This is flagged in Eddy’s analysis tool

THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK WE STRONGLY RECOMMEND TO FIX THEM : -------------------------------------------------------------------------------- o4 - hklm\..\run: [systemtray] systray.exe

This may be a throw back to win98 update to XP possibly but you don’t need it. I remember I had it and thought it was required, Eddy assured me it wasn’t (in XP), I fixed it in HTJ and no problems.

Looks like you could be getting there, just the firewall and windows update.

Here it goes again:

Logfile of HijackThis v1.99.1
Scan saved at 8:26:22 PM, on 2/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip..{86049A1E-CEFD-4C0A-9BF9-ED975FE4C224}: NameServer = 198.164.30.2 198.164.4.2
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Hi,

There is a new one now since your lost log: :

O17 - HKLM\System\CCS\Services\Tcpip..{86049A1E-CEFD-4C0A-9BF9-ED975FE4C224}: NameServer = 198.164.30.2 198.164.4.2

Other then that, its clean.

BTW, what sites are you visiting to get these infections?

-lee

Lee
Thats strange because I usually run HJT offline and go online directly to this site and paste my log. I do not visit anything in between. Anyway here is my most recent log:

Logfile of HijackThis v1.99.1
Scan saved at 1:22:43 PM, on 2/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKCU..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

Hi again Tappy ,

Your hijackthis log is clean

–lee

Thanks again guys!! You have not only helped me but taught me a lot in the process. Firewall and SP2 done!!

my computer is infected with Win32 Trojan-gen and I can not remove it. I just downloaded Hijackthis. how do i save and send a log to be evaluated?

Run it, give a name to the log generated, save it and open into Notepad.
Copy all the contents and post (paste) here…

You can follow the instructions of ‘Cleaning’ in my signature or Eddy’s site (http://members.home.nl/edeijl/acred/cleaning.htm)

I have downloaded hijack this but it wont let me make a log because my adobe acrobat wont read a file that doesnt start with %pdf. Im not sure what to do. Ive tried renaming the file. Still gives me the same response. ???

Pentium 4 1.4 gig
Windows Me
Mozilla Thunderbird
Mozilla Firefox
Sygate Firewall
Avast 4.6 free home edition

This has nothing to do with this thread, please start a new one.

HijackThis has nothing to do with Adobe.
HJT creates its own log file in txt format.

I have downloaded hijack this but it wont let me make a log because my adobe acrobat wont read a file that doesn't start with %pdf.

You can open the hijackthis.log with notepad or any text editor. However when you save the scan to your HDD, hijackthis automatically opens the .log file, usually with notepad.

Is it possible that you have accidently set .log files to be opened by acrobat reader?

Whew! Finally got it saved in wordpad. Heres a list of my problems. Im not really computer savvy as you can tell. Here’s my system specs.

1.4 Pentium 4
Windows Me
Mozilla Firefox
Mozilla Thunderbird mail
Avast 4.6 home ed.
Logfile of HijackThis v1.99.1
Scan saved at 7:27:51 PM, on 3/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\OTAQGT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\CALC.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: sPeerObj Class - {00000026-8735-428D-B81F-DD098223B25F} - C:\WINDOWS\SPEER.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL (file missing)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P22 “EPSON Stylus Photo 825” /O7 “EPUSB1:” /M “Stylus Photo 825”
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM..\Run: [otaqgt] c:\windows\system\otaqgt.exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU..\Run: [Microsoft Works Update Detection] I\WkDetect.exe
O4 - HKCU..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A “C:\WINDOWS\SYSTEM\E_S21E4.TMP”
O4 - HKCU..\RunServices: [Microsoft Works Update Detection] I\WkDetect.exe
O4 - HKCU..\RunServices: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A “C:\WINDOWS\SYSTEM\E_S21E4.TMP”
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\PROGRAM FILES\VISUALROUTE\vrie.dll
O9 - Extra ‘Tools’ menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\PROGRAM FILES\VISUALROUTE\vrie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/093a44fafae236f7d522/netzip/RdxIE601.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/3110/ftp.coupons.com/r31/brix6ie.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {D30CA0FD-1CA0-11D4-AC78-006008A9A8BC} (WebBasedClientInstall Class) - http://duplinschools.net/webinst.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of HijackThis.
You are using the latest version of Internet Explorer.
Software firewall detected.

THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

\program files\common files\wintools\wtoolsa.exe
\program files\common files\wintools\wsup.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.seekerbar.com/ie.aspx?tb_id=50154
r1 - hklm\software\microsoft\internet explorer\main,searchassistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
r3 - urlsearchhook: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o2 - bho: speerobj class - {00000026-8735-428d-b81f-dd098223b25f} - c:\windows\speer.dll
o2 - bho: pctools site guard - {5c8b2a36-3db1-42a4-a3cb-d426709bbfeb} - c:\progra~1\spywar~1\tools\iesdsg.dll (file missing)
o2 - bho: mybar bho - {0494d0d1-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\mybar.dll
o2 - bho: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o3 - toolbar: my &search bar - {0494d0d9-f8e0-41ad-92a3-14154ece70ac} - c:\program files\myway\mybar\1.bin\mybar.dll
o4 - hklm..\run: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe
o4 - hklm..\runservices: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe
o4 - hklm..\runservicesonce: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe /boot
o9 - extra button: (no name) - {cd67f990-d8e9-11d2-98fe-00c0f0318afe} - (no file)
o16 - dpf: {e09f6b38-3a0d-11d3-b5e7-0008c7bf61f2} (detectmn) - http://www.musicnotes.com/download/npmusicn.cab
o16 - dpf: {dbb2de32-61f1-4f7f-beb8-a37f5bc24ee2} (mozillapluginhostctrl class) - http://www.musicnotes.com/download/adaptor.cab
o16 - dpf: {df6a0f17-0b1e-11d4-829d-00c04f6843fe} (microsoft office tools on the web control) - http://dgl.microsoft.com/downloads/outc.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://207.188.7.150/093a44fafae236f7d522/netzip/rdxie601.cab
o16 - dpf: {1954a4b1-9627-4cf2-a041-58aa2045cb35} (brix6ie control) - http://a19.g.akamai.net/7/19/7125/3110/ftp.coupons.com/r31/brix6ie.cab
o16 - dpf: {90c9629e-cd32-11d3-bbfb-00105a1f0d68} (installshield international setup player) - http://www.installengine.com/engine/isetup.cab
o16 - dpf: {d30ca0fd-1ca0-11d4-ac78-006008a9a8bc} (webbasedclientinstall class) - http://duplinschools.net/webinst.cab
o16 - dpf: {9600f64d-755f-11d4-a47f-0001023e6d5a} (shutterfly picture upload plugin) - http://web1.shutterfly.com/downloads/uploader.cab
o16 - dpf: {41f17733-b041-4099-a042-b518bb6a408c} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/quicktimeinstaller.exe
o16 - dpf: {4c39376e-fa9d-4349-bacc-d305c1750ef3} (epuimagecontrol class) - http://tools.ebayimg.com/eps/wl/activex/epuwalcontrol_v1-0-3-9.cab
o16 - dpf: {205ff73b-ca67-11d5-99dd-444553540000} (cinstall class) - http://www.spywarestormer.com/files2/install.cab
o16 - dpf: {fa3662c3-b8e8-11d6-a667-0010b556d978} (iwinampactivex class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hkcu..\run: [microsoft works update detection] i\wkdetect.exe
o4 - hkcu..\run: [epson stylus photo 825] c:\windows\system\e_s10ic2.exe /a “c:\windows\system\e_s21e4.tmp”
o4 - hkcu..\runservices: [microsoft works update detection] i\wkdetect.exe
o4 - startup: exif launcher.lnk = c:\program files\finepixviewer\quickdcf.exe
o4 - startup: office startup.lnk = c:\program files\microsoft office\office\osa.exe

WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

\windows\system\otaqgt.exe
o4 - hklm..\run: [otaqgt] c:\windows\system\otaqgt.exe

Thanks for your help!! I still have a stupid question to ask. If I remove all of those files with hijackthis, Do I need to have a back up disk to replace the windows files that are infected?

No, because all the files my HJT log analyzer tells you to fix are NOT part of windows.

Ive attempted to remove the files you listed with hijackthis and the worm is still on there. I have disabled system restore should I try hijack this again in safe mode. Here is the scan log after I used hijackthis. Sorry for being such a newb. :-\

Logfile of HijackThis v1.99.1
Scan saved at 9:30:45 PM, on 3/5/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\OTAQGT.EXE
C:\WINDOWS\PACKAGER.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P22 “EPSON Stylus Photo 825” /O7 “EPUSB1:” /M “Stylus Photo 825”
O4 - HKLM..\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM..\Run: [otaqgt] c:\windows\system\otaqgt.exe
O4 - HKLM..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU..\Run: [Microsoft Works Update Detection] I\WkDetect.exe
O4 - HKCU..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /A “C:\WINDOWS\SYSTEM\E_S21E4.TMP”
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: EPSON CardMonitor.lnk = C:\Program Files\epson\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll

Remove Wintools, that is the major part of the culprit.

THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

\program files\common files\wintools\wtoolsa.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.seekerbar.com/ie.aspx?tb_id=50154
r1 - hklm\software\microsoft\internet explorer\main,searchassistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r3 - urlsearchhook: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o2 - bho: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o4 - hklm..\run: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe
o4 - hklm..\runservices: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe
o4 - hklm..\runservicesonce: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe /boot

HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hkcu..\run: [microsoft works update detection] i\wkdetect.exe
o4 - hkcu..\run: [epson stylus photo 825] c:\windows\system\e_s10ic2.exe /a “c:\windows\system\e_s21e4.tmp”
o4 - startup: exif launcher.lnk = c:\program files\finepixviewer\quickdcf.exe
o4 - startup: office startup.lnk = c:\program files\microsoft office\office\osa.exe

Hello, I am new to this forum… I been having a problem since last night and I see u guys are talking about the problem here… So I was hoping I can get help here, I have having the win 32 Trojan-Gen problem and when it comes to PC … well lets say it took me two days to work my new car radio :-X … So I am going to try to do this… I noticed U guys said to get hijack so I did … And here is the log for that … I am unsure what else I can do since nothing so far I have tried has worked… Friends have tried to help me but seems to be a big blonde moment for them all… Please help…

Logfile of HijackThis v1.99.1
Scan saved at 12:10:30 PM, on 3/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ufjvbfj.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\odtoice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Documents and Settings\Owner\Desktop\stinger.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
http://www.superwebsearch.com/ie/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://google.icq.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.superwebsearch.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
http://www.superwebsearch.com/ie/
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} -
(no file)
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} -
(no file)
O2 - BHO: MyWebSearch Search Assistant BHO -
{00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program
Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program
Files\CxtPls\cxtpls.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program
Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} -
C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} -
C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program
Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program
Files\NetZero\Toolbar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program
Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} -
C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common
Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe”
-atboottime
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [7f4t] C:\WINDOWS\ufjvbfj.exe
O4 - HKLM..\Run: [AutoUpdater] “C:\Program Files\AutoUpdate\AutoUpdate.exe”
O4 - HKLM..\Run: [=°ÜZMÝYMÚlY«V°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe]
C:\WINDOWS\ufjvbfj.exe
O4 - HKLM..\Run: [WebRebates0] “C:\Program
Files\Web_Rebates\WebRebates0.exe”
O4 - HKLM..\Run: [036P39g] odtoice.exe
O4 - HKLM..\RunOnce: [Ad-aware] “C:\Program Files\Lavasoft\Ad-aware
6\Ad-aware.exe” “+b1”
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program
Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} -
C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Login -
{2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger -
{4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM95\aim.exe
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} -
C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite -
{B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program
Files\ICQLite\ICQLite.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX
Class) -
http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) -
http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. -
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil
Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America
Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Hi & welcome SwtIndira,

THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} -
o2 - BHO: MyWebSearch Search Assistant BHO -
o2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program
o2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program
o2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} -
o2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN
o2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program
o3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} -
o4 - HKLM..\Run: [AutoUpdater] “C:\Program Files\AutoUpdate\AutoUpdate.exe”
o4 - HKLM..\Run: [=°ÜZMÝYMÚlY«V°aÆ+À¼C:\Program Files\ISTsvc\istsvc.exe]
o4 - HKLM..\Run: [7f4t] C:\WINDOWS\ufjvbfj.exe
o4 - HKLM..\Run: [WebRebates0] “C:\Program Files\Web_Rebates\WebRebates0.exe”
o4 - HKLM..\Run: [036P39g] odtoice.exe
o16 - dpf: {0e5f0222-96b9-11d3-8997-00104bd12d94} (pcpitstop utility) -
o16 - dpf: {1d6711c8-7154-40bb-8380-3dea45b69cbf} (web p2p installer) -
o16 - dpf: {2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (minibugtransporterx
o16 - dpf: {9732fb42-c321-11d1-836f-00a0c993f125} (mhlabel class) -
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff}
o16 - dpf: {b9191f79-5613-4c7-aa2a-398534bb8999} (yaddbook class) -
o23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

Then open taskmanager (Alt + Ctrl + Del) then click ‘preocesses’ tab at the top, and kill these processes (if there):

ufjvbfj.exe
odtoice.exe
WebRebates1.exe
msnappau.exe
WebRebates0.exe

Then delete these files:

C:\WINDOWS[b]ufjvbfj.exe[/b]
C:\WINDOWS\SYSTEM32[b]YPCSER~1.EXE[/b]

Then delete these folders:

C:\Program Files[b]Web_Rebates[/b]
C:\Program Files[b]MSN Apps[/b]

Then go here and run download and run these scanners/steps: http://members.home.nl/edeijl/ache/cleaning.htm

The main ones to use are Ad-Aware, Spybot, Avast and CWshredder, however there are some other steps there that you may want to try (such as the system resote one).
But don’t use the AVG scanner as it will conflict with Avast.

Then delete all temp files, therer is alot so i suggest you use ccleaner to remove them (http://www.filehippo.com/download_ccleaner.html)

Also i don’t see any firewall running, if your not using a hardware one (normally inside a router) then i suggest you download a software one, a good one can be found here: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe

Then reboot your system and redo and repost your hijackthis log.

P.S. i release there are alot of steps there, but there needed to remove all that malware etc infecting your system, take your time no need to rush, come back if you need help.

–lee

Thank you so much! … i will get started on that now and try not to blow up my pc … with me u never know

Indy