**HJT logs**

  1. 20-06-2006  #1
    k-sparky-k
    k-sparky-k is offline Full Member

    **HJT logs**

    I got a probelm i think its a virus it has the pop up"your computers infected...." here my hjt logs

    Logfile of HijackThis v1.99.1
    Scan saved at 3:50:56 PM, on 20/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    C:\WINPENJR\Win32\pphidpad.exe
    C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\windows\system32\drivers\helpsys\msnexplorer.ex e
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
    C:\WINPENJR\Win32\acremchk.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    c:\varoi.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
    O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
    O4 - HKLM\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.ex e
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [MSN Explorer] C:\windows\system32\drivers\helpsys\msnexplorer.ex e
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Global Startup: DVD@ccess.lnk = ?
    O4 - Global Startup: PenPower Email Touchpad.lnk = ?
    O4 - Global Startup: PenPower PenKeyboard.lnk = C:\WINPENJR\win32\penkeybd.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www
    O16 - DPF: ConferenceRoom Java Client - http://chat.bigpond.com/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web665.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: gdimxp - gdimxp.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

  3. 20-06-2006  #2
    k-sparky-k
    k-sparky-k is offline Full Member
    also i did a ewido scan, here are the new hjt logs

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 4:55:19 PM, 20/06/2006
    + Report-Checksum: 8892C9AA

    + Scan result:

    [632] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Cleaned with backup
    [656] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [708] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [720] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [872] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [928] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [992] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1052] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1104] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1324] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1392] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1388] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1620] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1756] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1800] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1944] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1980] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1996] C:\Windows\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [2004] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [2012] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [2020] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [164] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [180] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [212] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [236] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [244] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [276] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [316] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [372] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [380] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [404] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [416] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [420] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [440] C:\windows\system32\drivers\helpsys\msnexplorer.ex e -> Backdoor.Agent.vk : Cleaned with backup
    [448] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [768] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [972] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1152] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1572] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1632] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1616] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1788] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [2264] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [2324] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [2464] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [3232] C:\WINDOWS\system32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1280] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [256] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [1784] C:\WINDOWS\System32\ordermas2.dll -> Trojan.Gobex : Error during cleaning
    [3732] c:\varoi.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
    C:\Documents and Settings\k-sparky-k\Local Settings\Temp\Rar$EX24.515\crack.exe -> Downloader.Adload.bo : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.33:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Targetnet : Cleaned with backup
    :mozilla.37:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Targetnet : Cleaned with backup
    :mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Targetnet : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Burstnet : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    :mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
    :mozilla.156:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.157:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Euroclick : Cleaned with backup
    :mozilla.158:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.159:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.160:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Advertising : Cleaned with backup
    :mozilla.166:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.170:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.177:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.190:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
    :mozilla.207:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.208:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.209:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.210:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.211:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.212:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.213:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.217:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Esomniture : Cleaned with backup
    :mozilla.218:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.219:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.220:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.221:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.222:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
    :mozilla.224:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    :mozilla.230:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.270:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.281:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\8dhts87h.default\coo kies.txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@digitalhomediscountpt yltd.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll -> Adware.Softomate : Cleaned with backup
    C:\Program Files\Warcraft III\URL2FILE.EXE -> Not-A-Virus.Downloader.Win32.Url2File.a : Cleaned with backup
    C:\tlls.exe -> Downloader.Small.chk : Cleaned with backup
    C:\varoi.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
    C:\WINDOWS\system32\drivers\helpsys\msnexplorer.ex e -> Backdoor.Agent.vk : Cleaned with backup


    ::Report End

    Logfile of HijackThis v1.99.1
    Scan saved at 5:00:26 PM, on 20/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    C:\WINPENJR\Win32\pphidpad.exe
    C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
    C:\WINPENJR\Win32\acremchk.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
    F2 - REG:system.ini: Shell=explorer.exe
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
    O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
    O4 - HKLM\..\Run: [orderShell] C:\Documents and Settings\k-sparky-k\orderxfly.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O4 - Global Startup: DVD@ccess.lnk = ?
    O4 - Global Startup: PenPower Email Touchpad.lnk = ?
    O4 - Global Startup: PenPower PenKeyboard.lnk = C:\WINPENJR\win32\penkeybd.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www
    O16 - DPF: ConferenceRoom Java Client - http://chat.bigpond.com/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web665.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: gdimxp - gdimxp.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    Last edited by k-sparky-k; 20-06-2006 at 08:01 AM.
  4. 20-06-2006  #3
    VopThis
    VopThis is offline Senior Member (Canada)
    O4 - HKCU\..\Run: [SHELL] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    http://www.processlibrary.com/directory/files/ibm00001/



