Win32:BHO-R

I am struggling over here!! I really need to be doing something with this trojan … WIN32:BHO-R !!
I have been researching and looking for removal of this pest, but it is too overwhelming for this county gal! I would appreciate a walk-through in smacking this pest !!

So far, what I have done … I have Windows XP installed. - I have upgraded to Avast 4.7. I have scanned thoroughly with a scheduled boot scan in safe mode.
Daily thorough scans with Avast. - I have downloaded and scanned with a-squared Anti-Malware 2.1.
Deleting internet temp files daily (hopefully in the right locations!).

After reading some of these forums (really like your remarks DavidR), it looks like I made a mistake by deleting the viruses in the Avast Chest. I am getting about 25 win32:BHO-R detections daily (with numerous unwanted pop-ups), which are being detected in C:\Docume~1\Owner\LOCALS~1\Temp. And yes, my firewall is up and running.

I have been using Avast for a few years, it’s a wonderful tool, and I have recommended it to others. But, I think we have a new bug here? … I would be grateful for guidance … Marian

Hi MareJordan,

Please run scans with the following:

AVG Anti-Spyware: (Requires Win2000/XP)

http://www.ewido.net/en/

Spybot Search & Destroy:

http://www.safer-networking.org/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Please post a HijackThis! log if none of these works:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Good luck!

Hi MareJordan :

I recommend the FREE version of "SUPERantispyware" available from www.superantispyware.com
instead of "Spybot" since its quality has fallen in recent months.

I have to say my trial of SuperAntiSpyware has come to an end and it is no longer on my system. It froze on two successive scans, totally locking my system. I had to resort to a 5 second press of the power button to force as tidy a shut-down as possible.

I’m now trying Spyware Terminator and my first impressions aren’t favourable; it didn’t give me a warm feeling of security, and I have totally disabled the resident protection to use it as on-demand only. But, delving into its settings, there are many options where it isn’t easy to understand what they might or might not do, and I don’t like that one bit.

Thank you for all the leads into trying to fix my sick computer!! It is taking a very long time to download the softwares, and scanning. I will let you know of the progress later… Again, thank you!!

Hi DavidR :

What "trial" of "SUPERantispyware" were you using, the "Pro" version ? Were you using the
latest ver 3.3 or the prior ver 3.2 ? Did you ask for help on their Support Forums at :
http://forums.superantispyware.com ?

I had been using the free version (just for normal usage no barrage of malware samples) for about a month, can’t recall what version. I reported the problem on the uninstall questionnaire form, but I didn’t take any time to check out the forum.

Ok Everyone!! Update of my progress… :-
I took a 3 hr nap, and got back to this experience of trying to be a real Technician!! It has been a real slow progress of downloading, as this pest [Win32:BHO-R] keeps disturbing me!! He popped up 13 times to say “Hi” to me after the second scan!! Then froze my computer up too!!

What I managed to get done:
Downloaded and scanned with the following:

  1. a-squared Anti-Malware 2.1
  2. AVG Anti-Spyware
  3. Spybot Search & Destroy [spybotsd14.exe]
  4. Ad-Aware SE Personal

Results? That pest is still popping up at me!!

Frank suggested I post a HijackThis! log.. That may be interesting, as I don’t know if I am smart enough to figure that one out!!
I’ll let you know if I need some brain assistance.

Later … Marian

Did you follow all the suggestions posted here?
http://forum.avast.com/index.php?topic=24699.msg205956#msg205956

I am back, still frustrated, sorry… I did take the following suggestion, and Avast is still telling me that it is detecting the virus … win32:BHO-R

Did you follow all the suggestions posted here?
http://forum.avast.com/index.php?topic=24699.msg205956#msg205956

I will try and see if I can do HijackThis. After deleting temp files and scanning with the spyware tools, Avast is still detecting the virus at the beginning of the bootup. It is down to about 5 detections, where it was up to as many as 20 detections before! I must have a root somewhere? … Thanks for the guidance so far … Mare

Try a couple of rootkit scanners:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

http://www.f-secure.com/blacklight/

The link I posted for HijackThis! has some screen shots to help you through posting a log if that fails.

Thanks Frank!!

I did download http://www.freewarefiles.com/downloads_counter.php?programid=22524 and scanned with it. And again, Avast warned me with 3 detections for the "Win32:BHO-R" virus. I can not believe I am having problems getting rid of this one virus!
When I run a scan with Avast, it tells me I have no infections, so supposedly, when I get notified by Avast, I am putting them in the ‘Chest’ and they don’t get recognized during the scan?
The original location they are coming from is: C:\DOCUME~1\Owner\LOCALS~1\Temp . 31 detections just for Nov 29th !

I have linked into HijackThis. I am stuck!! I did download the .exe and the icon is on my desktop.
I am now at the point where I am told to [Start] the program.
I double click on the icon, up pops the [Open File - Security Warning] dialog box, I click on [Run], up pops the [WinZip Self-Extractor - hijackis_sfx.exe] dialog box… Does this tell me that I don’t have WinZip software installed on my computer? ??? Guess I go searching again!!

Logfile of HijackThis v1.99.1
Scan saved at 8:48:46 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM..\Run: [a-squared] “C:\Program Files\a-squared Anti-Malware\a2guard.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner\RCSystemTray.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU..\Run: [DW4] “C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe”
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\ypager.exe” -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.ctctel.com/
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O17 - HKLM\System\CCS\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS1\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

I did it!! Maybe you can help me find out what is bugging me now? I just rebooted, and Avast just warned me with 8 virus detections… all being win32:BHO-R

Well done!

You seem to be running HijackThis! from a temporary folder:

Remember that HijackThis must be run in its own folder. Only if HijackThis runs in its own folder will it create backups!

You need to extract HijackThis! to its own folder.

First go to Control Panel>Add/Remove and uninstall the following programs if found:

UCSearch, SoftwareOnline, MyWebSearch.

EDIT: Disable AVG Anti-Spyware’s monitoring if it is running, so that it does not interfere with HijackThis!:
Right-click the system tray icon and uncheck real time protection.

When you’ve done that, run HijackThis! again and tick the following entries (if they are still there), click on ‘fix’ and reboot:

O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB

UCSearch:

http://www.castlecops.com/atxlist-1362.html

O4 - HKCU..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj

SoftwareOnline:

http://www.liutilities.com/products/wintaskspro/processlibrary/soproc/

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU

MyWebSearch

http://www.pchell.com/support/mywebsearch.shtml

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

(Redundant entries)

I also need you to check one file. Can you please submit this file:

C:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe

to VirusTotal and report if any of the scanners identify it as malware?

http://www.virustotal.com/en/indexf.html

EDIT: I think this may be the CAM UnZip program running from a temporary file. If so you need to install it into its own folder, See Steps to Downloading another choice ZIP Utility Program File here:

http://vcclearns.vcc.ca/html/downloadsftw.html

Good luck!

EDIT:

I also recommend you run the Microsoft MS Java removal tool:

http://www.majorgeeks.com/download4158.html

And then install Sun Java:

http://www.java.com/en/download/index.jsp
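The reply above triages the posted HijackThis log by hand: orphaned O3/O9 entries whose file is missing, an O4 autorun that launches soproc.exe indirectly through rundll32, an O8 context menu item that calls out to mywebsearch, an O16 ActiveX control downloaded from an unfamiliar host, and the tool itself running from a Temp folder. The script below, an added example and not code from this thread or from HijackThis, automates those same checks over log text. The sample log is assembled from lines already posted in the thread; the allow-list of ActiveX hosts, the set of sections treated as "orphaned when the file is missing", and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# A HijackThis entry looks like "O16 - DPF: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

# Hosts the machine owner expects to serve ActiveX controls (O16 lines).
# This allow-list is an assumption for the example, not a HijackThis setting.
KNOWN_DPF_HOSTS = {"download.ewido.net", "toolbar.imageshack.us"}

# Sections where a "(no file)" / "(file missing)" entry is just a leftover
# registration that can be removed; mirrors the entries the reply flags as redundant.
ORPHAN_SECTIONS = {"O2", "O3", "O9"}


@dataclass
class Finding:
    line: str
    reason: str


def parse_entry(line):
    """Split an entry line into (section, body); None for headers and process paths."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def _url_host(text):
    """Return the host of the first http(s) URL in text, or None (file:/// URLs are ignored)."""
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else None


def triage_entry(line):
    """Apply the hand checks from the reply to one entry line."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    sec, body = parsed
    lower = body.lower()
    if sec in ORPHAN_SECTIONS and ("(no file)" in lower or "(file missing)" in lower):
        return Finding(line, "orphaned entry: referenced file is missing")
    if sec == "O4":
        if "rundll32 shell32.dll,shellexec_rundll" in lower:
            return Finding(line, "O4 autorun launches its payload indirectly via rundll32 ShellExec_RunDLL")
        if "\\temp\\" in lower:
            return Finding(line, "O4 autorun points into a Temp folder")
    if sec == "O16":
        host = _url_host(body)
        if host not in KNOWN_DPF_HOSTS:
            return Finding(line, f"O16 ActiveX control downloaded from unrecognised host {host}")
    if sec == "O8":
        host = _url_host(body)
        if host:
            return Finding(line, f"O8 context menu item calls out to {host}")
    return None


def triage_process(path):
    """Flag a running process whose image lives in a Temp folder."""
    if "\\temp\\" in path.lower():
        return Finding(path, "process running from a Temp folder")
    return None


def triage_log(text):
    """Walk a whole log: process paths after 'Running processes:', entries elsewhere."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False      # the process list ends at the first blank line
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        f = triage_process(line) if in_processes else triage_entry(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports six lines: the HijackThis process in Temp, the nameless O3 toolbar, the SOProc O4 autorun, the mywebsearch O8 item, the msjava O9 button and the zuvio O16 control, which is the same set the reply asked to be fixed. The allow-list approach for O16 is deliberate: a control is only as trustworthy as the host it was fetched from, so anything not on the list is surfaced for review rather than silently accepted.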

Wow!! More homework!! But I do thank you Frank, and look at the new knowledge that is being instilled in me!!

Not understanding your statement that HijackThis has its own folder… I do have a HijackThis folder on my desktop, I assume that I can just use it when ready for another scan?

According to your log, it’s running from a temp folder:

C:\DOCUME~1\Owner\LOCALS~1\Temp\HijackThis.exe

Sorry for the lengthy time, the computer is pretty slow now. Every time I reboot, I have to wait for Avast to get done detecting those win32:BHO-R viruses, which average about 8 detections.


Assignments I managed to get done:
UCSearch, SoftwareOnline, MyWebSearch were not located in the Add/Remove listing. I did find and delete the first two using Search, locating them in the files. I could not find MyWebSearch, so I had HijackThis fix it.


Need you to check one file. Can you please submit this file:
C:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe
to VirusTotal and report if any of the scanners identify it as malware?

From: scan@virustotal.com
Date: 11/30/06 09:12:45
To: rdj@pop.ctctel.com
Subject: [VirusTotal] Server notification

Complete scanning result of “cuz.exe”, processed in VirusTotal at 11/30/2006 17:31:37 (CET).

[ file data ]

  • name: cuz.exe
  • size: 1310720
  • md5.: 70fa86d2064a7ccfa53b6a647f9b643f
  • sha1: da5c19747a0e17432973c0ba073f4e1c63c0059d

[ scan result ]
AntiVir 7.2.0.46/20061130 found nothing
Authentium 4.93.8/20061130 found nothing
Avast 4.7.892.0/20061130 found nothing
AVG 386/20061130 found nothing
BitDefender 7.2/20061130 found nothing
CAT-QuickHeal 8.00/20061130 found nothing
ClamAV devel-20060426/20061130 found nothing
DrWeb 4.33/20061130 found nothing
eSafe 7.0.14.0/20061130 found nothing
eTrust-InoculateIT 23.73.72/20061129 found nothing
eTrust-Vet 30.3.3223/20061130 found nothing
Ewido 4.0/20061130 found nothing
F-Prot 3.16f/20061130 found nothing
F-Prot4 4.2.1.29/20061130 found nothing
Fortinet 2.82.0.0/20061130 found nothing
Ikarus 0.2.65.0/20061130 found nothing
Kaspersky 4.0.2.24/20061130 found nothing
McAfee 4907/20061129 found nothing
Microsoft 1.1804/20061130 found nothing
NOD32v2 1892/20061130 found nothing
Norman 5.80.02/20061130 found nothing
Panda 9.0.0.4/20061129 found nothing
Prevx1 V2/20061130 found nothing
Sophos 4.11.0/20061116 found nothing
TheHacker 6.0.3.126/20061129 found nothing
UNA 1.83/20061129 found nothing
VBA32 3.11.1/20061130 found nothing
VirusBuster 4.3.15:9/20061130 found nothing


I did: Run the Microsoft MS Java removal tool.

And then install Sun Java: I was not able to download this program, it was taking way too long. I will try later…

The Hijack Scanning:

Logfile of HijackThis v1.99.1
Scan saved at 1:32:20 PM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM..\Run: [a-squared] “C:\Program Files\a-squared Anti-Malware\a2guard.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner\RCSystemTray.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU..\Run: [DW4] “C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe”
O4 - HKCU..\Run: [Yahoo! Pager] “C:\Program Files\Yahoo!\Messenger\ypager.exe” -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.ctctel.com/
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O17 - HKLM\System\CCS\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS1\Services\Tcpip..{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - “C:\PROGRA~1\MSNMES~1\msgrapp.dll” (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe