
Thread: Help with HJT log please(Resolved)

  1. #11
    Join Date
    Jan 2007
    Posts
    22
    Okay, I am back. Thank you for your help. I knew something was living in that System Restore, I just did not know how to find it. Here is my log from AVG.


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:20:55 PM 1/3/2007

    + Scan result:



    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP49\A0007951.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP49\A0007952.exe -> Backdoor.IRCBot.qc : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP49\A0007953.exe -> Dropper.Delf.xo : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP49\A0007954.exe -> Dropper.Delf.xo : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP49\A0007955.exe -> Dropper.Delf.xo : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP17\A0002305.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Ignored.
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP17\A0002306.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Ignored.
    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP17\A0002307.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Ignored.
    C:\Documents and Settings\Jonathan Gallimore\My Documents\Key Generators\WINDOWS XP PRO OR HOME KEY GEN KEYGEN, NO ACTIVATION HACK REALL.zip/KeyGen/Files/Windows.exe -> Not-A-Virus.NetTool.Win32.CalcFolding@Home : Ignored.
    C:\WINDOWS\system32\LS_DivX_5.0_Pro_Bundle_Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.


    ::Report end

  2. #12
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Well, for my money, I would recommend you DO get rid of these programs. Both are listed as unwanted on several websites:

    C:\Documents and Settings\Jonathan Gallimore\My Documents\Key Generators\WINDOWS XP PRO OR HOME KEY GEN KEYGEN, NO ACTIVATION HACK REALL.zip/KeyGen/Files/Windows.exe -> Not-A-Virus.NetTool.Win32.CalcFolding@Home : Ignored.

    For those who don't know what a Key Generator is;
    Keygens are made available by software cracking groups for free download on various websites dedicated to software piracy.

    C:\WINDOWS\system32\LS_DivX_5.0_Pro_Bundle_Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
    The bold entry above has been listed on various sites as a potentially unwanted program. I found notes on two different sites that it is being investigated as a Trojan downloader as recently as December 6, 2006. The program it is connected with I could find no information about whatsoever.

    Using these types of programs you "may" feel you are getting something for free...you are...just look at what you have ended up with on the computer. Is it worth it? Plus it can cost others dearly too by "sharing" your "free" stuff.
    Boot to Safe Mode and uninstall those two via Add/Remove. Do a file search for any remaining from them and remove anything you find.
    Then stay in Safe Mode and run the AVG program again and fix whatever is found. Save the log.
    Reboot to normal mode and post back here with the new log and we will see how things stand.

  3. #13
    Join Date
    Jan 2007
    Posts
    22
    I did everything as asked. I did notice some weird files in those reports from AVG about Mozilla. I uninstalled Mozilla a while ago because something nasty was living in there. I deleted my Mozilla files as well. I deleted every key gen, and then some, that had to do with the problems that you identified. How does the scan look now? I told the system to quarantine the following file identified by AVG: C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP50\A0008169.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).

    I appreciate all of your help. Your skills and knowledge are quite impressive. Thank you.




    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:15:48 PM 1/4/2007

    + Scan result:



    C:\System Volume Information\_restore{9CEC4C85-9771-4F99-8ABC-5B4038690BA4}\RP50\A0008169.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Jonathan Gallimore\Cookies\jonathan_gallimore@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

  4. #14
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    This AVG log looks much better and it looks like you did some real cleaning. Bravo to you.

    Now I am not certain what "weird files in those reports from AVG about Mozilla" you are talking about. I see two Mozilla entries in the very first AVG report:

    :mozilla.11:C:\Documents and Settings\Jonathan Gallimore\Application Data\Mozilla\Firefox\Profiles\1oglyeh6.default\cookies.txt -> TrackingCookie.Overture : No action taken.
    :mozilla.7:C:\Documents and Settings\Jonathan Gallimore\Application Data\Mozilla\Firefox\Profiles\1oglyeh6.default\cookies.txt -> TrackingCookie.Overture : No action taken.
    There really isn't anything weird about these two; they are tracking cookies from Overture, which is now owned by Yahoo.
    Firefox by Mozilla is one of the safest and most highly recommended browsers around because it is certainly "not susceptible to the same evils as IE", as PP says in his sticky PROTECT YOURSELF FROM MALWARE: Tools & Tips.
    Follow his steps in that sticky, including the install of SpywareBlaster, use safe surfing practices, stay away from those KeyGens and file sharing sites, and you will be well protected.
    Give me one more new HJT scan log to be safe, OK?
    Judy

  5. #15
    Join Date
    Jan 2007
    Posts
    22
    Okay, well, I deleted those. They were weird because I removed Firefox. Something nasty was in there. So any Firefox or Mozilla files I am wary of because I do not have that program. C?

    Thank you

  6. #16
    Join Date
    Jan 2007
    Posts
    22
    Okay, I like your style.

    Here it is with TeaTimer on:


    Logfile of HijackThis v1.99.1
    Scan saved at 12:19:41 AM, on 1/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\Analyze.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.co...x/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Here it is without TeaTimer on:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:20:33 AM, on 1/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\hijackthis\Analyze.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5...ws-i586-jc.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by107fd.bay107.hotmail.msn.co...x/HMAtchmt.ocx
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: lxcg_device - - C:\WINDOWS\system32\lxcgcoms.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  7. #17
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    The log looks pretty good really. But let me comment on a few things:

    First of all, when running an HJT scan it is VITALLY important that ALL unnecessary items be turned OFF.
    In each and every one of your HJT scans you can see, in Running Processes (meaning these programs WERE running during the scan), one or more of each of the programs noted below:

    Internet Explorer
    Notepad
    Windows Media Player
    Windows Messenger Utility

    Each one of these can, and should, be started manually when used and not set to auto-start with the boot of the computer; the same goes for the Adobe programs. These ALL will slow the boot process and slow down the computer if running all the time, and they definitely should be turned off when running scans, any kind of scan.

    In your post detailing problems experienced you mention that you have multiple svchost.exes running. I went through your logs and counted no more than 5 instances of svchost.exe running in any of the logs. With Windows XP this is completely normal. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load. Multiple instances of Svchost.exe can and do run at the same time. Each Svchost.exe session can contain a grouping of services. Therefore, separate services can run, depending on how and where Svchost.exe is started. At this very moment my computer also shows 5 instances of svchost.exe running. There is nothing unusual about this.

    If you are still concerned about this number, which really is completely normal, you can view the list of services that are running in Svchost by doing this:
    1. Click Start on the Windows taskbar, and then click Run.
    2. In the Open box, type CMD, and then press ENTER.
    3. Type Tasklist /SVC, and then press ENTER.

    Just doing the process above I looked at my 5 instances of svchost.exe running and all were legitimate; one of them was running 10 different services necessary for the use of the computer and the other four were running one or two each, all also necessary for the running of the computer.


    Now you again say that those cookies found noted in Mozilla were weird because you had uninstalled it. The program itself may be gone and no longer running, or able to be run, but the Mozilla folder is not, which also is completely normal. It is located in
    C:\Documents and Settings\Jonathan Gallimore\Application Data\
    navigate there and you will see, in the Application Data folder, a Mozilla folder. If you wish you can delete that folder.

    Whenever you uninstall a program, after going through the normal uninstall process via Add/Remove, you should always also do a file search on the computer to look for other remaining files with the name of the program. Many, many GOOD programs (and Mozilla is one of them) DO leave behind their file folder (probably for ease of reinstall), which you must remove manually. There was absolutely nothing from Mozilla showing in any of your HJT logs, so there was nothing from Mozilla running on the computer. Those two cookies were in that file. There is nothing wrong with them. Not all cookies are bad; many are necessary for ease of browsing.

    Now for TeaTimer. The reason you are told to turn this off:
    The removal in Hijackthis of some BHO (Browser Helper Objects), R1 and R0 entries and other startup items that are bad may be impeded by the startup TeaTimer resident program in Spybot Search & Destroy and also SpywareGuard (and other protection programs like WinPatrol, AVG Anti-spy, Spysweeper, etc..).

    You may receive prompts during a cleanup process to allow or deny the desired changes, but the prompts will not always show up. The main reason for that is when a malware entry is spotted by TeaTimer or the others, it'll prompt the user; if they say no, the change will not be made... but, as long as the infection remains, these changes will attempt to be made regardless of protection programs. The prompts will most likely drive the user nuts. They'll want to get rid of the prompts and will eventually say "OK, you win" and check the "remember this decision" check box so they'll be left alone. TeaTimer remembers that decision and if something else tries to remove any entry that's been made, it'll automatically reject it without prompting the user.

    In other words ANY anti-spy program running in the background should be turned off until the cleaning process is complete and you are TOLD to turn them back on. But you do NOT turn off the anti-virus program unless told to do so.

    As I said, your log looks good. So, if you agree I believe things are cleaned up. Now I have some suggestions:

    I still recommend Firefox OVER Internet Explorer. The only exception of course is Windows Updates where you must use Internet Explorer. Firefox is one of the safest browsers out there.
    Firefox keeps you safe from spyware, hackers, scammers and spammers. When you encounter a Web site that is a suspected forgery (known as a “phishing” site) Firefox will warn you and offer to take you to a search page so you can find the real Web site you were looking for. Firefox will not allow a Web site to download, install, or run programs on your computer without your explicit agreement. Period. You will be notified whenever downloading or installing software, and Firefox will always tell you what’s happening so that you can stay in control of your computer.

    I really do hope you will download and install SpywareBlaster. It is one of the BEST protection programs available and it is FREE. The best part...It DOES NOT run in the background so it cannot slow down your computer. This is the only constant protection, other than my firewall and anti-virus program that I use. I don't use any background scanners. I do use AVG Anti-spy, AdAwareSE and Spybot for manual scanning weekly but I do not have any of them running in the background.
    If you use SpywareBlaster you will be amazed at how little, if anything these other three find during their scans. I do a lot of searching when working on one of these threads. I visit a lot of sites I normally would not visit and I have had NO nasty items show up on my computer because of these searches and I have no other explanation except for the use of SpywareBlaster.

    I would also recommend a little program called Mike Lin's StartUp Control Panel
    It is a simple, little FREE program that, when you download and install it, can then be found in your Control Panel. It is a super, easy way to control your auto-start programs. I highly recommend it.
    Now if you feel the computer is clean I advise that you set a new and now clean Restore Point in System Restore by right clicking My Computer. Choose Properties. When System Properties opens choose the System Restore tab. Place a checkmark in Turn Off System Restore. You will be asked if you are sure, say yes or Ok. System Restore will shut down. Wait a minute and then do the reverse and remove that checkmark and it will come back on with a new, clean Restore point.
    Let me know how things progress.
    Judy
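Two of the steps in the post above (searching the whole machine for folders a program left behind after uninstall, and turning System Restore off and back on so only a clean restore point remains) can be scripted. The following is an added example written for this thread, not something Judy or the forum posted; it assumes Windows PowerShell 5.1 on Windows 7 or later (the cmdlets do not exist on the XP system discussed in the thread, where the manual steps in the post are the equivalent). Run it from an elevated prompt for the restore-point part.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later.

function Find-LeftoverProgramFiles {
    <#
      Look under the folders where uninstallers most often leave debris
      (Program Files, ProgramData, roaming and local Application Data)
      for directories whose name contains the uninstalled program's name.
    #>
    [CmdletBinding()]
    param(
        # Name or fragment of the uninstalled program, e.g. 'Mozilla'
        [Parameter(Mandatory)] [string] $ProgramName
    )

    $roots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        $env:ProgramData,
        $env:APPDATA,           # roaming Application Data (where the Mozilla folder in the post lives)
        $env:LOCALAPPDATA       # local Application Data
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    foreach ($root in $roots) {
        # -Depth 2 keeps the search to vendor/product folders instead of crawling every file
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Depth 2 -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*$ProgramName*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    FileCount     = (Get-ChildItem -LiteralPath $_.FullName -File -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
                }
            }
    }
}

function Reset-SystemRestorePoints {
    <#
      Scripted form of the "turn System Restore off, wait, turn it back on" step:
      disabling protection for the drive discards the existing restore points
      (including any that hold quarantined malware copies), re-enabling it and
      taking a checkpoint leaves one clean restore point.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Drive = "$env:SystemDrive\"   # e.g. 'C:\'
    )

    if ($PSCmdlet.ShouldProcess($Drive, 'Discard all restore points and create one clean point')) {
        Disable-ComputerRestore -Drive $Drive
        Enable-ComputerRestore  -Drive $Drive
        Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'
        Get-ComputerRestorePoint | Select-Object SequenceNumber, Description, CreationTime
    }
}

# Usage: review what is left behind first, then decide whether to delete it by hand.
Find-LeftoverProgramFiles -ProgramName 'Mozilla' | Format-Table -AutoSize
# Reset-SystemRestorePoints -WhatIf   # drop -WhatIf to actually do it
```

The search reports folders rather than deleting them, so leftovers such as a browser profile directory can be reviewed before removal. Note that Windows 8 and later will silently skip `Checkpoint-Computer` if another restore point was created within the last 24 hours unless the `SystemRestorePointCreationFrequency` registry value is lowered, so check the list it prints at the end.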

  8. #18
    Join Date
    Jan 2007
    Posts
    22
    Last night I did install Spyware Blaster and I plan in installing a better firewall than Norton or Windows can provide. I would like to monitor incoming and outgoing traffic. I am still not a big fan of Firefox but I agree that it is safer than IE 6. Me, personally, I have been using IE7 for the last 2 months and it has many of the security upgrades that you referenced to Firefox (i.e. phishing filter, notifying about downloads, etc.). Do you know if IE 7 is any safer? I do have Adaware and Spybot already installed and plan to keep AVG as well and use all of them for weekly cleaning of course.

    The reason why you kept seeing IE, Notepad, Windows Media Player, and Windows Messenger Utility is because I have those programs open to follow your instructions, listen to music, and receive e-mail notifications. I do use MSCONFIG on my computer and do a selective startup. As of now, the only program that starts when my computer does is Norton, windows, and my java script (and I can probably turn that off too). I wish that I knew how to keep programs from writing themselves as a start up value while installing. Until then I will just turn them off with MSCONFIG or I will use Mike Lin's StartUp Control Panel as you suggested.

    Thank you for the info about the svchost.exe files. I was reading up on it after I posted my request and found pretty much exactly, what you had said here, in the Microsoft Knowledge Base.

    I understand about tea timer. Thank you. Makes sense and it is off. I did Immunize last night with Spybot too.

    Thank you for the search tip after the removal of programs. Typically, I just look in C:\Program Files and find the folder for the program that I uninstalled and erase that program’s folder, files, and everything. Now I will do as you suggest and search the entire computer for any files as well.

    I created a restore point last night but I will do as you suggest and create one now.

    Finally, I would like to thank you for your help and your knowledge. I am not sure what you get out of helping others like me after all it has to take some time to do what you do but whatever your motives are your heart is solid gold. Keep on doing what you do. WE NEED IT!!! Thanks again.

  9. #19
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    I cannot say one way or another if IE7 is safer...it IS safer than earlier editions of IE but is it safer than Firefox? I would hesitate to say yes since IE 7 has not been available that long, and no, to anticipate your question, I have not installed it myself yet as I am very satisfied with Firefox 2. Though I know probably at some point I will have to do so. Until then, I will continue with my IE6 for Windows Updates and "surf along" with my Firefox 2.
    Glad you installed SpywareBlaster. Don't forget to enable its Restricted Sites option also.

    My error when giving the instructions; I should have told you to print out the instructions first. Then you would not need Internet Explorer or Notepad running. However these two; Windows Media Player, and Windows Messenger Utility had absolutely nothing to do with removing malware, spyware, viruses etc., and should have remained closed until all cleaning was complete. Neither one needs to be running all the time.

    Norton Firewall DOES provide monitoring of both incoming and outgoing traffic so frankly, a different firewall is not needed. The KEY thing is Only ONE firewall operating on a system, NEVER more than one. So if you do have the Windows Firewall turned on, turn it off. If you have two running it will actually lessen the protection because they will conflict with each other and can let something slip in.

    Sounds to me like you have all bases covered. You did great!
    Thanks for the kind words. You wonder why I do this? I just love computers and I know how frustrating it is when they don't work as you would like them to or as they should. Any way I can help others get theirs up and running as fast and as clean as possible is just something I love to do.
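The "only ONE firewall" point in the post above is easy to check rather than guess at. The following is an added example written for this thread, not code from the forum or from any product mentioned here; it assumes Windows 8 / Server 2012 or later for `Get-NetFirewallProfile`, and a client edition of Windows for the `root/SecurityCenter2` namespace in which third-party firewalls register. The decoding of `productState` is a widely observed convention, not a documented contract, and is labelled as such in the code.

```powershell
# Added example (not from the thread). Assumes Windows 8+ and a client edition of Windows.

function Get-ActiveFirewallSummary {
    <#
      Report the built-in Windows Firewall state per profile and any third-party
      firewall registered with Security Center, and flag the case the post warns
      about: more than one host firewall active at the same time.
    #>
    [CmdletBinding()]
    param()

    # Built-in firewall: one entry per profile (Domain, Private, Public).
    $builtIn = Get-NetFirewallProfile | Select-Object Name, Enabled

    # Third-party firewalls register in root/SecurityCenter2. productState is a
    # bit field; the convention (assumption, not documented) is that 0x10 in the
    # middle byte means the product is enabled.
    $thirdParty = @()
    try {
        $thirdParty = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Name    = $_.displayName
                    Enabled = ((($_.productState -shr 8) -band 0x10) -ne 0)
                }
            })
    } catch {
        Write-Verbose "Security Center query failed (server edition?): $($_.Exception.Message)"
    }

    $thirdPartyActive = @($thirdParty | Where-Object Enabled).Count
    $windowsActive    = [int](@($builtIn | Where-Object Enabled).Count -gt 0)

    [pscustomobject]@{
        WindowsFirewallProfiles = $builtIn
        ThirdPartyFirewalls     = $thirdParty
        # True when the built-in firewall and a third-party one (or two third-party
        # ones) are on together, which is the conflict the post describes.
        Conflict                = ($thirdPartyActive + $windowsActive) -gt 1
    }
}

# Usage
$summary = Get-ActiveFirewallSummary -Verbose
$summary.WindowsFirewallProfiles | Format-Table -AutoSize
$summary.ThirdPartyFirewalls     | Format-Table -AutoSize
"Conflicting firewalls: $($summary.Conflict)"
```

If `Conflict` comes back `True`, the fix is the one in the post: leave one firewall running and turn the other off (for the built-in one, `Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False`), then re-run the summary to confirm.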
