about:blank

My default page in IE keeps getting changed to about:blank and I get a message in that page that I am infected with a virus. Have run Ewido, SmitRem, Full Avast Scan, CWShredder.exe, AdAware, Spybot. UGHH!!! Please Help!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:19:37 PM, on 4/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Geoff\Desktop\spy-remove\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wbap.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp9DF5.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144717459421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144717452031
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

PS: Here is my Task Manager:

System Information report written at: 04/30/06 15:34:40

System Name: PTOOLS2006

[Running Tasks]

Name Path Process ID Priority Min Working Set Max Working Set Start Time Version Size File Date

system idle process Not Available 0 0 Not Available Not Available Not Available Not Available Not Available Not Available

system Not Available 4 8 0 1413120 Not Available Not Available Not Available Not Available

smss.exe c:\windows\system32\smss.exe 540 11 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 49.50 KB (50,688 bytes) 8/10/2004 12:51 PM

csrss.exe Not Available 596 13 Not Available Not Available 4/30/2006 3:20 PM Not Available Not Available Not Available

winlogon.exe c:\windows\system32\winlogon.exe 620 13 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 490.50 KB (502,272 bytes) 8/10/2004 12:51 PM

services.exe c:\windows\system32\services.exe 664 9 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 105.50 KB (108,032 bytes) 8/10/2004 12:51 PM

lsass.exe c:\windows\system32\lsass.exe 676 9 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 13.00 KB (13,312 bytes) 8/10/2004 12:51 PM

svchost.exe c:\windows\system32\svchost.exe 828 8 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 14.00 KB (14,336 bytes) 8/10/2004 12:51 PM

svchost.exe Not Available 908 8 Not Available Not Available 4/30/2006 3:20 PM Not Available Not Available Not Available

svchost.exe c:\windows\system32\svchost.exe 1000 8 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 14.00 KB (14,336 bytes) 8/10/2004 12:51 PM

svchost.exe Not Available 1060 8 Not Available Not Available 4/30/2006 3:20 PM Not Available Not Available Not Available

svchost.exe Not Available 1244 8 Not Available Not Available 4/30/2006 3:20 PM Not Available Not Available Not Available

spoolsv.exe c:\windows\system32\spoolsv.exe 1412 8 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519) 56.50 KB (57,856 bytes) 8/10/2004 12:51 PM

aswupdsv.exe c:\program files\alwil software\avast4\aswupdsv.exe 1548 8 204800 1413120 4/30/2006 3:20 PM Not Available 52.00 KB (53,248 bytes) 4/10/2006 11:45 PM

ashserv.exe c:\program files\alwil software\avast4\ashserv.exe 1580 13 204800 1413120 4/30/2006 3:20 PM 4, 7, 824, 0 100.05 KB (102,448 bytes) 4/10/2006 11:45 PM

mmerefresh.exe c:\program files\digidesign\drivers\mmerefresh.exe 1760 8 204800 1413120 4/30/2006 3:20 PM 6.4.0.138 44.00 KB (45,056 bytes) 4/10/2006 8:31 PM

wdfmgr.exe Not Available 1820 8 Not Available Not Available 4/30/2006 3:20 PM Not Available Not Available Not Available

explorer.exe c:\windows\explorer.exe 344 8 204800 1413120 4/30/2006 3:20 PM 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) 1,008.00 KB (1,032,192 bytes) 8/10/2004 12:51 PM

ashmaisv.exe c:\program files\alwil software\avast4\ashmaisv.exe 1220 8 204800 1413120 4/30/2006 3:20 PM 4, 7, 824, 0 240.05 KB (245,808 bytes) 4/10/2006 11:45 PM

wscntfy.exe c:\windows\system32\wscntfy.exe 1116 8 204800 1413120 4/30/2006 3:20 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 13.50 KB (13,824 bytes) 8/10/2004 12:51 PM

ashwebsv.exe c:\program files\alwil software\avast4\ashwebsv.exe 1368 8 204800 1413120 4/30/2006 3:20 PM 4, 7, 800, 0 356.05 KB (364,592 bytes) 4/10/2006 11:45 PM

alg.exe Not Available 1460 8 Not Available Not Available 4/30/2006 3:20 PM Not Available Not Available Not Available

dcomcfg.exe c:\windows\system32\dcomcfg.exe 156 8 204800 1413120 4/30/2006 3:21 PM Not Available 16.05 KB (16,440 bytes) 4/29/2006 12:55 PM

jusched.exe c:\program files\java\j2re1.4.2_03\bin\jusched.exe 508 8 204800 1413120 4/30/2006 3:21 PM Not Available 32.11 KB (32,881 bytes) 11/19/2003 4:48 PM

dvdlauncher.exe c:\program files\cyberlink\powerdvd\dvdlauncher.exe 272 8 204800 1413120 4/30/2006 3:21 PM 3.00.0000 52.00 KB (53,248 bytes) 4/3/2006 10:02 PM

ashdisp.exe c:\progra~1\alwils~1\avast4\ashdisp.exe 480 8 204800 1413120 4/30/2006 3:21 PM 4, 7, 817, 0 100.05 KB (102,448 bytes) 4/10/2006 11:45 PM

mmtask.exe c:\program files\musicmatch\musicmatch jukebox\mmtask.exe 252 8 204800 1413120 4/30/2006 3:21 PM 9.0.0.1 52.00 KB (53,248 bytes) 4/27/2006 3:12 AM

mssysmgr.exe c:\progra~1\nero\data\xtras\mssysmgr.exe 1976 8 204800 1413120 4/30/2006 3:21 PM 1.0.1.0 208.00 KB (212,992 bytes) 11/11/2004 7:50 PM

svchost.exe c:\windows\system32\svchost.exe 2120 8 204800 1413120 4/30/2006 3:21 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 14.00 KB (14,336 bytes) 8/10/2004 12:51 PM

svchost.exe c:\windows\system32\svchost.exe 2228 8 204800 1413120 4/30/2006 3:21 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 14.00 KB (14,336 bytes) 8/10/2004 12:51 PM

iexplore.exe c:\program files\internet explorer\iexplore.exe 3056 8 204800 1413120 4/30/2006 3:30 PM 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) 91.00 KB (93,184 bytes) 8/10/2004 1:02 PM

helpctr.exe c:\windows\pchealth\helpctr\binaries\helpctr.exe 3228 8 204800 1413120 4/30/2006 3:30 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 750.50 KB (768,512 bytes) 8/10/2004 1:02 PM

helpsvc.exe c:\windows\pchealth\helpctr\binaries\helpsvc.exe 3336 8 204800 1413120 4/30/2006 3:30 PM 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) 726.50 KB (743,936 bytes) 8/10/2004 1:02 PM

wmiprvse.exe Not Available 3736 8 Not Available Not Available 4/30/2006 3:34 PM Not Available Not Available Not Available

And My Services

System Information report written at: 04/30/06 15:36:41
System Name: PTOOLS2006
[Services]

Display Name Name State Start Mode Service Type Path
Adobe LM Service Adobe LM Service Stopped Manual Own Process c:\program files\common files\adobe systems shared\service\adobelmsvc.exe
Alerter Alerter Stopped Disabled Share Process c:\windows\system32\svchost.exe -k localservice
Application Layer Gateway Service ALG Running Manual Own Process c:\windows\system32\alg.exe
Application Management AppMgmt Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
ASP.NET State Service aspnet_state Stopped Manual Own Process c:\windows\microsoft.net\framework\v1.1.4322\aspnet_state.exe
avast! iAVS4 Control Service aswUpdSv Running Auto Own Process c:\program files\alwil software\avast4\aswupdsv.exe
Windows Audio AudioSrv Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
avast! Antivirus avast! Antivirus Running Auto Own Process c:\program files\alwil software\avast4\ashserv.exe
avast! Mail Scanner avast! Mail Scanner Running Manual Own Process c:\program files\alwil software\avast4\ashmaisv.exe /service
avast! Web Scanner avast! Web Scanner Running Manual Own Process c:\program files\alwil software\avast4\ashwebsv.exe /service
Background Intelligent Transfer Service BITS Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Computer Browser Browser Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Indexing Service CiSvc Stopped Manual Share Process c:\windows\system32\cisvc.exe
ClipBook ClipSrv Stopped Disabled Own Process c:\windows\system32\clipsrv.exe
COM+ System Application COMSysApp Stopped Manual Own Process c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235}
Cryptographic Services CryptSvc Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
DCOM Server Process Launcher DcomLaunch Running Auto Share Process c:\windows\system32\svchost -k dcomlaunch
DHCP Client Dhcp Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Digidesign MME Refresh Service DigiRefresh Running Auto Share Process c:\program files\digidesign\drivers\mmerefresh.exe -s
Logical Disk Manager Administrative Service dmadmin Stopped Manual Share Process c:\windows\system32\dmadmin.exe /com
Logical Disk Manager dmserver Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
DNS Client Dnscache Running Auto Share Process c:\windows\system32\svchost.exe -k networkservice
Error Reporting Service ERSvc Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Event Log Eventlog Running Auto Share Process c:\windows\system32\services.exe
COM+ Event System EventSystem Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
ewido security suite control ewido security suite control Stopped Disabled Own Process c:\program files\ewido anti-malware\ewidoctrl.exe
Fast User Switching Compatibility FastUserSwitchingCompatibility Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Fax Fax Stopped Auto Own Process c:\windows\system32\fxssvc.exe
Help and Support helpsvc Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Human Interface Device Access HidServ Stopped Disabled Share Process c:\windows\system32\svchost.exe -k netsvcs
HTTP SSL HTTPFilter Running Manual Share Process c:\windows\system32\svchost.exe -k httpfilter
IMAPI CD-Burning COM Service ImapiService Stopped Manual Own Process c:\windows\system32\imapi.exe
Server lanmanserver Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Workstation lanmanworkstation Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
TCP/IP NetBIOS Helper LmHosts Running Auto Share Process c:\windows\system32\svchost.exe -k localservice
Macromedia Licensing Service Macromedia Licensing Service Stopped Disabled Own Process c:\program files\common files\macromedia shared\service\macromedia licensing.exe
Messenger Messenger Stopped Disabled Share Process c:\windows\system32\svchost.exe -k netsvcs
NetMeeting Remote Desktop Sharing mnmsrvc Stopped Manual Own Process c:\windows\system32\mnmsrvc.exe
Distributed Transaction Coordinator MSDTC Stopped Manual Own Process c:\windows\system32\msdtc.exe
Windows Installer MSIServer Stopped Manual Share Process c:\windows\system32\msiexec.exe /v
Network DDE NetDDE Stopped Disabled Share Process c:\windows\system32\netdde.exe
Network DDE DSDM NetDDEdsdm Stopped Disabled Share Process c:\windows\system32\netdde.exe
Net Logon Netlogon Stopped Manual Share Process c:\windows\system32\lsass.exe
Network Connections Netman Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Intel NCS NetService NetSvc Stopped Manual Own Process c:\program files\intel\ncs\sync\netsvc.exe
Network Location Awareness (NLA) Nla Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Pure Networks Net2Go Service nmraapache Stopped Disabled Own Process c:\program files\pure networks\network magic\webserver\bin\nmraapache.exe -k runservice
Pure Networks Network Magic Service nmservice Stopped Disabled Own Process c:\program files\pure networks\network magic\nmsrvc.exe
NT LM Security Support Provider NtLmSsp Stopped Manual Share Process c:\windows\system32\lsass.exe
Removable Storage NtmsSvc Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Office Source Engine ose Stopped Manual Own Process c:\program files\common files\microsoft shared\source engine\ose.exe
Plug and Play PlugPlay Running Auto Share Process c:\windows\system32\services.exe
IPSEC Services PolicyAgent Running Auto Share Process c:\windows\system32\lsass.exe
Protected Storage ProtectedStorage Running Auto Share Process c:\windows\system32\lsass.exe
Remote Access Auto Connection Manager RasAuto Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Remote Access Connection Manager RasMan Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Remote Desktop Help Session Manager RDSessMgr Stopped Manual Own Process c:\windows\system32\sessmgr.exe
Routing and Remote Access RemoteAccess Stopped Disabled Share Process c:\windows\system32\svchost.exe -k netsvcs
Remote Procedure Call (RPC) Locator RpcLocator Stopped Manual Own Process c:\windows\system32\locator.exe
Remote Procedure Call (RPC) RpcSs Running Auto Share Process c:\windows\system32\svchost -k rpcss
QoS RSVP RSVP Stopped Manual Own Process c:\windows\system32\rsvp.exe
Security Accounts Manager SamSs Running Auto Share Process c:\windows\system32\lsass.exe
Smart Card SCardSvr Stopped Manual Share Process c:\windows\system32\scardsvr.exe
Task Scheduler Schedule Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Secondary Logon seclogon Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
System Event Notification SENS Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Windows Firewall/Internet Connection Sharing (ICS) SharedAccess Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Shell Hardware Detection ShellHWDetection Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Print Spooler Spooler Running Auto Own Process c:\windows\system32\spoolsv.exe
System Restore Service srservice Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
SSDP Discovery Service SSDPSRV Running Manual Share Process c:\windows\system32\svchost.exe -k localservice
Windows Image Acquisition (WIA) stisvc Running Manual Share Process c:\windows\system32\svchost.exe -k imgsvc
MS Software Shadow Copy Provider SwPrv Stopped Manual Own Process c:\windows\system32\dllhost.exe /processid:{a445bd1e-49ee-4607-b370-5cca447377c4}
Performance Logs and Alerts SysmonLog Stopped Manual Own Process c:\windows\system32\smlogsvc.exe
Telephony TapiSrv Running Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
Terminal Services TermService Running Manual Share Process c:\windows\system32\svchost -k dcomlaunch
Themes Themes Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Distributed Link Tracking Client TrkWks Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Windows User Mode Driver Framework UMWdf Running Auto Own Process c:\windows\system32\wdfmgr.exe
Universal Plug and Play Device Host upnphost Stopped Manual Share Process c:\windows\system32\svchost.exe -k localservice
Uninterruptible Power Supply UPS Stopped Manual Own Process c:\windows\system32\ups.exe
Volume Shadow Copy VSS Stopped Manual Own Process c:\windows\system32\vssvc.exe
WebClient WebClient Running Auto Share Process c:\windows\system32\svchost.exe -k localservice
Windows Management Instrumentation winmgmt Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Portable Media Serial Number Service WmdmPmSN Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs
WMI Performance Adapter WmiApSrv Stopped Manual Own Process c:\windows\system32\wbem\wmiapsrv.exe
Security Center wscsvc Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Automatic Updates wuauserv Stopped Disabled Share Process c:\windows\system32\svchost.exe -k netsvcs
Wireless Zero Configuration WZCSVC Running Auto Share Process c:\windows\system32\svchost.exe -k netsvcs
Network Provisioning Service xmlprov Stopped Manual Share Process c:\windows\system32\svchost.exe -k netsvcs

Hi geoffap,

No active firewall was found on your system or the firewall you use is unknown to us. If you don't use a firewall you should download and install one or activate Windows XP's own one.

Your version of Java is also seriously out of date: you should remove the old version from Add/Remove programs and download the latest version from here:

http://www.java.com/en/download/index.jsp

I would recommend you update all the programs you mention, download a good Firewall like Kerio or Zone Alarm, download the latest version of Java, go off-line, uninstall Java, run scans with all your programs in safe mode (tap F8 while re-booting) then install the latest version of Java and your chosen firewall.

Good luck!

I did download and update all of the programs before running…

I will update Java.

The important thing is to scan then install the firewall on a clean system. The outdated Java may also be exposing you to spyware.

Also check this out, About:Blank Homepage Hijacker Removal Instructions and Help

These entries can be fixed by HijackThis! (The malware files themselves seem to have been deleted by other programs you ran.)

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp9DF5.tmp (file missing)

O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

Hi geoffap,

I would say as well that at the root of your trouble is this;
clear it definitely with HJT:

polonus

Why do you say that Polonus? Castlecops has it as legitimate.

http://castlecops.com/o18list-90.html

Hi FwF,

I have checked that up also and corrected it, haven’t you seen that? Cooperation as usual!

polonus

Very odd… None of the above helped… I did find a program called “SmitfraudFix” that finally did the trick…

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Either way… thanks for the help… I’m guessing a combination of ALL helped.

Logfile of HijackThis v1.99.1
Scan saved at 2:11:52 AM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Geoff\Desktop\spy-remove\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wbap.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144717459421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144717452031
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

Glad to hear you found a solution!

You can have HijackThis fix this entry:

O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)

I am still seeing the warning about no firewall.

A good third-party software firewall is essential even behind a router because it will alert you if malware infects your system and tries to connect out to the internet. If you are not behind a router or a hardware firewall of course, you are wide open to attack without a firewall!
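Added example, not part of the original thread: a Python triage of the `(file missing)` entries that the replies above say HijackThis can fix. It uses abridged lines copied from the logs posted in this thread, cross-checks each flagged path against the log's own running-process list, and lists entries that disappeared between two scans; the function names and verdict labels are assumptions made for illustration.

```python
import re

# Abridged excerpts of two HijackThis logs from this thread
# (lines copied as posted, most lines omitted).
LOG_APR30 = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp9DF5.tmp (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

LOG_MAY01 = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winxtx32 - winxtx32.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.+)$")
# Cut the target at the first file extension so trailing arguments are dropped.
FILE_RE = re.compile(r"^(.*?\.(?:exe|dll|tmp|sys))\b", re.IGNORECASE)
MISSING = "(file missing)"


def parse_log(text):
    """Return (set of running process paths, lowercased; list of entry dicts)."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.lower())
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group(2)
        missing = body.endswith(MISSING)
        if missing:
            body = body[: -len(MISSING)].rstrip()
        # The target file is the last " - " separated field.
        target = body.rsplit(" - ", 1)[-1].strip(' "\u201c\u201d')
        fm = FILE_RE.match(target)
        entries.append({
            "section": m.group(1),
            "line": line,
            "path": fm.group(1) if fm else target,
            "missing": missing,
        })
    return running, entries


def triage_missing(text):
    """Classify every '(file missing)' entry in one log."""
    running, entries = parse_log(text)
    findings = []
    for e in entries:
        if not e["missing"]:
            continue
        if e["path"].lower() in running:
            # The same log shows this file executing, so the flag is
            # contradicted; treated here as a reporting artifact (assumption).
            verdict = "file-is-running"
        else:
            # Registry entry points at a file that is not corroborated
            # anywhere in the log: a leftover worth reviewing.
            verdict = "orphan-candidate"
        findings.append((e["section"], e["path"], verdict))
    return findings


def entries_removed(before, after):
    """Entry lines present in the earlier scan but gone from the later one."""
    later = {e["line"] for e in parse_log(after)[1]}
    return [e["line"] for e in parse_log(before)[1] if e["line"] not in later]


if __name__ == "__main__":
    for section, path, verdict in triage_missing(LOG_MAY01):
        print(f"{section:4} {verdict:17} {path}")
    for line in entries_removed(LOG_APR30, LOG_MAY01):
        print("removed since previous scan:", line)
```

An `orphan-candidate` verdict only means the log does not corroborate the file; whether the entry is safe to fix still depends on identifying the entry itself.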

OK… I ran HJT again and fixed that one… I also activated the Windows Firewall… I am also going to DL Zone Alarm tomorrow… Thanks again!

Logfile of HijackThis v1.99.1
Scan saved at 3:07:31 AM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Corel\Graphics10\Programs\photopnt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Geoff\Desktop\spy-remove\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wbap.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144717459421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144717452031
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

:slight_smile: Hi Geoffap :

Even though you said you ran Ad-Aware, there is no
indication that it is ON your computer, according to your
HijackThis scan(s) that hopefully were NOT run in "Safe
Mode". It is best downloaded from :
www.majorgeeks.com/download506.html .

Regarding the "SmitfraudFix" ; it is the latest "tool" used by
Experts on antispyware forums & they usually ask that its
scan results be posted, so they may be reviewed for how
well it "performed" !?

SmitFraudFix v2.37 Log:

SmitFraudFix v2.37

Scan done at 2:00:22.79, Mon 05/01/2006
Run from C:\Documents and Settings\Geoff\Desktop\spy-remove\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End

HiJackThis in Regular Mode

Logfile of HijackThis v1.99.1
Scan saved at 11:32:18 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MM_TDM~1.EXE
C:\Program Files\coolpro2\coolpro2.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Geoff\Desktop\spy-remove\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wbap.com/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM..\Run: [DVDLauncher] “C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe”
O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [mmtask] “C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144717459421
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144717452031
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

:slight_smile: Hi Geoffap :

I am NOT a HijackThis Expert; however, according to the
info @ http://www.bleepingcomputer.com/startups/IEXPLORE.EXE-2256.html ,
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
appears to be undesirable on your computer. I defer to those
more knowledgeable in this area. It does point out WHY
HijackThis logs should ALWAYS be posted having run the Scan
in “Regular Mode” .

P.S. have you updated your Adobe Acrobat to the latest
7.0.7 ?

Hi Spiritsongs,

Not much wrong with that, only one could consider another alternate browser though. Look here for info on iexplorer.exe:
http://www.liutilities.com/products/wintaskspro/processlibrary/iexplore/
You are right there, only when iexplorer is in the startup folder.
Geoffap could run StartupList to make sure. You can download StartupList 2.01 from here: http://castlecops.com/zx/Merijn/startuplist.zip

Cannot find much in particular here that is undesirable.

polonus
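The distinction drawn in the last reply, between a program that is merely running and one that is launched at startup, can be checked directly against a HijackThis log. The following is an added example, not part of the original thread or of HijackThis itself: it separates the "Running processes" block from the coded entries, reports whether an image name appears in an O4 autostart entry, and lists entries marked "(file missing)". The function names and the shortened sample log (built from lines posted in this thread) are assumptions made for the illustration.

```python
import re

# Constructed sample: a few lines copied from the logs in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wbap.com/
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O4 - HKLM..\Run: ..."
EXE_NAME = re.compile(r'([^\\/"]+\.exe)', re.I)  # file name after the last backslash

def parse_log(text):
    """Split a log into (running process paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def autostart_images(entries):
    """Lower-cased .exe names launched by O4 (Run key / Startup folder) entries."""
    hits = (EXE_NAME.search(body) for code, body in entries if code == "O4")
    return {m.group(1).lower() for m in hits if m}

def triage(text, image="iexplore.exe"):
    """Report whether `image` is running, whether it autostarts, and dead entries."""
    processes, entries = parse_log(text)
    return {
        "running": any(p.lower().endswith("\\" + image) for p in processes),
        "autostarted": image in autostart_images(entries),
        "file_missing": [c for c, b in entries if b.endswith("(file missing)")],
    }
```

On the sample, `triage(SAMPLE_LOG)` reports IEXPLORE.EXE as running but not autostarted, and flags the O3 Adobe toolbar entry as pointing at a missing file.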