Author Topic: SmartSecurity and other problems  (Read 8199 times)

Offline Jarcy

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
SmartSecurity and other problems
« Reply #20 on: November 06, 2005, 03:49:53 PM »
Guestolo,

OK I've run the tool. It didn't find anything. (Just stopped when it had finished). Anything else to try?

Thanks
Jarcy

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity and other problems
« Reply #21 on: November 06, 2005, 06:18:08 PM »
I think we may have to resort to a repair of your system.

Afterwards you will have to install the latest Service Pack from Windows Update.

Beforehand:
If McAfee is expired, and you don't plan on renewing it,
I can give you a link to a free virus scanner and firewall.
You may want to uninstall McAfee and Office again.

Restart afterwards.
Use the link to run a Repair on your system.
Make sure you're running a Repair; follow the instructions closely.
http://www.michaelstevenstech.com/XPrepairinstall.htm

When you're done, come back here and post a fresh HijackThis log.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Jarcy

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
SmartSecurity and other problems
« Reply #22 on: November 06, 2005, 07:22:25 PM »
Guestolo,

OK I've run the tool. It didn't find anything. (Just stopped when it had finished). Anything else to try?

Thanks
Jarcy

Offline Jarcy

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
SmartSecurity and other problems
« Reply #23 on: November 06, 2005, 07:55:52 PM »
Sorry, I managed to double post my last message!

I'm willing to pay for a further year's McAfee subscription, unless you recommend your other source in preference. However, I don't want to take down my firewall until I've got something to replace it with lined up.

My PC didn't come with the full CD version of XP, only a "Recovery CD-Rom". However, I've browsed the contents and it looks to all intents and purposes like a proper XP installation disc: it has the options Install or Upgrade. I haven't followed through the procedure yet as I need to spend some time backing up files, but I didn't see the setup option to repair. Does it sound like this is the CD that I need for this procedure, or should I contact my PC manufacturer's support desk for confirmation?

Thanks, Jarcy.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity and other problems
« Reply #24 on: November 07, 2005, 07:33:43 PM »
Jarcy, sorry for the late reply.

The makers of your computer have complete instructions on how to run a repair.
I assume you bought the computer at meshcomputers
http://www.meshcomputers.com/Default.aspx?...T_FAQS_SOFTWARE

Before you try any of the above
are all applications behaving this way?

Can you try something for me please
Download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.  Open the aproposfix folder on your desktop and run RunThis.bat.  Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

I would like to see that Hosts file also
Open Hijackthis>>>Then click on the Open Misc tools section
Under the System Tools click the button labelled
Open Hosts file manager

Click the Open in Notepad button, a text file should open
Copy and paste the whole contents back here please



Offline Jarcy

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
SmartSecurity and other problems
« Reply #25 on: November 08, 2005, 06:39:35 PM »
Hi Guestolo,

I've contacted Mesh and got the full repair / XP reinstall instructions, so I'm prepared if this proves the best route to take. Have also ordered a second hard drive to archive all passive files prior to any reinstall (my existing drive was nearing full anyway). My recovery CD IS the full version of XP Pro, so no problems there. Should also have all drivers.

Have run aproposfix.exe in Safe Mode.
Here's the Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:58:48 PM, on 11/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\John Canfield\My Documents\Download Software\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

And here is the log.txt file from aproposfix:

Log of AproposFix v1
 
************
 
Running from directory:  
C:\Documents and Settings\John Canfield\Desktop\aproposfix
 
************
 
Registry entries found:
 
 
************
 
No service found!
 
Removing hidden folder:
No folder found!
 
Deleting files:
 
 
Backing up files:
Done!
 
Removing registry entries:
 
REGEDIT4
 
 
Done!
 
Finished!

And here is Open Hosts file manager from Hijackthis:

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost

Nothing seems to indicate much to me.
However, I did notice a process running from:
Windows\Explorer.EXE
Isn't this likely to be a virus when running from this folder?

Regarding general system performance, the obvious problems are as follows:

1. McAfee Virus Scan can't be run and crashes every time you try to enable the tool. What's more, any automated instant update reminders also crash before they load. This leads me to believe I've got a nasty virus which targets McAfee to avoid me capturing it.

2. MS Word won't open and crashes. MS Excel will open and you can use a spreadsheet. However, you can't open an existing saved file and Excel duly crashes. I have noticed that a comment in the bottom left hand corner says "requesting virus scan" just prior to Excel crashing. Linked to McAfee perhaps? PowerPoint won't open any saved files.

3. The white borders around open windows have turned a grey/buff colour. This has occurred only in the last 2 weeks since starting this troubleshooting! Looks quite nice, but not my doing!

4. If I switch user in XP to my wife's profile, the system slows considerably, and often stalls. (Perhaps I know who to blame for dodgy files/emails or poor firewall decisions ;) ).

5. I received this email recently. Has someone hijacked my machine?:-
---------
Your question has been received. You should expect a response from us
within 24 hours.

You MUST enter your reply in the space below. Text entered into any
other part of this message will be discarded and your question may not
then be fully answered.

[===> Please enter your reply below this line <===]

[===> Please enter your reply above this line <===]

To update your question from our support site, click on the following
link or paste it into your Web browser.
http://holidayautos.custhelp.com/cgi-bin/h...ated=1131040545


question reference no051103-000544
---------------------------------------------------------------
           Summary: Mail System Error - Returned Mail
      date created: 03/11/2005 05:55 PM
      Last Updated: 03/11/2005 05:55 PM
            Status: Unresolved
Booking Reference :
Spain or Portugal?:

Discussion Thread
---------------------------------------------------------------
Customer - 03/11/2005 05:55 PM
Dear user [email protected],

We have found that your account was used to send a large amount of spam during this week.
Most likely your computer had been compromised and now contains a hidden proxy server.

Please follow instructions in order to keep your computer safe.

Best regards,
The mailnj.custhelp.com support team.

==================== application File Attachment ====================
[email protected], 28938 bytes, added to incident


[---001:001315:56836---]
-------------
I also received another email from Holiday Autos advising that an account had been set up in my name, listing my email address. I've never had any contact with this company!

All other software I've tried seems to run fine. Tried Pinnacle Studio 9 (which is very memory and power hungry) but this worked as usual.



Thanks for all your help. Any hope, or is it getting towards starting again from scratch?

Cheers, Jarcy.
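
As an added example, not code from this thread, from HijackThis or from any poster, the following Python script does by machine what a helper does by eye on a HijackThis log and a hosts file: it flags Internet Explorer start or search settings that point at a bare IP address or at a host the owner does not recognise, HKCU autoruns whose value name and executable are both three random-looking letters, a Winsock LSP entry for a missing DLL, and services registered for a missing binary, and it diffs two logs so that entries present only in a second user profile stand out. The sample logs are constructed in the shape of the logs posted in this thread, KNOWN_GOOD_HOSTS holds the two hosts from the poster's own start-page settings, the update.example-av.invalid hosts entry is constructed, and every threshold is this editor's heuristic rather than a HijackThis rule.

```python
"""Triage helpers for HijackThis-style logs and a Windows hosts file.
Added example: not HijackThis code, and the heuristics are the editor's own."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)
# Three capitalised letters with no vendor name: the shape of the suspicious HKCU autoruns.
SHORT_NAME_RE = re.compile(r"^[A-Z][a-z]{2}$")
# Hosts the owner confirmed as their own settings (taken from the posted logs).
KNOWN_GOOD_HOSTS = frozenset({"www.google.co.uk", "www.meshcomputers.com"})

# Constructed sample: lines in the shape of the logs posted in this thread.
SAMPLE_USER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)
"""
# Constructed second profile on the same machine: everything above plus four extra entries.
SAMPLE_OTHER = SAMPLE_USER + r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq=
O4 - HKCU\..\Run: [Imv] C:\WINDOWS\Lmn.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Ifc.exe
"""
# Constructed hosts file: the stock Microsoft header plus one extra mapping.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 update.example-av.invalid   # constructed: this shape blocks an AV updater
"""


def parse_hjt(text):
    """Return [(section code, body)] for the R*/O* lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_hjt(text, known_good_hosts=KNOWN_GOOD_HOSTS):
    """Apply a few defender heuristics; return [(code, message)] in log order."""
    findings = []
    for code, body in parse_hjt(text):
        if code in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            host = urlparse(value.strip()).hostname or ""
            setting = key.rsplit(",", 1)[-1]
            if not host:                      # e.g. ProxyOverride = 127.0.0.1 carries no URL
                continue
            if _is_ip_literal(host):
                findings.append((code, f"IE '{setting}' points at bare IP {host}"))
            elif host not in known_good_hosts:
                findings.append((code, f"IE '{setting}' points at unrecognised host {host}"))
        elif code == "O4":
            m = O4_RE.match(body)
            exe = EXE_RE.search(m.group("cmd")) if m else None
            if not exe:                       # Global Startup lines, bare names, rundll32 stubs
                continue
            stem = exe.group("path").rsplit("\\", 1)[-1][:-4]
            if SHORT_NAME_RE.match(m.group("name")) and SHORT_NAME_RE.match(stem):
                findings.append((code, f"random-looking autorun [{m.group('name')}] -> {exe.group('path')}"))
        elif code == "O10" and "missing" in body:
            findings.append((code, "Winsock LSP chain references a missing DLL (networking is broken)"))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service registered for a missing binary: " + body.split(" - ")[0]))
    return findings


def new_in_second(log_a, log_b):
    """Entries present in log_b but not in log_a: what one profile has that the other lacks."""
    seen = set(parse_hjt(log_a))
    return [entry for entry in parse_hjt(log_b) if entry not in seen]


def parse_hosts(text):
    """Return [(ip, [hostnames])] from a hosts file, ignoring comments and blank lines."""
    mappings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            mappings.append((ip, names))
    return mappings


def triage_hosts(text):
    """Flag every mapping except the stock loopback 'localhost' line."""
    findings = []
    for ip, names in parse_hosts(text):
        loopback = _is_ip_literal(ip) and ip_address(ip).is_loopback
        for name in names:
            if not (loopback and name.lower() == "localhost"):
                findings.append(f"{ip} -> {name}")
    return findings


if __name__ == "__main__":
    for code, msg in triage_hjt(SAMPLE_OTHER):
        print(code, msg)
    for entry in new_in_second(SAMPLE_USER, SAMPLE_OTHER):
        print("only in second profile:", *entry)
    print("hosts:", triage_hosts(HOSTS_SAMPLE))
```

Run the file directly to print the findings for the constructed samples. The script deliberately says nothing about the process list: C:\WINDOWS\Explorer.EXE is the stock location of the Windows shell, so a process at that path is expected, and the informative signals in a HijackThis log are the entries a clean profile would never carry, such as HKCU Run values with throwaway names or an IE search setting rewritten to a bare IP address.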

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity and other problems
« Reply #26 on: November 08, 2005, 10:24:25 PM »
You posted a HijackThis log from an old version of HijackThis.
Can you post a new log from version 1.99.1?
Can you also download & run this free tool called RootkitRevealer?
Scroll to the bottom of that page for the download link.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

Unzip RootkitRevealer.zip to desktop and double click on RootkitRevealer.exe
Once open click on SCAN
Sit back and wait for the scan to finish
Once finished, Save a log of what was found
By clicking File>>Save
By default the log may want to save to the System32 folder
Try and save it to desktop if possible
Log off other users on the computer

You should also turn off any program that might activate during the scan, such as a screensaver, an antivirus tool, or any other running program. Switching focus to another program, or allowing other programs to activate during the scan, won't cause your system to crash, but doing so may cause the RootkitRevealer program to display inaccurate or misleading results.

Can you also run a HijackThis log from your wife's profile please and post it here
« Last Edit: November 08, 2005, 10:26:37 PM by guestolo »



Offline Jarcy

  • Newbie
  • *
  • Posts: 21
  • Karma: +0/-0
SmartSecurity and other problems
« Reply #27 on: November 10, 2005, 04:53:50 PM »
Guestolo,

Sorry about running the wrong version of Hijackthis.
Here's my correct log:

Logfile of HijackThis v1.99.1
Scan saved at 8:57:46 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDEAX.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

And here's the log of a run under my wife's profile:

Logfile of HijackThis v1.99.1
Scan saved at 8:56:41 PM, on 11/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\OSDMenu.EXE
C:\Program Files\Creative\MediaSource\RemoteControl\OSDEAX.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINDOWS\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Imv] C:\WINDOWS\Lmn.exe
O4 - HKCU\..\Run: [Hoe] C:\WINDOWS\Ume.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Ifc.exe
O4 - HKCU\..\Run: [Clp] C:\WINDOWS\Luu.exe
O4 - HKCU\..\Run: [Hub] C:\WINDOWS\Hio.exe
O4 - HKCU\..\Run: [Sre] C:\WINDOWS\Iki.exe
O4 - HKCU\..\Run: [Sci] C:\WINDOWS\Lbq.exe
O4 - HKCU\..\Run: [Gja] C:\WINDOWS\Udh.exe
O4 - HKCU\..\Run: [Lds] C:\WINDOWS\Oje.exe
O4 - HKCU\..\Run: [Kcm] C:\WINDOWS\System32\Tkf.exe
O4 - HKCU\..\Run: [Mes] C:\WINDOWS\Niu.exe
O4 - HKCU\..\Run: [Sbk] C:\WINDOWS\System32\Flv.exe
O4 - HKCU\..\Run: [Jtn] C:\WINDOWS\Nro.exe
O4 - HKCU\..\Run: [Tao] C:\WINDOWS\System32\Akf.exe
O4 - HKCU\..\Run: [Klt] C:\WINDOWS\Nbe.exe
O4 - HKCU\..\Run: [Ohn] C:\WINDOWS\System32\Neg.exe
O4 - HKCU\..\Run: [Bou] C:\WINDOWS\System32\Kme.exe
O4 - HKCU\..\Run: [Jek] C:\WINDOWS\System32\Icv.exe
O4 - HKCU\..\Run: [Pia] C:\WINDOWS\System32\Vgh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\System32\Ubt.exe
O4 - HKCU\..\Run: [Jgc] C:\WINDOWS\System32\Vct.exe
O4 - HKCU\..\Run: [Evh] C:\WINDOWS\Jre.exe
O4 - HKCU\..\Run: [Sju] C:\WINDOWS\System32\Uva.exe
O4 - HKCU\..\Run: [Uai] C:\WINDOWS\Lfa.exe
O4 - HKCU\..\Run: [Mkh] C:\WINDOWS\System32\Pji.exe
O4 - HKCU\..\Run: [Qrh] C:\WINDOWS\Hfs.exe
O4 - HKCU\..\Run: [Ijo] C:\WINDOWS\Qaj.exe
O4 - HKCU\..\Run: [Osi] C:\WINDOWS\System32\Eqo.exe
O4 - HKCU\..\Run: [Bno] C:\WINDOWS\System32\Maa.exe
O4 - HKCU\..\Run: [Vfg] C:\WINDOWS\System32\Vbo.exe
O4 - HKCU\..\Run: [Jks] C:\WINDOWS\System32\Gje.exe
O4 - HKCU\..\Run: [Npr] C:\WINDOWS\Rvo.exe
O4 - HKCU\..\Run: [Mpu] C:\WINDOWS\System32\Niv.exe
O4 - HKCU\..\Run: [Rcq] C:\WINDOWS\System32\Irh.exe
O4 - HKCU\..\Run: [Mjm] C:\WINDOWS\Uon.exe
O4 - HKCU\..\Run: [Peh] C:\WINDOWS\Mhn.exe
O4 - HKCU\..\Run: [Hlk] C:\WINDOWS\Qne.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\Mti.exe
O4 - HKCU\..\Run: [Dqm] C:\WINDOWS\System32\Tcq.exe
O4 - HKCU\..\Run: [Fqd] C:\WINDOWS\Sat.exe
O4 - HKCU\..\Run: [Huv] C:\WINDOWS\Roc.exe
O4 - HKCU\..\Run: [Mqa] C:\WINDOWS\Jom.exe
O4 - HKCU\..\Run: [Evs] C:\WINDOWS\Nda.exe
O4 - HKCU\..\Run: [Gqu] C:\WINDOWS\Ngp.exe
O4 - HKCU\..\Run: [Cid] C:\WINDOWS\System32\Ess.exe
O4 - HKCU\..\Run: [Gis] C:\WINDOWS\Acp.exe
O4 - HKCU\..\Run: [Rps] C:\WINDOWS\System32\Dtm.exe
O4 - HKCU\..\Run: [Jea] C:\WINDOWS\System32\Hdp.exe
O4 - HKCU\..\Run: [Pnd] C:\WINDOWS\System32\Nff.exe
O4 - HKCU\..\Run: [Bku] C:\WINDOWS\System32\Sca.exe
O4 - HKCU\..\Run: [Pad] C:\WINDOWS\System32\Psj.exe
O4 - HKCU\..\Run: [Cbh] C:\WINDOWS\Qnf.exe
O4 - HKCU\..\Run: [Bnu] C:\WINDOWS\Evh.exe
O4 - HKCU\..\Run: [Eer] C:\WINDOWS\Rgm.exe
O4 - HKCU\..\Run: [Bkj] C:\WINDOWS\System32\Arb.exe
O4 - HKCU\..\Run: [Eka] C:\WINDOWS\System32\Omr.exe
O4 - HKCU\..\Run: [Vme] C:\WINDOWS\Hun.exe
O4 - HKCU\..\Run: [Tva] C:\WINDOWS\System32\Uuu.exe
O4 - HKCU\..\Run: [Acb] C:\WINDOWS\System32\Bnf.exe
O4 - HKCU\..\Run: [Ldl] C:\WINDOWS\Kma.exe
O4 - HKCU\..\Run: [Mbs] C:\WINDOWS\System32\Ejo.exe
O4 - HKCU\..\Run: [Scn] C:\WINDOWS\Ibv.exe
O4 - HKCU\..\Run: [Ovn] C:\WINDOWS\Fjg.exe
O4 - HKCU\..\Run: [Omr] C:\WINDOWS\Ooi.exe
O4 - HKCU\..\Run: [Fji] C:\WINDOWS\Dbg.exe
O4 - HKCU\..\Run: [Jjr] C:\WINDOWS\Cvc.exe
O4 - HKCU\..\Run: [Esh] C:\WINDOWS\Ldg.exe
O4 - HKCU\..\Run: [Dcs] C:\WINDOWS\Nqd.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Sqi.exe
O4 - HKCU\..\Run: [Lsl] C:\WINDOWS\System32\Juj.exe
O4 - HKCU\..\Run: [Lbr] C:\WINDOWS\System32\Ncj.exe
O4 - HKCU\..\Run: [Omv] C:\WINDOWS\System32\Efp.exe
O4 - HKCU\..\Run: [Ssa] C:\WINDOWS\Ugd.exe
O4 - HKCU\..\Run: [Lnp] C:\WINDOWS\Ofo.exe
O4 - HKCU\..\Run: [Tda] C:\WINDOWS\Ugg.exe
O4 - HKCU\..\Run: [Hgd] C:\WINDOWS\System32\Rfn.exe
O4 - HKCU\..\Run: [Amh] C:\WINDOWS\Pvb.exe
O4 - HKCU\..\Run: [Ofj] C:\WINDOWS\Muk.exe
O4 - HKCU\..\Run: [Jvf] C:\WINDOWS\System32\Feo.exe
O4 - HKCU\..\Run: [Fsl] C:\WINDOWS\Crl.exe
O4 - HKCU\..\Run: [Tur] C:\WINDOWS\Jfi.exe
O4 - HKCU\..\Run: [Mdd] C:\WINDOWS\Hjh.exe
O4 - HKCU\..\Run: [Lqe] C:\WINDOWS\Psp.exe
O4 - HKCU\..\Run: [Nqi] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Msf] C:\WINDOWS\Jbp.exe
O4 - HKCU\..\Run: [Dlu] C:\WINDOWS\System32\Vud.exe
O4 - HKCU\..\Run: [Okf] C:\WINDOWS\Veb.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\System32\Hib.exe
O4 - HKCU\..\Run: [Rli] C:\WINDOWS\System32\Cdr.exe
O4 - HKCU\..\Run: [Qdl] C:\WINDOWS\Lph.exe
O4 - HKCU\..\Run: [Qip] C:\WINDOWS\System32\Hve.exe
O4 - HKCU\..\Run: [Quj] C:\WINDOWS\Urk.exe
O4 - HKCU\..\Run: [Dqo] C:\WINDOWS\Qlm.exe
O4 - HKCU\..\Run: [Vov] C:\WINDOWS\Pou.exe
O4 - HKCU\..\Run: [Fec] C:\WINDOWS\System32\Bdn.exe
O4 - HKCU\..\Run: [Tqi] C:\WINDOWS\Jho.exe
O4 - HKCU\..\Run: [Gak] C:\WINDOWS\System32\Dgb.exe
O4 - HKCU\..\Run: [Fgm] C:\WINDOWS\Ldi.exe
O4 - HKCU\..\Run: [Rev] C:\WINDOWS\Kdk.exe
O4 - HKCU\..\Run: [Pmv] C:\WINDOWS\Rps.exe
O4 - HKCU\..\Run: [Hiq] C:\WINDOWS\System32\Uuc.exe
O4 - HKCU\..\Run: [Mjp] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Tmu] C:\WINDOWS\System32\Ele.exe
O4 - HKCU\..\Run: [Nto] C:\WINDOWS\Rlc.exe
O4 - HKCU\..\Run: [Qah] C:\WINDOWS\Rbk.exe
O4 - HKCU\..\Run: [Eae] C:\WINDOWS\Bqn.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Rtg.exe
O4 - HKCU\..\Run: [Ebd] C:\WINDOWS\System32\Tuo.exe
O4 - HKCU\..\Run: [Cnk] C:\WINDOWS\Bvi.exe
O4 - HKCU\..\Run: [Hku] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [Rmm] C:\WINDOWS\Ugq.exe
O4 - HKCU\..\Run: [Jqm] C:\WINDOWS\System32\Grl.exe
O4 - HKCU\..\Run: [Lru] C:\WINDOWS\System32\Tqf.exe
O4 - HKCU\..\Run: [Pob] C:\WINDOWS\Dgo.exe
O4 - HKCU\..\Run: [Rkk] C:\WINDOWS\Veq.exe
O4 - HKCU\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKCU\..\Run: [Irq] C:\WINDOWS\System32\Rhh.exe
O4 - HKCU\..\Run: [Gtg] C:\WINDOWS\System32\Dlu.exe
O4 - HKCU\..\Run: [Gbt] C:\WINDOWS\Vss.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Cov] C:\WINDOWS\System32\Hir.exe
O4 - HKCU\..\Run: [Ntj] C:\WINDOWS\System32\Hai.exe
O4 - HKCU\..\Run: [Lud] C:\WINDOWS\System32\Rgr.exe
O4 - HKCU\..\Run: [Eko] C:\WINDOWS\System32\Grp.exe
O4 - HKCU\..\Run: [Stl] C:\WINDOWS\Ilr.exe
O4 - HKCU\..\Run: [Jnb] C:\WINDOWS\Obq.exe
O4 - HKCU\..\Run: [Ism] C:\WINDOWS\Mtk.exe
O4 - HKCU\..\Run: [Mdl] C:\WINDOWS\System32\Fvq.exe
O4 - HKCU\..\Run: [Nba] C:\WINDOWS\System32\Gst.exe
O4 - HKCU\..\Run: [Joo] C:\WINDOWS\Gja.exe
O4 - HKCU\..\Run: [Ajt] C:\WINDOWS\Jao.exe
O4 - HKCU\..\Run: [Oce] C:\WINDOWS\System32\Fjm.exe
O4 - HKCU\..\Run: [Skp] C:\WINDOWS\System32\Eol.exe
O4 - HKCU\..\Run: [Krb] C:\WINDOWS\System32\Tmj.exe
O4 - HKCU\..\Run: [Ifv] C:\WINDOWS\Hqn.exe
O4 - HKCU\..\Run: [Miu] C:\WINDOWS\Gsu.exe
O4 - HKCU\..\Run: [Iqj] C:\WINDOWS\System32\Rcf.exe
O4 - HKCU\..\Run: [Pjp] C:\WINDOWS\Glt.exe
O4 - HKCU\..\Run: [Bht] C:\WINDOWS\System32\Brq.exe
O4 - HKCU\..\Run: [Pok] C:\WINDOWS\Sja.exe
O4 - HKCU\..\Run: [Ljk] C:\WINDOWS\System32\Ava.exe
O4 - HKCU\..\Run: [Clv] C:\WINDOWS\Qeu.exe
O4 - HKCU\..\Run: [Ibn] C:\WINDOWS\Vje.exe
O4 - HKCU\..\Run: [Hlr] C:\WINDOWS\System32\Cna.exe
O4 - HKCU\..\Run: [Trj] C:\WINDOWS\Fst.exe
O4 - HKCU\..\Run: [Jps] C:\WINDOWS\Vnc.exe
O4 - HKCU\..\Run: [Gvv] C:\WINDOWS\Mah.exe
O4 - HKCU\..\Run: [Glt] C:\WINDOWS\System32\Hkm.exe
O4 - HKCU\..\Run: [Ivd] C:\WINDOWS\System32\Jit.exe
O4 - HKCU\..\Run: [Vgm] C:\WINDOWS\System32\Iok.exe
O4 - HKCU\..\Run: [Kqt] C:\WINDOWS\System32\Rkd.exe
O4 - HKCU\..\Run: [Dgp] C:\WINDOWS\Ffk.exe
O4 - HKCU\..\Run: [Svj] C:\WINDOWS\System32\Vfe.exe
O4 - HKCU\..\Run: [Gvb] C:\WINDOWS\Sko.exe
O4 - HKCU\..\Run: [Dan] C:\WINDOWS\Djk.exe
O4 - HKCU\..\Run: [Nng] C:\WINDOWS\System32\Hjt.exe
O4 - HKCU\..\Run: [Vrf] C:\WINDOWS\System32\Pne.exe
O4 - HKCU\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKCU\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKCU\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKCU\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKCU\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKCU\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKCU\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKCU\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKCU\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKCU\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKCU\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKCU\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKCU\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKCU\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKCU\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKCU\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKCU\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKCU\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKCU\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKCU\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKCU\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKCU\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKCU\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKCU\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKCU\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKCU\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKCU\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKCU\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKCU\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKCU\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKCU\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKCU\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKCU\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKCU\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKCU\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKCU\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKCU\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKCU\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKCU\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKCU\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKCU\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKCU\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKCU\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKCU\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKCU\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKCU\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKCU\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKCU\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKCU\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKCU\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKCU\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKCU\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKCU\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKCU\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKCU\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKCU\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKCU\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKCU\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKCU\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKCU\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKCU\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKCU\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKCU\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKCU\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKCU\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKCU\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKCU\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKCU\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKCU\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKCU\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKCU\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKCU\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKCU\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKCU\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKCU\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKCU\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKCU\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKCU\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKCU\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKCU\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKCU\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKCU\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKCU\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKCU\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKCU\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKCU\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKCU\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKCU\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKCU\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKCU\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKCU\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKCU\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKCU\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKCU\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKCU\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKCU\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKCU\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKCU\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKCU\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKCU\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKCU\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKCU\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKCU\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKCU\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKCU\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKCU\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKCU\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKCU\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKCU\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKCU\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKCU\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKCU\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKCU\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKCU\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKCU\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKCU\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKCU\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKCU\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKCU\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKCU\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKCU\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKCU\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKCU\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKCU\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKCU\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKCU\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKCU\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKCU\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKCU\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKCU\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKCU\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKCU\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKCU\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKCU\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKCU\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKCU\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKCU\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKCU\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKCU\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKCU\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKCU\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKCU\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKCU\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKCU\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKCU\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKCU\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKCU\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKCU\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKCU\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKCU\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKCU\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKCU\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKCU\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKCU\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKCU\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKCU\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKCU\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKCU\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKCU\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKCU\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKCU\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKCU\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKCU\..\Run: [Kaj] C:\WINDOWS\Ivn.exe
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb033
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

Seems there's lots here that needs checking!!

Here's the result from Rootkitrevealer:

HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*   9/4/2005 3:16 PM   0 bytes   Key name contains embedded nulls (*)
HKLM\SOFTWARE\Sonic Desktop Software\Common\LibraryFilesFolder   9/5/2005 6:24 PM   87 bytes   Data mismatch between Windows API and raw hive data.

Thanks again,
Jarcy
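The log above shows the pattern the helper is about to act on: well over two hundred HKCU\..\Run values whose names and image files are all three-letter Capitalised tokens dropped directly into C:\WINDOWS or C:\WINDOWS\System32, plus two McAfee services and the X10 service reporting "(file missing)" and a broken LSP chain. The Python below is an added triage script, not part of the original thread and not a HijackThis feature; it parses lines in HijackThis format and flags exactly that mass-generated naming pattern so the fix list can be produced mechanically instead of by hand. The sample log embedded in it is constructed for the example (a handful of lines in the same format as the log above, not a copy of it), and the three-letter heuristic is an assumption drawn from this log, not a general malware signature.

```python
"""Triage a HijackThis log: flag random-named Run entries, missing services, broken LSPs."""
import re
from collections import Counter

# Constructed sample in HijackThis log format (a few lines in the style of the
# log above, not the full log). Raw string so the backslashes stay literal.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Imv] C:\WINDOWS\Lmn.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Ifc.exe
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - HKCU\..\Run: [ValueName] command line"
O4_RUN = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$')
# Heuristic taken from this log (an assumption, not a general signature):
# value name and image are both one capital plus two lowercase letters, and
# the image sits directly in %WINDIR% or System32 rather than a program folder.
RANDOM_NAME = re.compile(r'^[A-Z][a-z]{2}$')
RANDOM_IMAGE = re.compile(r'^C:\\WINDOWS\\(?:System32\\)?[A-Z][a-z]{2}\.exe$')
O23_MISSING = re.compile(r'^O23 - Service: (.+?) - .*\(file missing\)$')
O10_BROKEN = re.compile(r"^O10 - Broken Internet access because of LSP provider '([^']+)' missing$")


def image_of(cmd):
    """Executable path from a Run value: the quoted span if quoted, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(None, 1)[0]


def parse_o4(log_text):
    """Yield (hive, value name, command line) for every O4 Run entry."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip()


def random_named_autoruns(log_text):
    """[(hive, name, image)] for Run entries matching the random three-letter pattern."""
    hits = []
    for hive, name, cmd in parse_o4(log_text):
        image = image_of(cmd)
        if RANDOM_NAME.match(name) and RANDOM_IMAGE.match(image):
            hits.append((hive, name, image))
    return hits


def missing_services(log_text):
    """Display names of O23 services whose binary HijackThis reports as missing."""
    names = []
    for line in log_text.splitlines():
        m = O23_MISSING.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def broken_lsps(log_text):
    """LSP provider DLLs reported missing by O10 (a broken Winsock chain)."""
    return [m.group(1) for m in (O10_BROKEN.match(l.strip()) for l in log_text.splitlines()) if m]


def fix_list(log_text):
    """The flagged O4 lines verbatim, i.e. the list a helper would tell the user to tick."""
    flagged = {(h, n) for h, n, _ in random_named_autoruns(log_text)}
    out = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m and (m.group(1), m.group(2)) in flagged:
            out.append(line.strip())
    return out


def summarize(log_text):
    """Counts and lists a responder wants at a glance before deciding on a repair."""
    hits = random_named_autoruns(log_text)
    by_hive = Counter(h for h, _, _ in hits)
    return {
        "random_autoruns": len(hits),
        "hkcu": by_hive["HKCU"],
        "hklm": by_hive["HKLM"],
        "missing_services": missing_services(log_text),
        "broken_lsps": broken_lsps(log_text),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for line in fix_list(SAMPLE_LOG):
        print(line)
```

Treat the output as a triage list, not a verdict: a legitimate program can have a three-letter name, so confirm each hit by inspecting the file (version info, signature, timestamp) before ticking it, and note that all of these are per-user (HKCU) entries, which is why the helper asks for the scan to be run from the wife's account rather than another one. The O23 "(file missing)" entries are orphaned service registrations left behind by an incomplete McAfee uninstall, not infections, and the O10 line explains the broken Internet access regardless of what else is removed.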

Offline guestolo

SmartSecurity and other problems
« Reply #28 on: November 12, 2005, 11:23:21 AM »
I tried to reply earlier, but my replies weren't getting through

On the wife's account
Can you do the following

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php?qq=

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Imv] C:\WINDOWS\Lmn.exe
O4 - HKCU\..\Run: [Hoe] C:\WINDOWS\Ume.exe
O4 - HKCU\..\Run: [Nns] C:\WINDOWS\System32\Ifc.exe
O4 - HKCU\..\Run: [Clp] C:\WINDOWS\Luu.exe
O4 - HKCU\..\Run: [Hub] C:\WINDOWS\Hio.exe
O4 - HKCU\..\Run: [Sre] C:\WINDOWS\Iki.exe
O4 - HKCU\..\Run: [Sci] C:\WINDOWS\Lbq.exe
O4 - HKCU\..\Run: [Gja] C:\WINDOWS\Udh.exe
O4 - HKCU\..\Run: [Lds] C:\WINDOWS\Oje.exe
O4 - HKCU\..\Run: [Kcm] C:\WINDOWS\System32\Tkf.exe
O4 - HKCU\..\Run: [Mes] C:\WINDOWS\Niu.exe
O4 - HKCU\..\Run: [Sbk] C:\WINDOWS\System32\Flv.exe
O4 - HKCU\..\Run: [Jtn] C:\WINDOWS\Nro.exe
O4 - HKCU\..\Run: [Tao] C:\WINDOWS\System32\Akf.exe
O4 - HKCU\..\Run: [Klt] C:\WINDOWS\Nbe.exe
O4 - HKCU\..\Run: [Ohn] C:\WINDOWS\System32\Neg.exe
O4 - HKCU\..\Run: [Bou] C:\WINDOWS\System32\Kme.exe
O4 - HKCU\..\Run: [Jek] C:\WINDOWS\System32\Icv.exe
O4 - HKCU\..\Run: [Pia] C:\WINDOWS\System32\Vgh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\System32\Ubt.exe
O4 - HKCU\..\Run: [Jgc] C:\WINDOWS\System32\Vct.exe
O4 - HKCU\..\Run: [Evh] C:\WINDOWS\Jre.exe
O4 - HKCU\..\Run: [Sju] C:\WINDOWS\System32\Uva.exe
O4 - HKCU\..\Run: [Uai] C:\WINDOWS\Lfa.exe
O4 - HKCU\..\Run: [Mkh] C:\WINDOWS\System32\Pji.exe
O4 - HKCU\..\Run: [Qrh] C:\WINDOWS\Hfs.exe
O4 - HKCU\..\Run: [Ijo] C:\WINDOWS\Qaj.exe
O4 - HKCU\..\Run: [Osi] C:\WINDOWS\System32\Eqo.exe
O4 - HKCU\..\Run: [Bno] C:\WINDOWS\System32\Maa.exe
O4 - HKCU\..\Run: [Vfg] C:\WINDOWS\System32\Vbo.exe
O4 - HKCU\..\Run: [Jks] C:\WINDOWS\System32\Gje.exe
O4 - HKCU\..\Run: [Npr] C:\WINDOWS\Rvo.exe
O4 - HKCU\..\Run: [Mpu] C:\WINDOWS\System32\Niv.exe
O4 - HKCU\..\Run: [Rcq] C:\WINDOWS\System32\Irh.exe
O4 - HKCU\..\Run: [Mjm] C:\WINDOWS\Uon.exe
O4 - HKCU\..\Run: [Peh] C:\WINDOWS\Mhn.exe
O4 - HKCU\..\Run: [Hlk] C:\WINDOWS\Qne.exe
O4 - HKCU\..\Run: [Tsl] C:\WINDOWS\Mti.exe
O4 - HKCU\..\Run: [Dqm] C:\WINDOWS\System32\Tcq.exe
O4 - HKCU\..\Run: [Fqd] C:\WINDOWS\Sat.exe
O4 - HKCU\..\Run: [Huv] C:\WINDOWS\Roc.exe
O4 - HKCU\..\Run: [Mqa] C:\WINDOWS\Jom.exe
O4 - HKCU\..\Run: [Evs] C:\WINDOWS\Nda.exe
O4 - HKCU\..\Run: [Gqu] C:\WINDOWS\Ngp.exe
O4 - HKCU\..\Run: [Cid] C:\WINDOWS\System32\Ess.exe
O4 - HKCU\..\Run: [Gis] C:\WINDOWS\Acp.exe
O4 - HKCU\..\Run: [Rps] C:\WINDOWS\System32\Dtm.exe
O4 - HKCU\..\Run: [Jea] C:\WINDOWS\System32\Hdp.exe
O4 - HKCU\..\Run: [Pnd] C:\WINDOWS\System32\Nff.exe
O4 - HKCU\..\Run: [Bku] C:\WINDOWS\System32\Sca.exe
O4 - HKCU\..\Run: [Pad] C:\WINDOWS\System32\Psj.exe
O4 - HKCU\..\Run: [Cbh] C:\WINDOWS\Qnf.exe
O4 - HKCU\..\Run: [Bnu] C:\WINDOWS\Evh.exe
O4 - HKCU\..\Run: [Eer] C:\WINDOWS\Rgm.exe
O4 - HKCU\..\Run: [Bkj] C:\WINDOWS\System32\Arb.exe
O4 - HKCU\..\Run: [Eka] C:\WINDOWS\System32\Omr.exe
O4 - HKCU\..\Run: [Vme] C:\WINDOWS\Hun.exe
O4 - HKCU\..\Run: [Tva] C:\WINDOWS\System32\Uuu.exe
O4 - HKCU\..\Run: [Acb] C:\WINDOWS\System32\Bnf.exe
O4 - HKCU\..\Run: [Ldl] C:\WINDOWS\Kma.exe
O4 - HKCU\..\Run: [Mbs] C:\WINDOWS\System32\Ejo.exe
O4 - HKCU\..\Run: [Scn] C:\WINDOWS\Ibv.exe
O4 - HKCU\..\Run: [Ovn] C:\WINDOWS\Fjg.exe
O4 - HKCU\..\Run: [Omr] C:\WINDOWS\Ooi.exe
O4 - HKCU\..\Run: [Fji] C:\WINDOWS\Dbg.exe
O4 - HKCU\..\Run: [Jjr] C:\WINDOWS\Cvc.exe
O4 - HKCU\..\Run: [Esh] C:\WINDOWS\Ldg.exe
O4 - HKCU\..\Run: [Dcs] C:\WINDOWS\Nqd.exe
O4 - HKCU\..\Run: [Irt] C:\WINDOWS\Sqi.exe
O4 - HKCU\..\Run: [Lsl] C:\WINDOWS\System32\Juj.exe
O4 - HKCU\..\Run: [Lbr] C:\WINDOWS\System32\Ncj.exe
O4 - HKCU\..\Run: [Omv] C:\WINDOWS\System32\Efp.exe
O4 - HKCU\..\Run: [Ssa] C:\WINDOWS\Ugd.exe
O4 - HKCU\..\Run: [Lnp] C:\WINDOWS\Ofo.exe
O4 - HKCU\..\Run: [Tda] C:\WINDOWS\Ugg.exe
O4 - HKCU\..\Run: [Hgd] C:\WINDOWS\System32\Rfn.exe
O4 - HKCU\..\Run: [Amh] C:\WINDOWS\Pvb.exe
O4 - HKCU\..\Run: [Ofj] C:\WINDOWS\Muk.exe
O4 - HKCU\..\Run: [Jvf] C:\WINDOWS\System32\Feo.exe
O4 - HKCU\..\Run: [Fsl] C:\WINDOWS\Crl.exe
O4 - HKCU\..\Run: [Tur] C:\WINDOWS\Jfi.exe
O4 - HKCU\..\Run: [Mdd] C:\WINDOWS\Hjh.exe
O4 - HKCU\..\Run: [Lqe] C:\WINDOWS\Psp.exe
O4 - HKCU\..\Run: [Nqi] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Msf] C:\WINDOWS\Jbp.exe
O4 - HKCU\..\Run: [Dlu] C:\WINDOWS\System32\Vud.exe
O4 - HKCU\..\Run: [Okf] C:\WINDOWS\Veb.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\System32\Hib.exe
O4 - HKCU\..\Run: [Rli] C:\WINDOWS\System32\Cdr.exe
O4 - HKCU\..\Run: [Qdl] C:\WINDOWS\Lph.exe
O4 - HKCU\..\Run: [Qip] C:\WINDOWS\System32\Hve.exe
O4 - HKCU\..\Run: [Quj] C:\WINDOWS\Urk.exe
O4 - HKCU\..\Run: [Dqo] C:\WINDOWS\Qlm.exe
O4 - HKCU\..\Run: [Vov] C:\WINDOWS\Pou.exe
O4 - HKCU\..\Run: [Fec] C:\WINDOWS\System32\Bdn.exe
O4 - HKCU\..\Run: [Tqi] C:\WINDOWS\Jho.exe
O4 - HKCU\..\Run: [Gak] C:\WINDOWS\System32\Dgb.exe
O4 - HKCU\..\Run: [Fgm] C:\WINDOWS\Ldi.exe
O4 - HKCU\..\Run: [Rev] C:\WINDOWS\Kdk.exe
O4 - HKCU\..\Run: [Pmv] C:\WINDOWS\Rps.exe
O4 - HKCU\..\Run: [Hiq] C:\WINDOWS\System32\Uuc.exe
O4 - HKCU\..\Run: [Mjp] C:\WINDOWS\Dkm.exe
O4 - HKCU\..\Run: [Tmu] C:\WINDOWS\System32\Ele.exe
O4 - HKCU\..\Run: [Nto] C:\WINDOWS\Rlc.exe
O4 - HKCU\..\Run: [Qah] C:\WINDOWS\Rbk.exe
O4 - HKCU\..\Run: [Eae] C:\WINDOWS\Bqn.exe
O4 - HKCU\..\Run: [Crq] C:\WINDOWS\System32\Rtg.exe
O4 - HKCU\..\Run: [Ebd] C:\WINDOWS\System32\Tuo.exe
O4 - HKCU\..\Run: [Cnk] C:\WINDOWS\Bvi.exe
O4 - HKCU\..\Run: [Hku] C:\WINDOWS\System32\Pch.exe
O4 - HKCU\..\Run: [Rmm] C:\WINDOWS\Ugq.exe
O4 - HKCU\..\Run: [Jqm] C:\WINDOWS\System32\Grl.exe
O4 - HKCU\..\Run: [Lru] C:\WINDOWS\System32\Tqf.exe
O4 - HKCU\..\Run: [Pob] C:\WINDOWS\Dgo.exe
O4 - HKCU\..\Run: [Rkk] C:\WINDOWS\Veq.exe
O4 - HKCU\..\Run: [Evd] C:\WINDOWS\Fik.exe
O4 - HKCU\..\Run: [Irq] C:\WINDOWS\System32\Rhh.exe
O4 - HKCU\..\Run: [Gtg] C:\WINDOWS\System32\Dlu.exe
O4 - HKCU\..\Run: [Gbt] C:\WINDOWS\Vss.exe
O4 - HKCU\..\Run: [Men] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Cov] C:\WINDOWS\System32\Hir.exe
O4 - HKCU\..\Run: [Ntj] C:\WINDOWS\System32\Hai.exe
O4 - HKCU\..\Run: [Lud] C:\WINDOWS\System32\Rgr.exe
O4 - HKCU\..\Run: [Eko] C:\WINDOWS\System32\Grp.exe
O4 - HKCU\..\Run: [Stl] C:\WINDOWS\Ilr.exe
O4 - HKCU\..\Run: [Jnb] C:\WINDOWS\Obq.exe
O4 - HKCU\..\Run: [Ism] C:\WINDOWS\Mtk.exe
O4 - HKCU\..\Run: [Mdl] C:\WINDOWS\System32\Fvq.exe
O4 - HKCU\..\Run: [Nba] C:\WINDOWS\System32\Gst.exe
O4 - HKCU\..\Run: [Joo] C:\WINDOWS\Gja.exe
O4 - HKCU\..\Run: [Ajt] C:\WINDOWS\Jao.exe
O4 - HKCU\..\Run: [Oce] C:\WINDOWS\System32\Fjm.exe
O4 - HKCU\..\Run: [Skp] C:\WINDOWS\System32\Eol.exe
O4 - HKCU\..\Run: [Krb] C:\WINDOWS\System32\Tmj.exe
O4 - HKCU\..\Run: [Ifv] C:\WINDOWS\Hqn.exe
O4 - HKCU\..\Run: [Miu] C:\WINDOWS\Gsu.exe
O4 - HKCU\..\Run: [Iqj] C:\WINDOWS\System32\Rcf.exe
O4 - HKCU\..\Run: [Pjp] C:\WINDOWS\Glt.exe
O4 - HKCU\..\Run: [Bht] C:\WINDOWS\System32\Brq.exe
O4 - HKCU\..\Run: [Pok] C:\WINDOWS\Sja.exe
O4 - HKCU\..\Run: [Ljk] C:\WINDOWS\System32\Ava.exe
O4 - HKCU\..\Run: [Clv] C:\WINDOWS\Qeu.exe
O4 - HKCU\..\Run: [Ibn] C:\WINDOWS\Vje.exe
O4 - HKCU\..\Run: [Hlr] C:\WINDOWS\System32\Cna.exe
O4 - HKCU\..\Run: [Trj] C:\WINDOWS\Fst.exe
O4 - HKCU\..\Run: [Jps] C:\WINDOWS\Vnc.exe
O4 - HKCU\..\Run: [Gvv] C:\WINDOWS\Mah.exe
O4 - HKCU\..\Run: [Glt] C:\WINDOWS\System32\Hkm.exe
O4 - HKCU\..\Run: [Ivd] C:\WINDOWS\System32\Jit.exe
O4 - HKCU\..\Run: [Vgm] C:\WINDOWS\System32\Iok.exe
O4 - HKCU\..\Run: [Kqt] C:\WINDOWS\System32\Rkd.exe
O4 - HKCU\..\Run: [Dgp] C:\WINDOWS\Ffk.exe
O4 - HKCU\..\Run: [Svj] C:\WINDOWS\System32\Vfe.exe
O4 - HKCU\..\Run: [Gvb] C:\WINDOWS\Sko.exe
O4 - HKCU\..\Run: [Dan] C:\WINDOWS\Djk.exe
O4 - HKCU\..\Run: [Nng] C:\WINDOWS\System32\Hjt.exe
O4 - HKCU\..\Run: [Vrf] C:\WINDOWS\System32\Pne.exe
O4 - HKCU\..\Run: [Qbf] C:\WINDOWS\System32\Oek.exe
O4 - HKCU\..\Run: [Ijs] C:\WINDOWS\System32\Rto.exe
O4 - HKCU\..\Run: [Hds] C:\WINDOWS\System32\Som.exe
O4 - HKCU\..\Run: [Eun] C:\WINDOWS\System32\Utb.exe
O4 - HKCU\..\Run: [Mrd] C:\WINDOWS\Vor.exe
O4 - HKCU\..\Run: [Jvt] C:\WINDOWS\System32\Lot.exe
O4 - HKCU\..\Run: [Ver] C:\WINDOWS\System32\Ndc.exe
O4 - HKCU\..\Run: [Dct] C:\WINDOWS\System32\Sds.exe
O4 - HKCU\..\Run: [Kqi] C:\WINDOWS\Kss.exe
O4 - HKCU\..\Run: [Opj] C:\WINDOWS\System32\Ibr.exe
O4 - HKCU\..\Run: [Hht] C:\WINDOWS\System32\Mki.exe
O4 - HKCU\..\Run: [Gst] C:\WINDOWS\System32\Rhf.exe
O4 - HKCU\..\Run: [Nbp] C:\WINDOWS\System32\Vre.exe
O4 - HKCU\..\Run: [Pju] C:\WINDOWS\Fsk.exe
O4 - HKCU\..\Run: [Vim] C:\WINDOWS\System32\Ufn.exe
O4 - HKCU\..\Run: [Qfo] C:\WINDOWS\Bjd.exe
O4 - HKCU\..\Run: [Qmt] C:\WINDOWS\System32\Hgf.exe
O4 - HKCU\..\Run: [Fsn] C:\WINDOWS\Fic.exe
O4 - HKCU\..\Run: [Kpd] C:\WINDOWS\Evn.exe
O4 - HKCU\..\Run: [Ocr] C:\WINDOWS\System32\Por.exe
O4 - HKCU\..\Run: [Hdv] C:\WINDOWS\Rrf.exe
O4 - HKCU\..\Run: [Erk] C:\WINDOWS\System32\Jsb.exe
O4 - HKCU\..\Run: [Cng] C:\WINDOWS\Ffj.exe
O4 - HKCU\..\Run: [Fcb] C:\WINDOWS\Kpq.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\System32\Rpe.exe
O4 - HKCU\..\Run: [Bvr] C:\WINDOWS\Fun.exe
O4 - HKCU\..\Run: [Pma] C:\WINDOWS\System32\Gdt.exe
O4 - HKCU\..\Run: [Etr] C:\WINDOWS\Mep.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Igd.exe
O4 - HKCU\..\Run: [Boj] C:\WINDOWS\System32\Pnu.exe
O4 - HKCU\..\Run: [Obl] C:\WINDOWS\System32\Nli.exe
O4 - HKCU\..\Run: [Nem] C:\WINDOWS\System32\Pdh.exe
O4 - HKCU\..\Run: [Nnj] C:\WINDOWS\Nog.exe
O4 - HKCU\..\Run: [Lar] C:\WINDOWS\System32\Vvk.exe
O4 - HKCU\..\Run: [Npm] C:\WINDOWS\Mst.exe
O4 - HKCU\..\Run: [Tmq] C:\WINDOWS\System32\Uam.exe
O4 - HKCU\..\Run: [Kct] C:\WINDOWS\Hkk.exe
O4 - HKCU\..\Run: [Gml] C:\WINDOWS\Vea.exe
O4 - HKCU\..\Run: [Hfu] C:\WINDOWS\System32\Cft.exe
O4 - HKCU\..\Run: [Fef] C:\WINDOWS\Nff.exe
O4 - HKCU\..\Run: [Dao] C:\WINDOWS\System32\Sld.exe
O4 - HKCU\..\Run: [Csc] C:\WINDOWS\System32\Jtc.exe
O4 - HKCU\..\Run: [Hpn] C:\WINDOWS\Ehf.exe
O4 - HKCU\..\Run: [Tnc] C:\WINDOWS\System32\Rnl.exe
O4 - HKCU\..\Run: [Tkd] C:\WINDOWS\System32\Tfq.exe
O4 - HKCU\..\Run: [Cuf] C:\WINDOWS\Ijl.exe
O4 - HKCU\..\Run: [Ebk] C:\WINDOWS\System32\Vqr.exe
O4 - HKCU\..\Run: [Vep] C:\WINDOWS\System32\Rih.exe
O4 - HKCU\..\Run: [Odr] C:\WINDOWS\System32\Fti.exe
O4 - HKCU\..\Run: [Vsr] C:\WINDOWS\Ptp.exe
O4 - HKCU\..\Run: [Ker] C:\WINDOWS\System32\Olh.exe
O4 - HKCU\..\Run: [Oaa] C:\WINDOWS\System32\Ukl.exe
O4 - HKCU\..\Run: [Tod] C:\WINDOWS\Buc.exe
O4 - HKCU\..\Run: [Eed] C:\WINDOWS\System32\Lpi.exe
O4 - HKCU\..\Run: [Oae] C:\WINDOWS\System32\Geq.exe
O4 - HKCU\..\Run: [Sfb] C:\WINDOWS\System32\Fem.exe
O4 - HKCU\..\Run: [Hba] C:\WINDOWS\Tpm.exe
O4 - HKCU\..\Run: [Tup] C:\WINDOWS\Hcu.exe
O4 - HKCU\..\Run: [Ljh] C:\WINDOWS\Bun.exe
O4 - HKCU\..\Run: [Mlm] C:\WINDOWS\System32\Fdt.exe
O4 - HKCU\..\Run: [Jsr] C:\WINDOWS\System32\Uem.exe
O4 - HKCU\..\Run: [Erm] C:\WINDOWS\Min.exe
O4 - HKCU\..\Run: [Rar] C:\WINDOWS\System32\Vba.exe
O4 - HKCU\..\Run: [Vkl] C:\WINDOWS\Jfo.exe
O4 - HKCU\..\Run: [Ukv] C:\WINDOWS\System32\Gqr.exe
O4 - HKCU\..\Run: [Ace] C:\WINDOWS\Jjn.exe
O4 - HKCU\..\Run: [Llq] C:\WINDOWS\Nat.exe
O4 - HKCU\..\Run: [Qce] C:\WINDOWS\Uoj.exe
O4 - HKCU\..\Run: [Pmg] C:\WINDOWS\Erc.exe
O4 - HKCU\..\Run: [Jog] C:\WINDOWS\Dvd.exe
O4 - HKCU\..\Run: [Pba] C:\WINDOWS\System32\Iol.exe
O4 - HKCU\..\Run: [Vau] C:\WINDOWS\System32\Mpf.exe
O4 - HKCU\..\Run: [Gub] C:\WINDOWS\Rtf.exe
O4 - HKCU\..\Run: [Sjt] C:\WINDOWS\System32\Luc.exe
O4 - HKCU\..\Run: [Mel] C:\WINDOWS\Tch.exe
O4 - HKCU\..\Run: [Nal] C:\WINDOWS\System32\Ipc.exe
O4 - HKCU\..\Run: [Nok] C:\WINDOWS\Ial.exe
O4 - HKCU\..\Run: [Pto] C:\WINDOWS\Dda.exe
O4 - HKCU\..\Run: [Tko] C:\WINDOWS\Bfi.exe
O4 - HKCU\..\Run: [Ugl] C:\WINDOWS\System32\Vbg.exe
O4 - HKCU\..\Run: [Brm] C:\WINDOWS\System32\Oaq.exe
O4 - HKCU\..\Run: [Fio] C:\WINDOWS\Agb.exe
O4 - HKCU\..\Run: [Ohe] C:\WINDOWS\Rvu.exe
O4 - HKCU\..\Run: [Gut] C:\WINDOWS\Qbj.exe
O4 - HKCU\..\Run: [Iuu] C:\WINDOWS\Lkp.exe
O4 - HKCU\..\Run: [Cre] C:\WINDOWS\System32\Adk.exe
O4 - HKCU\..\Run: [Oqe] C:\WINDOWS\System32\Qut.exe
O4 - HKCU\..\Run: [Nci] C:\WINDOWS\Ejj.exe
O4 - HKCU\..\Run: [Fmn] C:\WINDOWS\Hnu.exe
O4 - HKCU\..\Run: [Pni] C:\WINDOWS\Uve.exe
O4 - HKCU\..\Run: [Qak] C:\WINDOWS\System32\Joo.exe
O4 - HKCU\..\Run: [Gpk] C:\WINDOWS\Fpn.exe
O4 - HKCU\..\Run: [Ntr] C:\WINDOWS\Fpc.exe
O4 - HKCU\..\Run: [Fjv] C:\WINDOWS\System32\Nbn.exe
O4 - HKCU\..\Run: [Fce] C:\WINDOWS\Hph.exe
O4 - HKCU\..\Run: [Gjs] C:\WINDOWS\System32\Jld.exe
O4 - HKCU\..\Run: [Rfb] C:\WINDOWS\System32\Vhh.exe
O4 - HKCU\..\Run: [Ihq] C:\WINDOWS\Uvh.exe
O4 - HKCU\..\Run: [Tvk] C:\WINDOWS\Llv.exe
O4 - HKCU\..\Run: [Afe] C:\WINDOWS\System32\Api.exe
O4 - HKCU\..\Run: [Pkd] C:\WINDOWS\Hor.exe
O4 - HKCU\..\Run: [Gvc] C:\WINDOWS\Lnc.exe
O4 - HKCU\..\Run: [Uub] C:\WINDOWS\Ark.exe
O4 - HKCU\..\Run: [Ugp] C:\WINDOWS\Mbo.exe
O4 - HKCU\..\Run: [Rbb] C:\WINDOWS\Eug.exe
O4 - HKCU\..\Run: [Udk] C:\WINDOWS\Opa.exe
O4 - HKCU\..\Run: [Htk] C:\WINDOWS\System32\Atd.exe
O4 - HKCU\..\Run: [Gsd] C:\WINDOWS\Scd.exe
O4 - HKCU\..\Run: [Bdm] C:\WINDOWS\System32\Lev.exe
O4 - HKCU\..\Run: [Utp] C:\WINDOWS\System32\Ikf.exe
O4 - HKCU\..\Run: [Qqf] C:\WINDOWS\Oun.exe
O4 - HKCU\..\Run: [Nuf] C:\WINDOWS\Rhp.exe
O4 - HKCU\..\Run: [Jji] C:\WINDOWS\Cjc.exe
O4 - HKCU\..\Run: [Aki] C:\WINDOWS\System32\Sbg.exe
O4 - HKCU\..\Run: [Jcl] C:\WINDOWS\System32\Ihv.exe
O4 - HKCU\..\Run: [Mcc] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Kui] C:\WINDOWS\Bjh.exe
O4 - HKCU\..\Run: [Unk] C:\WINDOWS\Kqc.exe
O4 - HKCU\..\Run: [Fgv] C:\WINDOWS\System32\Usr.exe
O4 - HKCU\..\Run: [Stv] C:\WINDOWS\System32\Egl.exe
O4 - HKCU\..\Run: [Sth] C:\WINDOWS\System32\Pro.exe
O4 - HKCU\..\Run: [Pei] C:\WINDOWS\Bqp.exe
O4 - HKCU\..\Run: [Qmb] C:\WINDOWS\System32\Prs.exe
O4 - HKCU\..\Run: [Jlq] C:\WINDOWS\Kpp.exe
O4 - HKCU\..\Run: [Avp] C:\WINDOWS\Nlp.exe
O4 - HKCU\..\Run: [Lpi] C:\WINDOWS\Dqo.exe
O4 - HKCU\..\Run: [Iar] C:\WINDOWS\System32\Chb.exe
O4 - HKCU\..\Run: [Igo] C:\WINDOWS\System32\Ctt.exe
O4 - HKCU\..\Run: [Aak] C:\WINDOWS\Efv.exe
O4 - HKCU\..\Run: [Son] C:\WINDOWS\Ghd.exe
O4 - HKCU\..\Run: [Dep] C:\WINDOWS\Vpi.exe
O4 - HKCU\..\Run: [Lto] C:\WINDOWS\Naj.exe
O4 - HKCU\..\Run: [Svh] C:\WINDOWS\Nht.exe
O4 - HKCU\..\Run: [Hou] C:\WINDOWS\Bcn.exe
O4 - HKCU\..\Run: [Isj] C:\WINDOWS\Upu.exe
O4 - HKCU\..\Run: [Bsn] C:\WINDOWS\Imj.exe
O4 - HKCU\..\Run: [Qcc] C:\WINDOWS\Hvn.exe
O4 - HKCU\..\Run: [Vvp] C:\WINDOWS\Hct.exe
O4 - HKCU\..\Run: [Ttn] C:\WINDOWS\Bpv.exe
O4 - HKCU\..\Run: [Gah] C:\WINDOWS\Qvt.exe
O4 - HKCU\..\Run: [Pjv] C:\WINDOWS\Ebg.exe
O4 - HKCU\..\Run: [Qgl] C:\WINDOWS\Bhb.exe
O4 - HKCU\..\Run: [Vfd] C:\WINDOWS\Gha.exe
O4 - HKCU\..\Run: [Qol] C:\WINDOWS\Jid.exe
O4 - HKCU\..\Run: [Fag] C:\WINDOWS\System32\Sme.exe
O4 - HKCU\..\Run: [Peo] C:\WINDOWS\Bms.exe
O4 - HKCU\..\Run: [Lhd] C:\WINDOWS\System32\Ktc.exe
O4 - HKCU\..\Run: [Mjr] C:\WINDOWS\Dch.exe
O4 - HKCU\..\Run: [Knl] C:\WINDOWS\System32\Qlg.exe
O4 - HKCU\..\Run: [Emp] C:\WINDOWS\System32\Ord.exe
O4 - HKCU\..\Run: [Aru] C:\WINDOWS\Hpk.exe
O4 - HKCU\..\Run: [Jcn] C:\WINDOWS\System32\Iqg.exe
O4 - HKCU\..\Run: [Rlf] C:\WINDOWS\System32\Knn.exe
O4 - HKCU\..\Run: [Kjv] C:\WINDOWS\Mqq.exe
O4 - HKCU\..\Run: [Vda] C:\WINDOWS\Gqi.exe
O4 - HKCU\..\Run: [Tfk] C:\WINDOWS\System32\Vjl.exe
O4 - HKCU\..\Run: [Eob] C:\WINDOWS\System32\Tms.exe
O4 - HKCU\..\Run: [Eav] C:\WINDOWS\System32\Nnr.exe
O4 - HKCU\..\Run: [Vil] C:\WINDOWS\Npt.exe
O4 - HKCU\..\Run: [Fvi] C:\WINDOWS\Tik.exe
O4 - HKCU\..\Run: [Ifl] C:\WINDOWS\Kln.exe
O4 - HKCU\..\Run: [Old] C:\WINDOWS\Lol.exe
O4 - HKCU\..\Run: [Jao] C:\WINDOWS\System32\Ehi.exe
O4 - HKCU\..\Run: [Mte] C:\WINDOWS\Rtl.exe
O4 - HKCU\..\Run: [Qrm] C:\WINDOWS\System32\Lrk.exe
O4 - HKCU\..\Run: [Dfi] C:\WINDOWS\Usa.exe
O4 - HKCU\..\Run: [Tih] C:\WINDOWS\Nio.exe
O4 - HKCU\..\Run: [Ssc] C:\WINDOWS\Idp.exe
O4 - HKCU\..\Run: [Uqt] C:\WINDOWS\Ton.exe
O4 - HKCU\..\Run: [Bjd] C:\WINDOWS\System32\Qch.exe
O4 - HKCU\..\Run: [Uhb] C:\WINDOWS\System32\Ktt.exe
O4 - HKCU\..\Run: [Eti] C:\WINDOWS\System32\Qae.exe
O4 - HKCU\..\Run: [Gpb] C:\WINDOWS\System32\Vsq.exe
O4 - HKCU\..\Run: [Olf] C:\WINDOWS\Bfc.exe
O4 - HKCU\..\Run: [Ecp] C:\WINDOWS\Giu.exe
O4 - HKCU\..\Run: [Ere] C:\WINDOWS\System32\Fua.exe
O4 - HKCU\..\Run: [Sqv] C:\WINDOWS\System32\Pts.exe
O4 - HKCU\..\Run: [Obq] C:\WINDOWS\System32\Kvc.exe
O4 - HKCU\..\Run: [Kaj] C:\WINDOWS\Ivn.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

After you have ticked the above entries, close all other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows
The items found by Rootkit Revealer look harmless
but can you do the following

Download and save F-Secure's BlackLight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"



Offline Jarcy

« Reply #29 on: November 13, 2005, 06:49:24 PM »
Guestolo,

I've checked the items through Hijackthis under my wife's profile.
Blacklight didn't find any hidden items, but here's the log:

11/13/05 23:41:20 [Info]: BlackLight Engine 1.0.25 initialized
11/13/05 23:41:20 [Info]: OS: 5.1 build 2600 (Service Pack 1)
11/13/05 23:41:20 [Note]: 4019 4
11/13/05 23:41:20 [Note]: 4005 0
11/13/05 23:41:38 [Note]: 4006 0
11/13/05 23:41:38 [Note]: 4011 1832
11/13/05 23:41:39 [Note]: FSRAW library version 1.7.1013

Unfortunately none of the current problems have improved yet.

Many thanks, Jarcy.

Offline guestolo

« Reply #30 on: November 13, 2005, 08:29:20 PM »
When I asked you to do this
Did you follow all the steps completely?

Quote
Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script.

If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it "Cannot find script file "blah blah blah" then don't worry just double click the cleandesktop.vbs script again as you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up
Another vbs is included to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs.

Open C:\ (Go to Start – Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop & select Properties/Desktop & select your preferred picture, press Apply & then OK to exit, and then press F5

You will need to do this step for every user account

Can you also randomly look for any of these files we removed with hijackthis
Do any exist
Eg...
C:\WINDOWS\Jre.exe <-this file
C:\WINDOWS\System32\Uva.exe <-file

Do you have any other user accounts on this computer?

That log you saved earlier with Ewido, is it visible now, can you post it if it is



Offline Jarcy

« Reply #31 on: November 14, 2005, 06:35:39 PM »
Guestolo,

I did originally run the cleandesktop against each of my 4 user accounts, but I've rerun it again against each. I also ran Hijackthis against the 2 remaining user accounts, and took the liberty of checking and removing the following:

User Adam,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php

User Sam,

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/1076/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php

O4 - HKCU\..\Run: [Otl] C:\WINDOWS\System32\Vgm.exe
O4 - HKCU\..\Run: [Unf] C:\WINDOWS\System32\Rep.exe
O4 - HKCU\..\Run: [Uns] C:\WINDOWS\Hkt.exe
O4 - HKCU\..\Run: [Ana] C:\WINDOWS\System32\Fvq.exe
O4 - HKCU\..\Run: [Frp] C:\WINDOWS\System32\Nub.exe
O4 - HKCU\..\Run: [Fnn] C:\WINDOWS\System32\Eho.exe

I found the original Ewido log. Here it is:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         7:29:32 AM, 10/20/2005
 + Report-Checksum:      CDE33FDB

 + Scan result:

   HKLM\SOFTWARE\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\adm.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\AppID\{99A8E2B2-3405-4C0D-9110-131C14CAAF62} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0} -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Classes\GSDA.GSDACtl\CLSID\\ -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Classes\GSDA.GSDACtl.1\CLSID\\ -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5} -> Spyware.BrilliantDigital : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{29E825AA-13BC-457C-806A-D72E4A25B3C5}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438} -> Spyware.BrilliantDigital : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{E79DADC6-18D0-4A2A-831F-D196D41F8438}\TypeLib\\ -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj.1 -> Spyware.BetterInternet : Cleaned with backup
   HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj.1\CLSID\\ -> Spyware.TwainTech : Cleaned with backup
   HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/html\\CLSID -> Spyware.Hijacker.Generic : Cleaned with backup
   HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain\\CLSID -> Spyware.Hijacker.Generic : Cleaned with backup
   HKLM\SOFTWARE\Classes\SearchRelevant\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Classes\Updater.BHO\CLSID\\ -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B72F75B8-93F3-429D-B13E-660B206D897A} -> Spyware.Hijacker.Generic : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\.Owner -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/gsda.dll\\{70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} -> Spyware.GameSpyArcade : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\.Owner -> Spyware.Gator : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1101.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM -> Spyware.Altnet : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Relevancy -> Spyware.SearchRelevancy : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows ControlAd -> Spyware.BlazeFind : Cleaned with backup
   HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
   HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
   HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
   C:\Documents and Settings\John Canfield\My Documents\Download Software\backup-20040928-211232-167.dll -> Spyware.Wesbar : Cleaned with backup
   C:\Documents and Settings\John Canfield\My Documents\Download Software\backup-20040928-211232-841.dll -> Spyware.MyWebSearch : Cleaned with backup
   C:\Documents and Settings\John Canfield\My Documents\Download Software\backup-20040929-012615-805.dll -> Spyware.BiSpy : Cleaned with backup
   C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
   C:\Program Files\SearchRelevant\SearchRelevant.dll -> Spyware.Relevance : Cleaned with backup
   C:\Program Files\Windows AdControl\WinAdShift.dll -> Spyware.WinAD : Cleaned with backup
   C:\Program Files\Windows TaskAd\WinProject.dll -> Spyware.WinAD : Cleaned with backup
   C:\Program Files\Windows TaskAd\WinTaskAd.exe -> Spyware.WinAD : Cleaned with backup
   C:\RECYCLER\S-1-5-21-4018580023-3645477719-86686005-1009\Dc7.exe -> Spyware.ConsCorr : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\gsda.dll -> Dialer.Generic : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
   C:\WINDOWS\LastGood\ZServ.dll -> Spyware.BiSpy : Cleaned with backup
   C:\WINDOWS\preInsln.exe -> Spyware.BiSpy : Cleaned with backup
   C:\WINDOWS\pss\winupdate25236385[1].exeStartup -> TrojanDownloader.Small.ait : Cleaned with backup
   C:\WINDOWS\pss\winupdate87250345[1].exeStartup -> TrojanDownloader.Small.ait : Cleaned with backup
   C:\WINDOWS\system32\20723828.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\20723968.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\315046.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\54885734.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\6148843.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\6149078.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\661218.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\78387359.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\8072218.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\82312.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\9101531.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\948609.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\949906.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\98671.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\f3pssavr.scr -> Spyware.MyWebSearch : Cleaned with backup
   C:\WINDOWS\system32\mszx23.exe -> Backdoor.Haxdoor.bh : Cleaned with backup
   C:\WINDOWS\system32\notepad.exe -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\system32\winlow.sys -> Backdoor.Haxdoor.bb : Cleaned with backup
   C:\WINDOWS\ZServ.dll_tobedeleted -> Spyware.DlMax : Cleaned with backup


::Report End

And I reran the scan today, and it still fixed 17 items. Here's the report:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         11:16:20 PM, 11/14/2005
 + Report-Checksum:      557CB4EE

 + Scan result:

   HKU\S-1-5-21-4018580023-3645477719-86686005-1007\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\180solutions\msbb -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1008\Software\ZServ -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\180solutions\msbb -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1009\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\180solutions -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\180solutions\msbb -> Spyware.180Solutions : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\LocalNRD -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{07B18EA9-A523-4961-B6BB-170DE4475CCA} -> Spyware.MyWebSearch : Cleaned with backup
   HKU\S-1-5-21-4018580023-3645477719-86686005-1010\Software\ZServ -> Spyware.BetterInternet : Cleaned with backup


::Report End

Do you want me to post a new hijackthis for my other 2 user accounts?

Many thanks again.

Jarcy
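As an added example (not code from this thread, from HijackThis, or from ewido), here is a small Python triage script for the two patterns guestolo was picking out of these logs: the HKCU Run entries with random three-letter names dropped straight into C:\WINDOWS or System32, and the R1 search-page entries pointing at a bare IP address or bestsearch.cc. The regex heuristics, the hijack-host list and the sample log lines are constructed for this example.

```python
"""Triage HijackThis log lines for the patterns seen in this thread.

Added example, not part of the forum thread or of HijackThis.
Flags two things:
  * O4 Run entries whose value name and executable are both capitalised
    three-letter names sitting directly in %WINDIR% or %WINDIR%\\System32
    with no arguments (e.g. "[Jps] C:\\WINDOWS\\Vnc.exe");
  * R0/R1 start/search-page entries whose host is a bare IP address or a
    known hijack host (the 69.50.191.52 / bestsearch.cc pair in the logs).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# HijackThis line shapes we care about (constructed regexes, not HijackThis code).
O4_RE = re.compile(r'^O4 - (?P<hive>HKCU|HKLM)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[01] - (?P<key>.+?) = (?P<url>.+)$')

# Heuristic for the dropper in this thread: a three-letter Xxx.exe directly in
# C:\WINDOWS or C:\WINDOWS\System32 (directory matched case-insensitively),
# started by a Run value whose name is also a three-letter Xxx token.
RANDOM_RUN_RE = re.compile(r'^(?i:C:\\WINDOWS\\(?:System32\\)?)(?P<file>[A-Z][a-z]{2})\.exe$')
RANDOM_NAME_RE = re.compile(r'^[A-Z][a-z]{2}$')

# Hosts that appeared in the hijacked R1 entries on this page (constructed list).
HIJACK_HOSTS = {"bestsearch.cc"}


@dataclass
class Finding:
    line: str      # the original HijackThis line, ready to tick in the tool
    reason: str    # why it was flagged
    path: str = "" # dropped executable, for O4 findings only


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious O4 or R0/R1 line, else None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd").strip()
        if RANDOM_NAME_RE.match(name) and RANDOM_RUN_RE.match(cmd):
            return Finding(line, f"random-named Run entry [{name}] -> {cmd}", cmd)
        return None
    m = R_RE.match(line)
    if m:
        # Non-URL values (e.g. a Window Title) yield no hostname and are ignored.
        host = (urlsplit(m.group("url").strip()).hostname or "").lower()
        if _is_ip(host):
            return Finding(line, f"start/search page points at bare IP {host}")
        if host in HIJACK_HOSTS:
            return Finding(line, f"start/search page points at known hijack host {host}")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log; returns findings in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def dropped_files(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated list of executables to check for after the fix,
    which is the follow-up question asked in the thread."""
    return sorted({f.path for f in findings if f.path})


# Constructed sample: a handful of lines modelled on the logs above, mixing
# legitimate entries with the hijack and random-name entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/1076/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/1076/search.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jps] C:\WINDOWS\Vnc.exe
O4 - HKCU\..\Run: [Glt] C:\WINDOWS\System32\Hkm.exe
O4 - HKCU\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
""".strip()

if __name__ == "__main__":
    found = triage_log(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}\n    {f.line}")
    print("Files to check for after FIX CHECKED:", dropped_files(found))
```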

Offline guestolo

« Reply #32 on: November 14, 2005, 11:34:43 PM »
Yes please
Post the logs from the other users

I want to try this one more time
From my signature below, try and run an online virus scan at Kaspersky's
You will be prompted to install an ActiveX component from Kaspersky, click Yes.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database:
            Extended (if available otherwise Standard)
          o Scan Options:
            Scan Archives
            Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
            Select My Computer
    * This program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
          o Now click on the Save as Text button:
    * Save the file to your desktop.
    * Copy and paste that information in your next post.



Offline Jarcy

« Reply #33 on: November 15, 2005, 05:32:32 PM »
Guestolo,

Well, I tried to run Kaspersky's, but it crashes. To be more precise, once I click on OK to install the ActiveX component, the usual prompt "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience" appears, and once I click on "Don't send", Explorer closes down.

My guess is that a clever virus knows which virus scanners are likely to pick it up, and hence crashes them before they get a chance to open.

Here's the Hijackthis logs for the other 2 users:

Adam:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:12 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.meshcomputers.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] C:\Program Files\Creative\SBAudigy2ZS\Program\Startup Menu\ChkColor.EXE
O4 - HKCU\..\Run: [Creative MediaSource Go] C:\Program Files\Creative\MediaSource\GO\CTCMSGo.exe /SCB
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IDMan] C:\PROGRA~1\INTERN~2\IDMan.exe /onboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)

And Sam:

Logfile of HijackThis v1.99.1
Scan saved at 9:59:06 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.meshcomputers.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali Internet Access
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [VirusScanMSC] "C:\Program Files\McAfee\McAfee VirusScan\VSStat.exe" /EMBEDDING
O4 - HKLM\..\Run: [IFSplash] ImmSplsh.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members14.clubphoto.com/_img/upload...tl_uploader.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - http://down.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {18D9C485-7EEC-4395-95DA-DC3875B10E81} (TEInstallPlugIn) - http://www.skylinesoft.com/interactive/ter...stallPlugIn.cab
O16 - DPF: {3a4f9191-65a8-11d5-85c1-0001023952c1} (TE) - http://www.skylinesoft.com/interactive/ter.../install/TE.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Internet Security (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Internet Security\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsu[censored]a Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\WINDOWS\System32\x10nets.exe (file missing)


Do you think this one has beaten me? Is it time to reinstall XP, or should I try anything else?

Many thanks for all your help. Jarcy

Offline guestolo

SmartSecurity and other problems
« Reply #34 on: November 17, 2005, 12:08:13 AM »
I think this has beaten me too, I'm not sure what's happening

I still see the following that needs cleaning
Run hijackthis and fix checked this entry

O4 - HKCU\..\Run: [Bln] C:\WINDOWS\Tnf.exe

Also fix this one; it looks legit, but it's running from the temp folder
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe

Reboot the computer

Back in Windows
I suggest that if McAfee's is expired you uninstall it completely and then reboot the computer
This should eliminate the possibility it is corrupt
I would remove all of it
I have free solutions if you need it

Back in Windows
Yup, you're right; if everything is still bad, go ahead and Repair the system
Then come back here and let me know how everything's going
You will have to reinstall Service packs for Windows

Make sure you backup important files and folders beforehand
Just to be safe


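The two things guestolo flags above (an unknown Run entry and a service executing out of the Temp folder) can be turned into a small triage pass over a HijackThis log. This is an added example, not code from this thread or from HijackThis; it assumes only the O4/O23 line format seen in the logs above, and the sample lines and rules are constructed.

```python
import re
from collections import namedtuple

# Constructed sample in HijackThis v1.99 format, in the style of the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Bln] C:\WINDOWS\Tnf.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: KE - Sysinternals - www.sysinternals.com - C:\DOCUME~1\JOHNCA~1\LOCALS~1\Temp\KE.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
""".strip()

O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<rest>.*)$")
# First drive-letter path ending in a binary extension, quoted or not.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|bin|ocx|scr)\b', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
WINROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)  # C:\WINDOWS\x.exe, not System32

Finding = namedtuple("Finding", "section name path reason")

def parse_entry(line):
    """Return (section, name, command) for an O4/O23 line, else None."""
    m = O4_RE.match(line)
    if m:
        return "O4", m.group("name"), m.group("cmd")
    m = O23_RE.match(line)
    if m:
        # "<display name> - <company> - <path ...>": the path is the last field.
        head, _, cmd = m.group("rest").rpartition(" - ")
        return "O23", head.split(" - ", 1)[0], cmd
    return None

def check_entry(section, name, cmd):
    """Apply the triage rules (heuristics, not a verdict) to one entry."""
    m = PATH_RE.search(cmd)
    path = m.group(0) if m else ""
    findings = []
    if "(file missing)" in cmd:
        findings.append(Finding(section, name, path, "target file missing: dead entry, safe to fix"))
    if TEMP_RE.search(path):
        findings.append(Finding(section, name, path, "runs from a temporary directory"))
    if section == "O4" and WINROOT_RE.match(path):
        findings.append(Finding(section, name, path, "binary sits directly in the Windows root: review"))
    return findings

def scan_log(text):
    """Run every O4/O23 line of a HijackThis log through check_entry."""
    findings = []
    for line in text.splitlines():
        parsed = parse_entry(line.strip())
        if parsed:
            findings.extend(check_entry(*parsed))
    return findings
```

On the sample above it flags Bln, KE and the dead McAfee Firewall service and leaves the NVIDIA and Messenger entries alone; a hit is a prompt to look the file up, not proof of infection.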

Offline Jarcy

SmartSecurity and other problems
« Reply #35 on: November 20, 2005, 07:22:12 PM »
Guestolo,

Will try the XP repair route. Need to spend time backing up now (if I could only get my new HDD to work; I'm sure it's faulty, so I'm going to exchange it, but that's another story!).

You mentioned that you have a recommendation for a free virus scanner. Is it as good as say McAfee or Norton? If so, yes please, could you post details. Also I think you've mentioned in the past a recommended firewall? I want to set up parental controls, as the kids are using the 'net more now. I was going to use the McAfee tools, but does your recommendation have an alternative solution?

Many thanks again.

Jarcy.

Offline Jarcy

SmartSecurity and other problems
« Reply #36 on: November 24, 2005, 07:21:13 PM »
Guestolo,

Do you have any recommendations for alternative Virus scan and firewall?

Many thanks,

Jarcy

Offline guestolo

SmartSecurity and other problems
« Reply #37 on: November 24, 2005, 10:01:29 PM »
Here's what I suggest if you want the free tools for the family computer

Anti-Virus software>>AVAST

Firewall>>I would Update to Windows service pack 2
It includes a better firewall, some say not the best, but it does the job
However, if you're like many and want a better firewall than XP provides,
I suggest either
Sygate or ZoneAlarm

Both have free versions
Don't run more than one software firewall on your computer; this includes the firewall built into XP
That goes for an AV too
This can cause conflicts and decrease system performance

For Spyware and other malware>> I have 3 tools I always have installed
All free
Ad-Aware SE Personal 1.06
Spybot 1.4
Microsoft Anti-Spyware Beta

2 of the above have realtime protection
Spybot has the TeaTimer and MAS also has realtime protection
I recommend not enabling the TeaTimer and only using the realtime protection built into MAS
But in Spybot I would use the Immunize feature
Click Immunize>>OK>>Immunize at the top green cross
Do that after every update
This way the only program really running in the background is MAS out of those 3

I would also install SpywareBlaster
Doesn't run in the background
Just install it>>Check for updates>>click the "Enable all protection" link
Do this after every update>>>You should check for updates every couple of weeks

I hope this helps
All the links to those programs can be found HERE
« Last Edit: November 24, 2005, 10:28:23 PM by guestolo »



Offline Jarcy

SmartSecurity and other problems
« Reply #38 on: December 01, 2005, 09:34:17 AM »
Guestolo,

Many thanks for the suggestions. It's an invaluable list when coupled with advice as to which to run realtime.
One day someone will develop a solution to cover everything. (Thought that's what I was buying when I purchased McAfee Internet Security, but not so). I'm now backing up to a new hard drive, prior to running the XP repair / reinstall. Will post how I get on.

Many thanks!
Jarcy.