
Please Check.

Discussion in 'Windows - Virus and spyware problems' started by Sylenser, Feb 18, 2007.

  1. Sylenser

    Sylenser Member

    Joined:
    Nov 6, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    No Problems that I know of. Just want to make sure.


    Thanks


    Logfile of HijackThis v1.99.1
    Scan saved at 9:47:02 PM, on 2/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Codename Max\max.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
    C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\RON~1.DES\LOCALS~1\Temp\Rar$EX00.031\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - C:\WINDOWS\SecureWin31.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Microsoft Codename Max] "C:\Program Files\Microsoft Codename Max\max.exe" /systray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
     
  2. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    Actually... you have quite a serious problem.

    O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe

    That is a Bot infection... one that drops a RootKit.

    Info on the Bot can be found here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.CLU&VSect=T

    Info on the RootKit can be found here:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ROOTKIT.E&VSect=P

    Your safest course of action may be to format your Hard Drive and reinstall Windows.

    I can clean the infections... but cannot guarantee the security of your PC afterwards as I have no way of knowing the total damage done by the Bot and RootKit.

    Let me know which way you want to go.
     
  3. Sylenser

    Right now, I would like to just fix it. I will reformat my HD in a few weeks when I have the time to back up everything that I need to back up.


    WOW....Good thing I decided to post the Hijack log. Was just a spur of the moment type thing actually.


    Ron
     
  4. KotaGuy

    Ok then :)

    Print these instructions out as you will need to boot into Safe Mode and won't have access to them.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Download rdrivRem.zip and unzip it to your desktop.

    Please then reboot your computer in Safe Mode by doing the following:
    - Restart your computer.
    - After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
    - Instead of Windows loading as normal, the Advanced Options Menu should appear.
    - Select the first option, to run Windows in Safe Mode, then press Enter.
    - Choose your usual account.
    - Run and scan with HijackThis. Place a check beside the following:

    O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
    O4 - Startup: PowerReg Scheduler.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/we...aploader_v6.cab

    - Close all open windows and click the Fix button.
    - Please go into the rdrivRem folder and double-click rdrivRem.bat to run the program; follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.
    - Open the extracted SDFix folder and double-click RunThis.bat to start the script.
    - Type Y to begin the cleanup process.
    - It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
    - Press any key and it will restart the PC.
    - When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    - Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
    - Finally, paste the contents of Report.txt and rdriv.txt back on the forum with a new HijackThis log.

    Thanks.
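As an added example (not code from this thread, nor from HijackThis, SDFix or rdrivRem), here is a small Python parser for HijackThis 1.99.1 logs that automates the two checks a helper does when the follow-up log arrives: are the entries they asked to tick gone, and what else changed between the two scans. The sample logs are constructed excerpts of the lines posted in this thread.

```python
"""Parse HijackThis v1.99.1 logs: verify a fix list and diff two scans.

Every non-process log line has the shape  <code> - <body>, where <code>
is R0..R3 (IE URL settings) or O1..O23 (O2 BHOs, O4 autostarts, O16
DPF downloads, O23 services, ...). After a helper names entries to tick
and asks for a fresh log, two checks remain: are those entries gone,
and what else changed between the two scans?
"""
import re

# "O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe" -> ("O4", "HKLM\..\Run: [Secure] ...")
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")

def parse_hjt(text):
    """Split a log into (processes, entries): the paths listed under
    'Running processes:' (block ends at the first blank line) and the
    (code, body) tuples in log order. Leading whitespace is ignored."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries

def parse_fix_list(text):
    """A helper's 'place a check beside' lines, as (code, body) tuples."""
    return parse_hjt(text)[1]

def still_present(entries, fix_list):
    """Fix-list entries that survive in a log; empty once the fix took."""
    have = set(entries)
    return [e for e in fix_list if e in have]

def diff_entries(before, after):
    """(removed, added): entries only in `before`, and entries only in `after`."""
    b, a = set(before), set(after)
    removed = [e for e in before if e not in a]
    added = [e for e in after if e not in b]
    return removed, added

# Constructed excerpts of the thread's first and second logs, trimmed to the
# entries the cleanup targeted plus a few benign ones that stayed.
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:47:02 PM, on 2/18/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Internet Security Class - {A75E294E-C047-4D29-B07E-37B792881BEF} - C:\WINDOWS\SecureWin31.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:59:47 AM, on 2/21/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# The three lines the helper asked to tick in HijackThis.
FIX_LIST = r"""
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - Startup: PowerReg Scheduler.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
"""

if __name__ == "__main__":
    _, before = parse_hjt(BEFORE)
    _, after = parse_hjt(AFTER)
    print("still present:", still_present(after, parse_fix_list(FIX_LIST)))
    removed, added = diff_entries(before, after)
    for tag, group in (("removed", removed), ("added", added)):
        for code, body in group:
            print(f"{tag}: {code} - {body}")
```

The diff also surfaces entries that vanished without being ticked, as with the O2 SecureWin31.dll BHO, which is present in the thread's first log and absent from the second.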
     
  5. Sylenser


    SDFix: Version 1.66

    Run by Ron - Tue 02/20/2007 @ 8:20:12.57

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:

    Path:


    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    No Trojan Files Found...




    ADS Check:

    C:\WINDOWS\system32
    No streams found.


    Final Check:

    Remaining Services:
    ------------------


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Disabled:mIRC"
    "C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Disabled:TrueVector Service"
    "C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
    "C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"
    "C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe"="C:\\Program Files\\InterVideo\\WinDVD4PR\\WinDVD.exe:*:Disabled:WinDVD"
    "C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe"="C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\dfbhd.exe:*:Enabled:dfbhd"
    "C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE"="C:\\Program Files\\NovaLogic\\Delta Force Black Hawk Down\\UPDATE.EXE:*:Enabled:UPDATE"
    "C:\\Program Files\\America's Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
    "C:\\Westwood\\RA2\\patchget.dat"="C:\\Westwood\\RA2\\patchget.dat:*:Enabled:patchgrabber"
    "C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE"="C:\\Program Files\\Maxis\\SimCity 3000 Unlimited\\Apps\\Updater\\UPDATER.EXE:*:Enabled:SC3UpdaterMFC"
    "C:\\Program Files\\WS_FTP Pro\\wsftppro.exe"="C:\\Program Files\\WS_FTP Pro\\wsftppro.exe:*:Enabled:WS_FTP Pro Application"
    "C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"
    "C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
    "C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe:*:Enabled:Yahoo! Music Engine"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
    "C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
    "C:\\Program Files\\RedLightCenter\\RedlightCenter\\RedLightCenter.exe"="C:\\Program Files\\RedLightCenter\\RedlightCenter\\RedLightCenter.exe:*:Disabled:RedLightCenter"
    "C:\\Program Files\\Microsoft Codename Max\\max.exe"="C:\\Program Files\\Microsoft Codename Max\\max.exe:*:Enabled:Microsoft Codename Max"
    "C:\\Program Files\\Abacast\\Abaclient.exe"="C:\\Program Files\\Abacast\\Abaclient.exe:*:Enabled:Abaclient"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Envelope Manager\\DAZzle\\DAZZLE.EXE"="C:\\Program Files\\Envelope Manager\\DAZzle\\DAZZLE.EXE:*:Enabled:DAZzle"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Microsoft Codename Max\\max.exe"="C:\\Program Files\\Microsoft Codename Max\\max.exe:*:Enabled:Microsoft Codename Max"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


    Remaining Files:
    ---------------



    Checking For Files with Hidden Attributes :

    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
    C:\Program Files\InterActual\InterActual Player\iti10B9.tmp
    C:\Program Files\InterActual\InterActual Player\iti11A.tmp
    C:\Program Files\InterActual\InterActual Player\iti5.tmp
    C:\Program Files\InterActual\InterActual Player\itiE94.tmp
    C:\WINDOWS\SoftwareDistribution\Download\0e6ee542bb81cc5c1fbb79d198834044\BIT315.tmp
    C:\WINDOWS\SoftwareDistribution\Download\10f6872bbc91a277e1a9f6fed17525ba\BIT30C.tmp
    C:\WINDOWS\SoftwareDistribution\Download\11eded56040c785d0ff52416c366af53\BIT314.tmp
    C:\WINDOWS\SoftwareDistribution\Download\4c3676a8145aee7e1ea794fa1e50e6bf\BIT319.tmp
    C:\WINDOWS\SoftwareDistribution\Download\4ca5381cea75c98dd956a9691c8f1c12\BIT31B.tmp
    C:\WINDOWS\SoftwareDistribution\Download\4f4012d60daff369f73873817164328b\BIT31A.tmp
    C:\WINDOWS\SoftwareDistribution\Download\593bc0272fabed3da034dde959849fa9\BIT30E.tmp
    C:\WINDOWS\SoftwareDistribution\Download\7b54c086d9ae8ce3b29fcbc7dddec38f\BIT317.tmp
    C:\WINDOWS\SoftwareDistribution\Download\a0d45ac61d8a7a5b7faa78852c46bf15\BIT30F.tmp
    C:\WINDOWS\SoftwareDistribution\Download\a3869efa0d3e8744e961775b25e8099a\BIT30A.tmp
    C:\WINDOWS\SoftwareDistribution\Download\a73abc65ce0d33fa60b170a8ada4d464\BIT313.tmp
    C:\WINDOWS\SoftwareDistribution\Download\ab3ff7345e588ae6b96775dfd8c062ed\BIT311.tmp
    C:\WINDOWS\SoftwareDistribution\Download\b234e51e35f39f3a1bb774adbe7a4861\BIT30D.tmp
    C:\WINDOWS\SoftwareDistribution\Download\b71aca7a08a5fe27ac1f8793ff9b70cf\BIT312.tmp
    C:\WINDOWS\SoftwareDistribution\Download\c6ed553083a5bb50490a26156e4740cb\BIT30B.tmp
    C:\WINDOWS\SoftwareDistribution\Download\ca5637d04d95ed9d000d812508931a7b\BIT316.tmp
    C:\WINDOWS\SoftwareDistribution\Download\dbb0845a5e7327f0f30f61e848a77bc6\BIT318.tmp
    C:\WINDOWS\SoftwareDistribution\Download\ea93b93bbf29dfac364f53b1b4ed5d66\BIT310.tmp
    C:\WINDOWS\Temp\bwxdh7ts.TMP
    C:\WINDOWS\Temp\g0j9fmhe.TMP

    Add/Remove Programs List:

    Abacast Client
    Acoustica CD/DVD Label Maker
    Ad-Aware SE Personal
    Adobe Photoshop 7.0
    Adobe Download Manager 1.2 (Remove Only)
    AnswerWorks Runtime
    avast! Antivirus
    BitTorrent 4.26.0
    S800
    Celestia 1.4.1
    Continuum 0.39
    Corel Applications
    DAZzle
    DC++ 0.689
    Microsoft Windows XP Video Decoder Checkup Utility
    Doyles Room Poker
    DVD Decrypter (Remove Only)
    DVD Decrypter 3.2.1.0 Fr
    DVD Shrink 3.2
    DVDFab Decrypter 3.0.5.5
    DVDFab Express 2.9.7.7
    DVDFab Platinum 2.70
    dvdSanta 4.00
    DYMO Label Software
    G-Zapper v1.43
    Good Keywords v2.0.070305
    HijackThis 1.99.1
    Hollywood FX GOLD
    HP Image Zone 4.0
    Microsoft Internationalized Domain Names Mitigation APIs
    Windows Internet Explorer 7
    Quicken 2005
    iTunes
    Turbo Lister 2
    QuickTime
    InterActual Player
    Macromedia Shockwave Player
    Microsoft .NET Framework 2.0
    Microsoft .NET Framework 3.0
    mIRC
    Mozilla Firefox (2.0.0.1)
    Mozilla Thunderbird (1.5)
    MS Access 97 SP2
    Microsoft Compression Client Pack 1.0 for Windows XP
    MSN Music Assistant
    Nero 6 Ultra Edition
    Microsoft National Language Support Downlevel APIs
    NVIDIA Display Driver
    NVIDIA Drivers
    PokerStars
    RealPlayer
    Shockwave
    Adobe Flash Player 9 ActiveX
    Tiger Woods 99 PGA TOUR Golf
    Windows Imaging Component
    Windows XP Service Pack 2
    WinRAR archiver
    WinZip
    Westwood Shared Internet Components
    Ipswitch WS_FTP Pro
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    XML Paper Specification Shared Components Pack 1.0
    XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME)
    Yahoo! Toolbar
    Yahoo! Browser Services
    Yahoo! Internet Mail
    Yahoo! Music Jukebox
    Yahoo! Toolbar
    Yahoo! Install Manager
    Zelda Classic 2.10w
    ZoneAlarm
    Macromedia Dreamweaver MX 2004
    Microsoft Codename Max
    Adobe Premiere Pro
    Adobe Photoshop Album 2.0 Starter Edition
    HP Software Update
    AutoUpdate
    Scan
    HP Diagnostic Assistant
    Overland
    Windows Communication Foundation
    Rio Music Manager
    CreativeProjects
    ProntoEdit 4
    Quicken 2005
    WPF v3.0.6715.0
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    J2SE Runtime Environment 5.0 Update 11
    OverDrive Media Console
    Copy
    HPSystemDiagnostics
    Google Earth
    DAEMON Tools
    Unload
    Rio Taxi
    Rio Internet Update
    GdiplusUpgrade
    iTunes
    Turbo Lister 2
    Microsoft .NET Framework 2.0
    DivX Converter
    DivX
    Windows Workflow Foundation
    HP Scanjet 4070
    Microsoft .NET Framework 3.0
    QFolder
    America's Army
    DivX Player
    hpg4070
    URGE
    InterVideo WinDVD Recorder
    Microsoft Office XP Professional with FrontPage
    Microsoft Office Excel Viewer 2003
    Microsoft Office Word Viewer 2003
    Microsoft Office PowerPoint Viewer 2003
    SkinsHP1
    QuickProjects
    PrintScreen
    PhotoGallery
    Microsoft Visual C++ 2005 Redistributable
    Macromedia Extension Manager
    Baby Einstein Baby Newton Fun With Shapes
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Acrobat and Reader 6.0.3 Update
    Adobe Reader 6.0.1
    SellerHawk
    DivX Converter
    DocProc
    Director
    CreativeProjectsTemplates
    InstantShare
    TrayApp
    QuickTime
    Microsoft .NET Framework 1.1
    Adobe Encore DVD 1.0
    Destinations
    WebReg
    Realtek AC'97 Audio
    CueTour

    Finished
     
  6. Sylenser

    Thank you,


    I really appreciate it.


    Ron
     
  7. KotaGuy

    I need you to post the contents of rdriv.txt and a new HijackThis log please.
     
  8. Sylenser

    Logfile of HijackThis v1.99.1
    Scan saved at 9:59:47 AM, on 2/21/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\RioMSC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Microsoft Codename Max\max.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Envelope Manager\DAZzle\DAZZLE.EXE
    C:\Documents and Settings\Ron.DESKTOP\Desktop\HijackThis_v1.99.1.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yme/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Microsoft Codename Max] "C:\Program Files\Microsoft Codename Max\max.exe" /systray
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVD4PR\WinScheduler.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Doyles Room Poker - {40B2063F-DB01-4962-BE63-59435C01283C} - C:\PROGRA~1\DOYLES~1\client.exe
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe


    RDrivRem Log 8:19:06.48 Tue 02/20/2007


    ~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

    windowsupdates.exe present!


    ~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

     
  9. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    Your logs look good :)

    How is your PC behaving?
     
  10. Sylenser

    Sylenser Member

    Joined:
    Nov 6, 2004
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    11
    Behaving great. I am going to get a network hard drive and back everything up, then do a complete clean boot with Vista I think.


    I really appreciate the help.


    Ron
     
  11. KotaGuy

    KotaGuy Regular member

    Joined:
    Feb 14, 2007
    Messages:
    485
    Likes Received:
    0
    Trophy Points:
    26
    OK... just a couple things if you don't get to installing Vista within the next few weeks or so.

    From your Add/Remove Programs list... you can uninstall the following:

    AutoUpdate (This is a known Malware/Adware Bundler)
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    (Older versions of Java if left installed can be exploited)

    You can also fix these with HijackThis:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customiz.../search/ie.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com


    Nothing really bad... those take you to the proper page... just by way of a click through engine... a money maker thing.

    I also suggest installing a Firewall if you aren't using one (don't see any evidence of one in your logs). ZoneAlarm or Comodo Firewall are a couple good free ones.

    Though XP has a built in Firewall... it only filters incoming traffic and not outgoing traffic.
     
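A small triage helper, added here as an example (it is not from the thread, the poster, or HijackThis itself), that applies the two rules from the post above to constructed lines shaped like the entries in this log: anything whose target is "(file missing)" is an orphaned entry, and R0/R1 home/search-page entries served through a host other than the one the user actually intends are click-through redirects worth fixing. The EXPECTED_HOSTS set and the sample lines are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines, shaped like the HijackThis entries quoted in this thread.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customiz.../search/ie.html",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
]

# Hosts the user really wants as home page / search bar (assumed; edit to taste).
EXPECTED_HOSTS = {"www.yahoo.com", "www.google.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")


def parse_entry(line):
    """Split one HijackThis line into its section code (R0, O4, O23 ...) and body."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(lines):
    """Return (section, reason, line) tuples for entries worth a second look."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        # Rule 1: the registered target no longer exists, so the entry is a leftover.
        if body.endswith("(file missing)"):
            findings.append((section, "orphaned entry: target file no longer exists", line))
        # Rule 2: home/search page reached through an intermediary host, not the site itself.
        if section in ("R0", "R1"):
            m = URL_RE.search(body)
            host = urlparse(m.group("url")).hostname if m else None
            if host not in EXPECTED_HOSTS:
                findings.append((section, f"home/search page served via unexpected host {host!r}", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LINES):
        print(f"{section}: {reason}\n    {line}")
```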