Please help. This is what i got on HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:49 PM, on 3/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\password_viewer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\Hcontrol.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\System32\khooker.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe,password_viewer.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program

Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program

Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM..\Run: [Hcontrol] C:\WINDOWS\ATK0100\Hcontrol.exe
O4 - HKLM..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM..\Run: [Power_Gear] C:\Progra~1\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU..\Run: [Aim6] “C:\Program Files\AIM6\aim6.exe” /d locale=en-US ee://aol/imApp
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU..\Run: [Advanced SystemCare 3] “C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe”

/startup
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting]

“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [DWQueuedReporting]

“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘Default user’)
O4 - Startup: Skyscape SmartUpdate.lnk = C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
O4 - Global Startup: Hotkey.lnk = C:\Program Files\Asus\ASUS Hotkey\Hotkey.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program

Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft

ActiveSync\INetRepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -

C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program

Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com.tw
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -

http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -

http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program

Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125626185031
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -

http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip..{02160E49-DFB8-4376-81C4-3DFFADA467A5}: NameServer =

202.57.125.1,202.57.125.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil

Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program

Files\Viewpoint\Common\ViewpointService.exe

–
End of file - 9759 bytes

c:\windows\paswword_viewer.exe is a virus…

An analysis of your HJT log shows the following :

We didn’t detect any active process of a firewall on your system. Reasons maybe:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

The entries below were rated either questionable or BAD :

C:\WINDOWS\password_viewer.exe
BAD entry that is Worm/Cloaked Malware.
http://spywarefiles.prevx.com/RRAFDD044198751/PASSWORD_VIEWER.EXE.html

C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
Questionable entry that should be OK. Related to medical reference software for Palm OS.
http://www.file.net/process/smartupdate.exe.html
http://www.threatexpert.com/files/smartupdate.exe.html

[b]http://go.microsoft.com/fwlink/?LinkId=69157[/b]
Questionable entry that should be OK. Related to Windows Malicious Software Removal Tool.
http://smallprint.netzoo.net/annotated-windows-malicious-software-removal-tool-eula/

Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
BAD entry that should be fixed - adware/spyware that delivers pop-up ads.
http://www.spyany.com/files/W6BAR_dll.html
http://www.what-is-exe.com/filenames/w6bar-dll.html

O4 - Startup: Skyscape SmartUpdate.lnk = C:\Program Files\Common Files\Skyscape\SmartUpdate.exe
Questionable entry that should be OK. Related to medical reference software for Palm OS.
http://www.file.net/process/smartupdate.exe.html
http://www.threatexpert.com/files/smartupdate.exe.html

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -
BAD entry that should be fixed but some consider this a useful nuisance.
http://www.spyandseek.com/Search.php?search_for=AF6CABAB-61F9-4f12-A198-B7D41EF1CB52&search=SAS-Search
http://www.pchell.com/support/weatherbug.shtml

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
BAD entry that should be fixed but some consider this a useful nuisance.
http://www.auditmypc.com/process/weather.asp
http://www.threatexpert.com/files/weather.exe.html

[b]O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com/Java/cfs40320.cab[/b]
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
BAD entry that should be fixed.
http://www.spyandseek.com/Search.php?search_for=15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6&search=SAS-Search

[b]http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab[/b]
BAD entry that should be fixed. Related to the above 016 entry.
http://www.spyandseek.com/Search.php?search_for=15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6&search=SAS-Search

[b]http://go.microsoft.com/fwlink/?linkid=39204[/b]
Questionable entry that should be OK. Related to Windows Malicious Software Removal Tool.
http://smallprint.netzoo.net/annotated-windows-malicious-software-removal-tool-eula/

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) -
[b]http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?[/b]
BAD entries that should be fixed but some consider this a useful nuisance.
http://www.spyandseek.com/Search.php?search_for=2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C&search=SAS-Search
http://www.threatexpert.com/report.aspx?md5=5cb0279bc8b35d99e79764293d279c85

[b]O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab[/b]
Both of the above are related to McAfee (and/or AOL av) - not completely removed.
http://www.spyandseek.com/Search.php?search_for=4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21&search=SAS-Search

O17 - HKLM\System\CCS\Services\Tcpip..{02160E49-DFB8-4376-81C4-3DFFADA467A5}: NameServer = 202.57.125.1,202.57.125.2
Do you know the IP or Domain ‘’? If not, fix this entry. Might be your ISP but please check to be sure.

Files\Viewpoint\Common\ViewpointService.exe
Usually installed with AOL. Adware that displays contextual advertisements.
http://www.spyany.com/files/viewpointservice_exe.html
http://www.backgroundtask.eu/Systeemtaken/Taakinfo.php?ID=11903
http://www.exe-error-fixes.com/disable-remove-viewpointserviceexe/

There were several other questionable entries but my reasearch showed they were valid entries and of no harm.

Thanks! I think I got it fixed

You are welcome, ChemMD. I am glad to have helped and glad that you got it fixed.

About the autorun.inf, let your USB drive plugged and run Autorun Eater or Flash Disinfector, allowing them to clean up all drives. They would create hidden folders named autorun.inf in each partition and every USB drive plugged in when you ran it. These folders protect your drives from future infection. After that, reboot your computer.

I too can confirm your Flash Disinfection link isn’t working 404, this link gives information on how to run it and there is a link on the page to a mirror site (bleepingcomputers) that does work, http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/.

Or direct, http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe link to the mirror download site.

Ok, I changed my canned text.
But, again, I could download it without problem with the link I’ve gave it. I’m using Firefox, with NoScript, and immunization from SpyBot and SpywareBlaster.

Snap same firefox, same noscript (site allowed), same spywareblaster, no spybot, no page displayed. Scythe944 can’t connect to it either.

Update: Tried IE pasting the link in directly and Orbit downloader kicked in and tried to download but the download failed.

I won’t fight for a link. I’ve already changed it.
I’ve tested and downloaded twice using the ‘old’ link anyway…

I went to transfer a file from my laptop to my desktop via my flash drive. I plugged it into my laptop and it came up with a BV:Malware-gen virus and said the file name was f:\autorun.inf. I unplugged the flash drive from my laptop and tried it in my desktop. Thing is, nothing came up. Not even the same message. I have my options on my flash drive set up to view all hidden files. But I still don’t get anything. Why would it be showing up on my laptop and not on my desktop, and what is this Malware virus anyways? Could someone please give me some insight here. I would really appreciate it.

Thanks,
C Helton

Last post in this tread 2 april 2009 …and http://forum.avast.com/index.php?topic=54389.0