    I'm afraid I have unpleasant news for you. You have a very dangerous infection on this machine. With a serious infection like this, I would recommend that you seriously consider a reformat and reinstall.

    If you do not want to do this, do not ever use the computer for anything confidential. Let us know how you wish to proceed.


    The infection installs itself primarily in machines that have not had all the Win XP updates installed. It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to anything else present...

    My best recommendation is to Disconnect from internet, Re-Format the entire drive and re-install your Operating system and Applications.

    We can likely clean the infected files off the computer but we cannot be sure that the files involved didn't do anything to your system to reduce overall system security. Even after removal of the infection, you could be vulnerable to another attack or takeover as soon as you connect to the net again.

    You are strongly advised to do the following immediately:
    1. Disconnect infected computer from the Internet and from any networked computers until the computer can be cleaned.

    2. If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts and/or change all your account numbers.

    3. From a clean computer, change *ALL* your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    Also take any other steps appropriate for an attempted identity theft.







    Having said all the above, two minimum items should be cleaned as an interim measure:


    Read over the following directions. Ask if anything appears unclear to you.


    Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
    http://www.thatcomputerguy.us/downloads/clean.bat



    We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O4 - HKLM\..\Run: [ORDERSHELL] C:\Documents and Settings\k-sparky-k\orderxfly.exe
    O4 - HKCU\..\Run: [SHELL] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

    Go to Start > Run and type: CLEANMGR.EXE and hit enter.
    When prompted select the C: drive and click ok.
    Check the boxes for:
    • Temporary Internet Files
    • Downloaded Program Files
    • Recycle Bin
    • Temporary Files
    Click OK or Enter

    For additional, more thorough cleaning and for multi-profile user configurations:
    (*) Run Clean.bat to clean up your TEMPorary files.

    ***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\Documents and Settings\k-sparky-k\orderxfly.exe
    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe



    Re-run Ewido if you wish. However, as stated, the nature of your PC's infection may never truly be resolvable with 100% confidence.


    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
  5. 24-06-2006  #4
    k-sparky-k
    k-sparky-k is offline Full Member
    sorry i wasnt able to connect to the site till now.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:25:58 AM, on 24/06/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Windows\system32\HpSrvUI.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Lexmark 4200 Series\lxbmbmon.exe
    C:\WINPENJR\Win32\pphidpad.exe
    C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINPENJR\Win32\acremchk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet Cable
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
    O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [Lexmark 4200 Series] "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
    O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] "C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - Global Startup: DVD@ccess.lnk = ?
    O4 - Global Startup: PenPower Email Touchpad.lnk = ?
    O4 - Global Startup: PenPower PenKeyboard.lnk = C:\WINPENJR\win32\penkeybd.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www
    O16 - DPF: ConferenceRoom Java Client - http://chat.bigpond.com/java/cr.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
    O16 - DPF: {2B36F775-8CF5-4489-B454-2D1B80984CF2} (FXPluginCtl Object) - http://www.powerflasher.de/plugin/powerres.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info...TunesSetup.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://www.shizmoo.com/activex/web665.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
    O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15010/CTPID.cab
    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O20 - Winlogon Notify: gdimxp - gdimxp.dll (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PRTG Service - Paessler Router Traffic Grapher (PRTGService) - Paessler GmbH - C:\Program Files\PRTG Traffic Grapher\PRTG Traffic Grapher.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  6. 24-06-2006  #5
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    Keeping in mind what has happened on your PC and what may still be present, you may want to run Ewido again to see if previous error message items now cleanup OK.
+ Reply to Thread
« E.mail worm(RESOLVED) | help please...thanks »