
Help me!! My Hijack log....

Discussion in 'Malware and Virus Removal Archive' started by annabanana973, 2007/01/02.

  1. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    I didn't know how to start a new thread, so just posted here. I hope someone can help me!!!

    Logfile of HijackThis v1.99.1
    Scan saved at 7:25:50 AM, on 1/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    E:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\WINDOWS\system32\tccpip.exe
    C:\Program Files\Common Files\{6831F5EA-0960-1033-0430-020624030001}\Update.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\WINDOWS\system32\notepad.exe
    C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
    E:\WINDOWS\system32\dwwin.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
    R3 - URLSearchHook: (no name) - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - (no file)
    R3 - URLSearchHook: (no name) - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - (no file)
    O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
    O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - E:\WINDOWS\system32\nweipeg.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
    O4 - HKLM\..\Run: [pop06ap] E:\WINDOWS\pop06ap2.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [{6831F5EA-0960-1033-0430-020624030001}] "C:\Program Files\Common Files\{6831F5EA-0960-1033-0430-020624030001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [hrcopul.dll] E:\WINDOWS\system32\rundll32.exe "E:\Documents and Settings\Anna Luzzi.ANNA\Local Settings\Application Data\hrcopul.dll ",vuljcec
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - User Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: E:\WINDOWS\system32\svch21.dll e:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winsys2freg - E:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
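    Added example, not part of the thread or of HijackThis itself: a small Python triage script that applies the kinds of checks a helper makes by eye on a HijackThis v1.99 log like the one above (wildcard Trusted Zone entries, AppInit_DLLs, rundll32 loading a DLL from a profile folder, orphaned hooks, services pointing at missing files). The rogue-domain list and the severity rules are my own assumptions built from this log, and the sample input is a selection of lines copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Wildcard Trusted Zone domains taken from the log above (constructed for this
# example from that log, not an authoritative block list).
ROGUE_ZONE_DOMAINS = {
    "adgate.info", "dollarrevenue.com", "elitemediagroup.net", "imagesrvr.com",
    "matcash.com", "media-motor.com", "mediatickets.net", "snipernet.biz",
    "systemdoctor.com", "winantivirus.com",
}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    code: str       # HijackThis section code, e.g. "O20"
    severity: str   # "high" (act on it) or "review" (needs a human decision)
    reason: str
    entry: str


def _host_of(text: str) -> str:
    m = URL_HOST_RE.search(text)
    return m.group(1).lower() if m else ""


def _is_rogue(host: str) -> bool:
    host = host.lower().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in ROGUE_ZONE_DOMAINS)


def triage_entry(line: str) -> Optional[Finding]:
    """Apply one defender rule per HijackThis section; None means nothing flagged."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    if code in ("R0", "R1") and "http" in low:
        host = _host_of(body)
        if not host.endswith(("microsoft.com", "msn.com")):
            return Finding(code, "high", f"IE search/start page points at {host}", line)
    elif code == "R3" and "(no file)" in low:
        return Finding(code, "review", "orphaned URLSearchHook (DLL already gone)", line)
    elif code == "O2" and ("(no name)" in low or "(file missing)" in low):
        # Legitimate BHOs can show as (no name) too (Spybot's SDHelper does), so review only.
        return Finding(code, "review", "unnamed or missing Browser Helper Object", line)
    elif code == "O4":
        if "rundll32.exe" in low and "local settings\\application data" in low:
            return Finding(code, "high", "rundll32 loading a DLL from a user profile data folder", line)
        if re.search(r"\]\s+[a-z]:\\windows\\[^\\]+\.exe\s*$", low):
            return Finding(code, "high", "autorun executable placed directly in the Windows folder", line)
    elif code == "O15" and "trusted zone" in low:
        host = body.split(":", 1)[1].split()[0]
        sev = "high" if _is_rogue(host) else "review"
        return Finding(code, sev, f"Trusted Zone grants relaxed IE security to {host}", line)
    elif code == "O16" and _is_rogue(_host_of(body)):
        return Finding(code, "high", f"ActiveX download point on {_host_of(body)}", line)
    elif code == "O20":
        if "appinit_dlls" in low:
            return Finding(code, "high", "AppInit_DLLs set: DLL injected into every user32 process", line)
        if "winlogon notify" in low and "\\system32\\" not in low:
            return Finding(code, "high", "Winlogon Notify DLL loaded from outside system32", line)
    elif code == "O23" and "unknown owner" in low and "(file missing)" in low:
        return Finding(code, "review", "service with unknown owner and missing binary", line)
    return None


def triage_log(text: str) -> List[Finding]:
    return [f for f in map(triage_entry, text.splitlines()) if f is not None]


def severity_counts(findings: List[Finding]) -> dict:
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "review")}


# Lines copied from the HijackThis log posted above (a selection, not the full log).
SAMPLE_LOG = r"""
Running processes:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
R3 - URLSearchHook: (no name) - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - (no file)
O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - E:\WINDOWS\system32\nweipeg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [pop06ap] E:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
O4 - HKLM\..\Run: [hrcopul.dll] E:\WINDOWS\system32\rundll32.exe "E:\Documents and Settings\Anna Luzzi.ANNA\Local Settings\Application Data\hrcopul.dll ",vuljcec
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - AppInit_DLLs: E:\WINDOWS\system32\svch21.dll e:\windows\system32\ldcore.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - E:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
```

    On the sample above it reports 8 high and 4 review findings; the "review" ones (orphaned hook, unnamed BHOs, missing service binary) are exactly the entries a helper would still want to look at before deciding.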
     
  2. 2007/01/02
    TeMerc

    TeMerc Inactive Alumni

    Hello and welcome to WindowsBBS Forums.

    Anna, I've moved your post to its own thread.

    You have some sort of mess going on there. Let's get a scan and run another file searching tool as well.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop.

    You can do this by going to My Computer (Windows key+e), then double click on C:, then right click and select New, then Folder, and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Please download, install, and update the free version of AVG Anti-Spyware 7.5. Save the file to your desktop.
    1. Double-click the file and select your language.
    2. Follow the prompts to install. The application will add three startups to your system; be sure to allow them if you have any real time monitoring of your system.
    3. Once install has completed, run the program.
    4. Be sure the two options are enabled:
      • Resident shield
      • Automatic updates
    5. From the main AVG 'Status' screen, click the update now link; the update should begin automatically. If not, hit the [Manual Update] button to begin updating.
    6. After the update finishes, the status bar will display "Update successful".
    7. Click the 'Scanner' tab, and select the 'Settings' tab.
    8. Under 'How to act?' click 'Recommended actions' and select 'Quarantine'
    9. Under 'Reports' be sure to tick the radio button for 'Automatically generate report after each scan' and un-tick the 'Only if threats were found' box.
    10. Exit AVG. DO NOT run a scan yet.

    Reboot into safe mode this way:
    Turn on the computer
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Then please open AVG,
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • When the scan is finished, click the [Save report] button at the bottom of the screen.
    • Then hit the [Save report as] button.
    • Save the report to your desktop.
    • Click the 'Scanner' tab again and then click the [Apply all actions] button.
    • Close AVG
    Then please restart it into Normal Windows. Please post the contents of the ComboFix log into this thread, along with the AVG report and a new HijackThis log. (please edit out all 'cookies', 'Recycler folder' and 'restore\system volume folder' references from the AVG log)
     


  4. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    Combo Fix Log

    Anna Luzzi - 07-01-02 19:01:43.40 Service Pack 2
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Anna Luzzi\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    E:\QooBox\Purity\WINDOWS\system32\MBOLS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


    2007-01-01 23:27 2,654 --a------ E:\WINDOWS\system32\tmp.reg
    2007-01-01 23:25 79,360 --a------ E:\WINDOWS\system32\swxcacls.exe
    2007-01-01 23:25 53,248 --a------ E:\WINDOWS\system32\Process.exe
    2007-01-01 23:25 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
    2007-01-01 23:25 40,960 --a------ E:\WINDOWS\system32\swsc.exe
    2007-01-01 23:25 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
    2007-01-01 23:25 135,168 --a------ E:\WINDOWS\system32\swreg.exe
    2007-01-01 23:18 <DIR> d-------- E:\VundoFix Backups
    2007-01-01 01:17 <DIR> d-------- E:\SDFix
    2007-01-01 01:08 <DIR> d-------- E:\avenger
    2006-12-31 23:38 <DIR> dr-h----- E:\$VAULT$.AVG
    2006-12-31 23:38 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\AVG7
    2006-12-31 23:37 816,672 --a------ E:\WINDOWS\system32\drivers\avg7core.sys
    2006-12-31 23:37 4,960 --a------ E:\WINDOWS\system32\drivers\avgtdi.sys
    2006-12-31 23:37 4,224 --a------ E:\WINDOWS\system32\drivers\avg7rsw.sys
    2006-12-31 23:37 3,968 --a------ E:\WINDOWS\system32\drivers\avgclean.sys
    2006-12-31 23:37 28,416 --a------ E:\WINDOWS\system32\drivers\avg7rsxp.sys
    2006-12-31 23:37 18,240 --a------ E:\WINDOWS\system32\drivers\avgmfx86.sys
    2006-12-31 23:28 73,728 --a------ E:\WINDOWS\system32\out.dll
    2006-12-31 23:28 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\american dad screenmate
    2006-12-31 22:04 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\Uniblue
    2006-12-31 21:54 79,657 --a------ E:\WINDOWS\system32\qvx5gamet2.exe
    2006-12-31 21:54 7,680 --a------ E:\WINDOWS\system32\comdlg77.dll
    2006-12-31 21:54 43,008 --a------ E:\WINDOWS\system32\msvcrl.dll
    2006-12-31 21:54 20,425 -r-h----- E:\WINDOWS\system32\win_8.exe
    2006-12-31 21:48 93,696 --a------ E:\WINDOWS\system32\hrcopul.dll
    2006-12-31 21:48 6,295 --a------ E:\WINDOWS\system32\vxg4am1et2.exe
    2006-12-31 21:48 29,279 --a------ E:\WINDOWS\system32\vxga4m1et4.exe
    2006-12-31 21:48 17,920 --a------ E:\WINDOWS\system32\vxga4me1.exe
    2006-12-31 21:48 17,920 --a------ E:\WINDOWS\system32\tccpip.exe
    2006-12-31 21:47 7,693 --a------ E:\WINDOWS\system32\dlh9jkd1q7.exe
    2006-12-31 21:47 7,181 --a------ E:\WINDOWS\system32\dlh9jkd1q6.exe
    2006-12-31 21:46 275,968 --a------ E:\WINDOWS\system32\vpumthw.exe
    2006-12-31 21:46 18,957 --a------ E:\WINDOWS\system32\dlh9jkd1q2.exe
    2006-12-31 21:46 13 --a------ E:\WINDOWS\system32\dlh9jkd1q8.exe
    2006-12-31 21:45 8,343 --a------ E:\WINDOWS\system32\kernels88.exe
    2006-12-31 21:43 7,116 --a------ E:\WINDOWS\winus1.exe
    2006-12-31 03:33 1,233,920 --a------ E:\WINDOWS\system32\msxml4.dll
    2006-12-31 03:32 82,432 --a------ E:\WINDOWS\system32\msxml4r.dll
    2006-12-31 03:32 24,064 --a------ E:\WINDOWS\system32\drivers\savonaccessfilter.sys
    2006-12-31 03:31 80,128 --a------ E:\WINDOWS\system32\drivers\savonaccesscontrol.sys
    2006-12-19 22:47 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\.housecall6.6
    2006-12-19 22:47 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\.housecall6.6
    2006-12-19 21:54 <DIR> d-------- E:\Documents and Settings\Administrator.ANNA
    2006-12-19 21:19 <DIR> d-------- E:\Documents and Settings\Administrator
    2006-12-18 22:31 <DIR> d-------- E:\WINDOWS\bak


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-02 19:02 3915 --a------ E:\ComboFix.txt
    2007-01-02 19:02 3915 --a------ E:\ComboFix.txt
    2007-01-02 18:58 11937 --a------ E:\ComboFix2.txt
    2007-01-02 18:58 11937 --a------ E:\ComboFix2.txt
    2007-01-02 03:49 -------- d-------- E:\WINDOWS
    2007-01-02 03:49 -------- d-------- E:\WINDOWS
    2007-01-01 23:28 1907 --a------ E:\rapport.txt
    2007-01-01 23:28 1907 --a------ E:\rapport.txt
    2007-01-01 23:22 212 --a------ E:\VundoFix.txt
    2007-01-01 23:22 212 --a------ E:\VundoFix.txt
    2007-01-01 02:19 -------- d--hs---- E:\RECYCLER
    2007-01-01 02:19 -------- d--hs---- E:\RECYCLER
    2007-01-01 01:07 1111 --a------ E:\pelog.txt
    2007-01-01 01:07 1111 --a------ E:\pelog.txt
    2006-12-31 23:36 -------- d-------- E:\Documents and Settings
    2006-12-31 23:36 -------- d-------- E:\Documents and Settings
    2006-12-31 21:54 656 --a------ E:\WINDOWS\system32\sfc_os.dll
    2006-12-31 21:53 -------- d--h----- E:\Config.Msi
    2006-12-31 21:53 -------- d--h----- E:\Config.Msi
    2006-12-31 03:47 -------- dr------- E:\Program Files
    2006-12-31 03:47 -------- dr------- E:\Program Files
    2006-12-24 23:44 -------- d-------- E:\TEMP
    2006-12-24 23:44 -------- d-------- E:\TEMP
    2006-12-19 15:45 2764 --ah----- E:\IPH.PH
    2006-12-19 15:45 2764 --ah----- E:\IPH.PH
    2006-12-07 00:29 2374472 --a------ E:\WINDOWS\system32\wmvcore.dll
    2006-11-27 22:07 -------- d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\Skype
    2006-11-08 00:06 679424 --a------ E:\WINDOWS\system32\inetcomm.dll
    2006-11-02 20:41 -------- d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\uTorrent
    2006-10-19 08:56 713216 --a------ E:\WINDOWS\system32\sxs.dll
    2006-10-13 07:35 65536 --a------ E:\WINDOWS\system32\nwwks.dll
    2006-10-13 07:35 64000 --a------ E:\WINDOWS\system32\nwapi32.dll
    2006-10-13 07:35 142336 --a------ E:\WINDOWS\system32\nwprovau.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "Aim6 "=" "
    "Aim6 "=" "
    "Syscpy "=" "
    "DIRECT! "=" "
    "Uniblue SpyEraser "= "\ "c:\\program files\\uniblue\\spyeraser\\spyeraser.exe\" -m "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    @=hex(7b0):

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "pop06ap "= "E:\\WINDOWS\\pop06ap2.exe "
    "HP Software Update "= "\ "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "{6831F5EA-0960-1033-0430-020624030001} "= "\ "C:\\Program Files\\Common Files\\{6831F5EA-0960-1033-0430-020624030001}\\Update.exe\" te-110-12-0000213 "
    "hrcopul.dll "= "E:\\WINDOWS\\system32\\rundll32.exe \ "E:\\Documents and Settings\\Anna Luzzi.ANNA\\Local Settings\\Application Data\\hrcopul.dll\ ",vuljcec "
    "hrcopul.dll "= "E:\\WINDOWS\\system32\\rundll32.exe \ "E:\\Documents and Settings\\Anna Luzzi.ANNA\\Local Settings\\Application Data\\hrcopul.dll\ ",vuljcec "
    "AVG7_CC "= "C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlMinorVersion "=dword:00000005
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "SubscribedURL "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,de,03,\
    00,00,04,00,00,40
    "RestoredStateInfo "=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,de,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    @=hex(7ac):

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
    @=hex(7ac):

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    @=hex(7b0):

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    @=hex(7b0):

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop "=dword:00000000
    "NoActiveDesktop "=dword:00000000
    "ClassicShell "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
    "Run "=hex(7ac):

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "legalnoticecaption "=" "
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    @=hex(7ac):

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    @=hex(7ac):

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
    @=hex(7ac):

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    @=hex(7ac):

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "CAISafe "=dword:00000003
    "CAISafe "=dword:00000003
    "Browser "=dword:00000002
    "BITS "=dword:00000003
    "AudioSrv "=dword:00000002
    "AppMgmt "=dword:00000003
    "ALG "=dword:00000003
    "ColdFusion MX ODBC Server "=dword:00000002
    "ColdFusion MX ODBC Agent "=dword:00000002
    "ColdFusion MX Application Server "=dword:00000002
    "Adobe LM Service "=dword:00000003
    "vsmon "=dword:00000002
    "iPodService "=dword:00000003
    "IDriverT "=dword:00000003

    HKEY_ REG_SZ
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService

    Contents of the 'Scheduled Tasks' folder
    E:\WINDOWS\tasks\Uniblue SpyEraser.job

    Completion time: 07-01-02 19:02:37.81
    E:\ComboFix.txt ... 07-01-02 19:02
    E:\ComboFix2.txt ... 07-01-02 18:58
     
  5. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    AVG Reports Part 1

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:05:08 PM 1/2/2007

    + Scan result:


    E:\WINDOWS\system32\hrcopul.dll -> Downloader.Busky.az : Cleaned.


    E:\Documents and Settings\LocalService\Local Settings\Temp\f59393953.exe -> Downloader.Qoologic.bp : Cleaned.

    E:\Documents and Settings\NetworkService\Local Settings\Temp\f59391859.exe -> Downloader.Qoologic.bp : Cleaned.

    E:\WINDOWS\system32\sfc_os.dll -> Downloader.SFC.os : Cleaned.

    E:\WINDOWS\winus1.exe -> Downloader.Small.bve : Cleaned.


    E:\WINDOWS\system32\vxga4m1et4.exe -> Downloader.Small.dam : Cleaned.

    C:\mjadsii.exe -> Downloader.Small.edu : Cleaned.

    E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZL1CPYQX\uohhhtddnb[1].txt -> Downloader.Small.edu : Cleaned.

    E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet
    Files\Content.IE5\4J4FU5UP\uohhhtddnb[1].txt -> Downloader.Small.edu : Cleaned.

    E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun23.exe -> Downloader.Tibs.jy : Cleaned.

    E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun26.exe -> Downloader.Tibs.jy : Cleaned.

    E:\WINDOWS\system32\kernels88.exe -> Downloader.Tibs.jy : Cleaned.

    E:\WINDOWS\system32\vxg4am1et2.exe -> Downloader.Tibs.jy : Cleaned.


    E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun25.exe -> Dropper.Agent.azk : Cleaned.
    C:\pweug.exe -> Hijacker.Costrat.z : Cleaned.
    E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ZL1CPYQX\burnobc[1].txt -> Hijacker.Costrat.z : Cleaned.
    E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\03A8ASGY\burnobc[1].txt -> Hijacker.Costrat.z : Cleaned.


    E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2LDE6YH3\gmstd[1].htm -> Logger.Goldun.on : Cleaned.

    E:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\4J4FU5UP\gmstd[1].htm -> Logger.Goldun.on : Cleaned.

    E:\WINDOWS\system32\msvcrl.dll -> Logger.Goldun.on : Cleaned.

    E:\Documents and Settings\Anna Luzzi.ANNA\Local Settings\Application Data\iapbaaaa.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.

    E:\WINDOWS\system32\dlh9jkd1q2.exe -> Not-A-Virus.Hoax.Win32.Renos.gp : Cleaned.
     
  6. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    AVG Reports Part 2

    EDITED To remove cookies, not required
     
  7. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    AVG Reports Part 3

    E:\WINDOWS\system32\vxga4me1.exe -> Trojan.Agent.acr : Cleaned.
    E:\Documents and Settings\NetworkService\Local Settings\Temp\mst27A.tmp -> Trojan.Agent.vg : Cleaned.
    E:\Documents and Settings\NetworkService\Local Settings\Temp\mst286.tmp -> Trojan.Agent.vg : Cleaned.
    C:\sstray.exe -> Trojan.LdPinch.bdf : Cleaned.


    C:\vqqwaoee.exe -> Trojan.Sinowal.ay : Cleaned.


    E:\WINDOWS\system32\win_8.exe -> Trojan.Small.ia : Cleaned.


    E:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun22.exe -> Trojan.VB.tg : Cleaned.
     
  8. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    HiJackThis Log

    I'm sorry, I was reading one at a time, accidentally posted all the cookies removed. Sorry!!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:25:46 PM, on 1/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    E:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\system32\tccpip.exe
    E:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    E:\WINDOWS\system32\sdfghjgewaertyutrew.exe
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\program files\uniblue\spyeraser\spyeraser.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\WINDOWS\system32\WgaTray.exe
    E:\WINDOWS\system32\notepad.exe
    E:\WINDOWS\system32\NOTEPAD.EXE
    E:\WINDOWS\system32\calc.exe
    E:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\HJT\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=
    R3 - URLSearchHook: (no name) - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - (no file)
    O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
    O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - E:\WINDOWS\system32\nweipeg.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [pop06ap] E:\WINDOWS\pop06ap2.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [{6831F5EA-0960-1033-0430-020624030001}] "C:\Program Files\Common Files\{6831F5EA-0960-1033-0430-020624030001}\Update.exe" te-110-12-0000213
    O4 - HKLM\..\Run: [hrcopul.dll] E:\WINDOWS\system32\rundll32.exe "E:\Documents and Settings\Anna Luzzi.ANNA\Local Settings\Application Data\hrcopul.dll ",vuljcec
    O4 - HKLM\..\Run: [sdfghjgewaertyutrew.exe] E:\WINDOWS\system32\sdfghjgewaertyutrew.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\spyeraser.exe" -m
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - User Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/cab/SystemDoctor2006FreeInstall.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: E:\WINDOWS\system32\svch21.dll e:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winsys2freg - E:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     
  9. 2007/01/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's remove what's remaining and see how we fare.

    I edited out all the info from previous posts which was not required.

    Let's proceed.

    Access your Add or Remove Programs Control Panel by hitting your [Start] button, select Control Panel and click on Add or Remove Programs. Then find the following programs and click the [Change|Remove] button for each, if they are listed. If they are not, continue with the instructions.
    WinBudget
    BHO Plugin
    Party Gaming


    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    E:\WINDOWS\system32\svch21.dll
    e:\windows\system32\ldcore.dll
    E:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    E:\WINDOWS\system32\sdfghjgewaertyutrew.exe
    C:\Program Files\Common Files\{6831F5EA-0960-1033-0430-020624030001}\Update.exe
    E:\WINDOWS\pop06ap2.exe
    E:\WINDOWS\system32\nweipeg.dll
    E:\WINDOWS\system32\out.dll
    E:\WINDOWS\system32\qvx5gamet2.exe
    E:\WINDOWS\system32\comdlg77.dll
    E:\WINDOWS\system32\win_8.exe
    E:\WINDOWS\system32\hrcopul.dll
    E:\WINDOWS\system32\vxga4me1.exe
    E:\WINDOWS\system32\tccpip.exe
    E:\WINDOWS\system32\dlh9jkd1q7.exe
    E:\WINDOWS\system32\dlh9jkd1q6.exe
    E:\WINDOWS\system32\vpumthw.exe
    E:\WINDOWS\system32\dlh9jkd1q8.exe
    E:\WINDOWS\bak


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not allow a reboot yet.


    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20073&k=

    R3 - URLSearchHook: (no name) - {2C5AA40E-8814-4EB6-876E-7EFB8B3F9662} - (no file)


    O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll

    O2 - BHO: (no name) - {371EE1EF-F177-1390-7807-08525DC0E55C} - E:\WINDOWS\system32\nweipeg.dll (file missing)


    O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll

    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)


    O4 - HKLM\..\Run: [pop06ap] E:\WINDOWS\pop06ap2.exe

    O4 - HKLM\..\Run: [{6831F5EA-0960-1033-0430-020624030001}] "C:\Program Files\Common Files\{6831F5EA-0960-1033-0430-020624030001}\Update.exe" te-110-12-0000213

    O4 - HKLM\..\Run: [hrcopul.dll] E:\WINDOWS\system32\rundll32.exe "E:\Documents and Settings\Anna Luzzi.ANNA\Local Settings\Application Data\hrcopul.dll ",vuljcec

    O4 - HKLM\..\Run: [sdfghjgewaertyutrew.exe] E:\WINDOWS\system32\sdfghjgewaertyutrew.exe


    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

    O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)

    O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)



    O15 - Trusted Zone: *.adgate.info
    O15 - Trusted Zone: *.dollarrevenue.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.matcash.com
    O15 - Trusted Zone: *.media-motor.com
    O15 - Trusted Zone: *.mediatickets.net
    O15 - Trusted Zone: *.snipernet.biz
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.adgate.info (HKLM)
    O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
    O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.matcash.com (HKLM)
    O15 - Trusted Zone: *.media-motor.com (HKLM)
    O15 - Trusted Zone: *.mediatickets.net (HKLM)
    O15 - Trusted Zone: *.snipernet.biz (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)


    O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download...reeInstall.cab


    O20 - AppInit_DLLs: E:\WINDOWS\system32\svch21.dll e:\windows\system32\ldcore.dll

    O20 - Winlogon Notify: winsys2freg - E:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)


    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
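    The fix list above was built by reading the log for a few recurring signals: wildcard Trusted Zone entries (O15), anything in AppInit_DLLs (O20), ownerless services whose binary under system32 has gone missing (O23), and autoruns with keyboard-mash names (O4). The script below is an added example for this thread, not HijackThis code and not part of the post; it applies those same checks to lines copied from the logs posted here (the sample, the keyboard-row test and the severity labels are this example's own choices) and only reads text, so it changes nothing on a machine.

```python
"""Triage a HijackThis v1.99 log with the signals applied by hand in this thread.

Added example for the thread; not HijackThis code and not from the post above.
It only reads log text and changes nothing on the machine.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [sdfghjgewaertyutrew.exe] E:\WINDOWS\system32\sdfghjgewaertyutrew.exe
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O20 - AppInit_DLLs: E:\WINDOWS\system32\svch21.dll e:\windows\system32\ldcore.dll
O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

HJT_LINE = re.compile(r"^\s*([RO]\d+)\s+-\s+(.*)$")
O4_BODY = re.compile(r".*?:\s*\[([^\]]*)\]\s*(.*)$")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


@dataclass
class Finding:
    section: str
    severity: str  # "high": fix it; "review": confirm it was installed deliberately
    reason: str
    line: str


def keyboard_walk(name: str, min_len: int = 4) -> bool:
    """True if `name` contains `min_len` neighbouring keys of one keyboard row, in either direction."""
    low = name.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + min_len] in low for i in range(len(seq) - min_len + 1)):
                return True
    return False


def autorun_binary(body: str) -> str:
    """Base name of the program an O4 Run entry launches ('' if the body is not in that form)."""
    m = O4_BODY.match(body)
    if not m:
        return ""
    target = m.group(2).strip()
    # A quoted path may contain spaces; an unquoted one ends at the first space.
    exe = target[1:].split('"', 1)[0] if target.startswith('"') else target.split()[0]
    return re.split(r"[\\/]", exe)[-1]


def classify(line: str):
    """One Finding for a suspicious log line, None for a line that needs no attention."""
    m = HJT_LINE.match(line)
    if not m:
        return None
    section, body = m.groups()
    if section == "O15":
        # Sites in the Trusted Zone run with IE's relaxed security settings.
        return Finding(section, "review", "Trusted Zone entry: confirm the domain was added deliberately", line)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        if dlls:
            # AppInit_DLLs are loaded into every process that links user32.dll.
            return Finding(section, "high", f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process", line)
    if section == "O23" and "(file missing)" in body:
        if "Unknown owner" in body and re.search(r"\\windows\\system32\\", body, re.I):
            # No publisher, binary gone, and it sat in system32: the pattern of the rogue services above.
            return Finding(section, "high", "ownerless service pointing at a missing binary under system32", line)
        return Finding(section, "review", "service binary missing: orphaned service, remove or reinstall", line)
    if section == "O4":
        name = autorun_binary(body)
        if name and keyboard_walk(name):
            return Finding(section, "review", f"autorun binary name '{name}' looks like a keyboard mash", line)
    return None


def triage(log_text: str) -> list:
    """All findings for a log, in log order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

    On the sample it reports the keyboard-mash autorun, the Trusted Zone entry and the AppInit_DLLs line, rates the COM+ Messages service high, and leaves the Symantec remnant at "review": ownerless and missing, but under Program Files rather than system32, which is the distinction the helper drew when deciding what to fix.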
     
  10. 2007/01/02
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    ComboFix & Hijack Logfile

    Anna Luzzi - 07-01-02 22:37:38.68 Service Pack 2
    ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Anna Luzzi\Desktop "

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    E:\QooBox\Purity\WINDOWS\system32\MBOLS~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-12-02 to 2007-01-02 ))))))))))))))))))))))))))))))))))


    2007-01-02 22:11 <DIR> d-------- E:\!KillBox
    2007-01-02 19:14 3,968 --a------ E:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-01-01 23:27 2,654 --a------ E:\WINDOWS\system32\tmp.reg
    2007-01-01 23:25 79,360 --a------ E:\WINDOWS\system32\swxcacls.exe
    2007-01-01 23:25 53,248 --a------ E:\WINDOWS\system32\Process.exe
    2007-01-01 23:25 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
    2007-01-01 23:25 40,960 --a------ E:\WINDOWS\system32\swsc.exe
    2007-01-01 23:25 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
    2007-01-01 23:25 135,168 --a------ E:\WINDOWS\system32\swreg.exe
    2007-01-01 23:18 <DIR> d-------- E:\VundoFix Backups
    2007-01-01 01:17 <DIR> d-------- E:\SDFix
    2007-01-01 01:08 <DIR> d-------- E:\avenger
    2006-12-31 23:38 <DIR> dr-h----- E:\$VAULT$.AVG
    2006-12-31 23:38 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\AVG7
    2006-12-31 23:28 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\american dad screenmate
    2006-12-31 22:04 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\Uniblue
    2006-12-31 03:33 1,233,920 --a------ E:\WINDOWS\system32\msxml4.dll
    2006-12-31 03:32 82,432 --a------ E:\WINDOWS\system32\msxml4r.dll
    2006-12-31 03:32 24,064 --a------ E:\WINDOWS\system32\drivers\savonaccessfilter.sys
    2006-12-31 03:31 80,128 --a------ E:\WINDOWS\system32\drivers\savonaccesscontrol.sys
    2006-12-19 22:47 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\.housecall6.6
    2006-12-19 22:47 <DIR> d-------- E:\Documents and Settings\Anna Luzzi.ANNA\.housecall6.6
    2006-12-19 21:54 <DIR> d-------- E:\Documents and Settings\Administrator.ANNA
    2006-12-19 21:19 <DIR> d-------- E:\Documents and Settings\Administrator


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-01-02 22:38 2399 --a------ E:\ComboFix.txt
    2007-01-02 22:38 2399 --a------ E:\ComboFix.txt
    2007-01-02 22:15 -------- d-------- E:\WINDOWS
    2007-01-02 22:15 -------- d-------- E:\WINDOWS
    2007-01-02 19:02 11109 --a------ E:\ComboFix2.txt
    2007-01-02 19:02 11109 --a------ E:\ComboFix2.txt
    2007-01-02 18:58 11937 --a------ E:\ComboFix3.txt
    2007-01-02 18:58 11937 --a------ E:\ComboFix3.txt
    2007-01-01 23:28 1907 --a------ E:\rapport.txt
    2007-01-01 23:28 1907 --a------ E:\rapport.txt
    2007-01-01 23:22 212 --a------ E:\VundoFix.txt
    2007-01-01 23:22 212 --a------ E:\VundoFix.txt
    2007-01-01 02:19 -------- d--hs---- E:\RECYCLER
    2007-01-01 02:19 -------- d--hs---- E:\RECYCLER
    2007-01-01 01:07 1111 --a------ E:\pelog.txt
    2007-01-01 01:07 1111 --a------ E:\pelog.txt
    2006-12-31 23:36 -------- d-------- E:\Documents and Settings
    2006-12-31 23:36 -------- d-------- E:\Documents and Settings
    2006-12-31 21:53 -------- d--h----- E:\Config.Msi
    2006-12-31 21:53 -------- d--h----- E:\Config.Msi
    2006-12-31 03:47 -------- dr------- E:\Program Files
    2006-12-31 03:47 -------- dr------- E:\Program Files
    2006-12-24 23:44 -------- d-------- E:\TEMP
    2006-12-24 23:44 -------- d-------- E:\TEMP
    2006-12-19 15:45 2764 --ah----- E:\IPH.PH
    2006-12-19 15:45 2764 --ah----- E:\IPH.PH
    2006-12-07 00:29 2374472 --a------ E:\WINDOWS\system32\wmvcore.dll
    2006-11-27 22:07 -------- d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\Skype
    2006-11-08 00:06 679424 --a------ E:\WINDOWS\system32\inetcomm.dll
    2006-11-02 20:41 -------- d-------- E:\Documents and Settings\Anna Luzzi.ANNA\Application Data\uTorrent
    2006-10-19 08:56 713216 --a------ E:\WINDOWS\system32\sxs.dll
    2006-10-13 07:35 65536 --a------ E:\WINDOWS\system32\nwwks.dll
    2006-10-13 07:35 64000 --a------ E:\WINDOWS\system32\nwapi32.dll
    2006-10-13 07:35 142336 --a------ E:\WINDOWS\system32\nwprovau.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "Aim6 "=" "
    "Syscpy "=" "
    "DIRECT! "=" "
    "Uniblue SpyEraser "= "\ "c:\\program files\\uniblue\\spyeraser\\spyeraser.exe\" -m "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
    "IPConfig "=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "HP Software Update "= "\ "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\" "
    "QuickTime Task "= "\ "C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "NoChange "= "1 "
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
    "DeskHtmlVersion "=dword:00000110
    "DeskHtmlMinorVersion "=dword:00000005
    "Settings "=dword:00000001
    "GeneralFlags "=dword:00000001

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "
    "Flags "=dword:00000002
    "Position "=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState "=hex:04,00,00,40
    "OriginalStateInfo "=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,de,03,\
    00,00,04,00,00,40
    "RestoredStateInfo "=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,de,03,\
    00,00,01,00,00,00

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "Wallpaper "=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091
    "NoActiveDesktop "=dword:00000000
    "ClassicShell "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "dontdisplaylastusername "=dword:00000000
    "legalnoticecaption "=" "
    "legalnoticetext "=" "
    "shutdownwithoutlogon "=dword:00000001
    "undockwithoutlogon "=dword:00000001

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=dword:00000000

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\system]
    "DisableTaskMgr "=dword:00000000

    [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
    "NoDriveTypeAutoRun "=dword:00000091

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
    "PostBootReminder "= "{7849596a-48ea-486e-8937-a2a3009f31a9} "
    "CDBurn "= "{fbeb8a05-beee-4442-804e-409d6c4515e9} "
    "WebCheck "= "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "
    "SysTray "= "{35CEC8A3-2BE6-11D2-8773-92E220524153} "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "rpcapd "=dword:00000003
    "CAISafe "=dword:00000003
    "Browser "=dword:00000002
    "BITS "=dword:00000003
    "AudioSrv "=dword:00000002
    "AppMgmt "=dword:00000003
    "ALG "=dword:00000003
    "ColdFusion MX ODBC Server "=dword:00000002
    "ColdFusion MX ODBC Agent "=dword:00000002
    "ColdFusion MX Application Server "=dword:00000002
    "Adobe LM Service "=dword:00000003
    "vsmon "=dword:00000002
    "iPodService "=dword:00000003
    "IDriverT "=dword:00000003

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SAVService

    Contents of the 'Scheduled Tasks' folder
    E:\WINDOWS\tasks\Uniblue SpyEraser.job

    Completion time: 07-01-02 22:38:29.78
    E:\ComboFix.txt ... 07-01-02 22:38
    E:\ComboFix2.txt ... 07-01-02 19:02
    E:\ComboFix3.txt ... 07-01-02 18:58








    Logfile of HijackThis v1.99.1
    Scan saved at 10:42:09 PM, on 1/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    E:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\program files\uniblue\spyeraser\spyeraser.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    E:\WINDOWS\system32\wscntfy.exe
    E:\WINDOWS\system32\WgaTray.exe
    E:\WINDOWS\system32\NOTEPAD.EXE
    e:\program files\internet explorer\iexplore.exe
    E:\WINDOWS\system32\spoolsv.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "c:\program files\uniblue\spyeraser\spyeraser.exe" -m
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - User Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    O23 - Service: TCP and UDP Supp0rt - Unknown owner - E:\WINDOWS\system32\tccpip.exe (file missing)
     
  11. 2007/01/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, almost there.


    But we have one new O23 service, which is rogue. And another one I overlooked.


    Go to: Start > Run > type "services.msc", then click OK

    When the Services window appears scroll down to the TCP and UDP Supp0rt service.

    Click it to highlight it, then <right-click> and select: Properties
    Select and set "Service Status" option to "Stop"
    Select: "Startup type" and set it to "Disabled", click Apply, then OK.

    Perform the same steps above with this service:
    COM+ Messages


    Run HJT, and place a check next to the following lines, then, with all browsers and windows closed, hit 'Fix checked':

    O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)

    O23 - Service: TCP and UDP Supp0rt - Unknown owner - E:\WINDOWS\system32\tccpip.exe (file missing)



    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are checked, then search for and delete, if found (some may not be present after previous steps), the following files/folders:
    E:\WINDOWS\system32\svchosts.exe <<<-- this file. **Please note the spelling!** Do not delete svchost.exe; note the extra 'S'.
    E:\WINDOWS\system32\tccpip.exe <<<-- this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
  12. 2007/01/03
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    HiJackThis Log

    These didn't come up.

    O23 - Service: COM+ Messages - Unknown owner - E:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213 (file missing)

    O23 - Service: TCP and UDP Supp0rt - Unknown owner - E:\WINDOWS\system32\tccpip.exe (file missing)

    I couldn't find these either.
    E:\WINDOWS\system32\svchosts.exe
    E:\WINDOWS\system32\tccpip.exe

    My computer is a lot better, thank you.

    But I still have weird error messages when I start up my computer.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:36:13 AM, on 1/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    E:\WINDOWS\system32\HPZipm12.exe
    c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    E:\WINDOWS\system32\wscntfy.exe
    E:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\WINDOWS\system32\spoolsv.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - User Startup: Adobe Gamma.lnk = C:\Program Files\common files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
    O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
    O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
    O23 - Service: Sophos AutoUpdate Service - Sophos plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
     
  13. 2007/01/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    What sort of messages? Give me the exact text which appears, including any links to other sites.

    The log appears clear, but that does not mean there isn't something still lurking.
     
  14. 2007/01/03
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Error Message

    winlogon.exe - Unable To Locate Component

    This application has failed to start because sfc_os.dll was not found. Re-installing the application may fix this problem.
     
  15. 2007/01/03
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    My Processes

    Since I'm fixing everything, I looked at my processes running. Is there anything harmful or useless that's running that I can delete or shut off on my start ups? Thanks again !!! :)

    ALMon.exe
    ALsvc.exe
    avgas.exe
    csrss.exe
    explorer.exe
    guard.exe
    hpqtra08.exe
    HPWuSchd2.exe
    HPZipm12.exe
    Isass.exe
    SAVAdminService.exe
    SavService.exe
    smss.exe
    svchost.exe
    system
    system idle process
    wdfmgr.exe
    winlogon.exe
    wscntfy.exe
     
  16. 2007/01/03
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Windows Media Player - No Sound

    Sorry - I just remembered another problem I've had for a long time. I couldn't get my windows media player to play sound.

    I get this message:
    An audio codec is needed to play this file. To determine if this codec is available to download from the Web, click Web Help.
     
  17. 2007/01/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, for the first problem:
    enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Open 'My Computer' and select the 'Search' feature. Then click the 'All files and folders' button. Click the 'More advanced search options' button and be sure the 'Search system folders', 'Search hidden files and folders' and 'Search subfolders' boxes are check marked, then search for the following file, located in your system32 folder:
    sfc_os.dll

    If there, it may be corrupted. If not there, we need to replace it with a good copy regardless.

    Service pack folders are usually kept on your hard drive. Search for the following folder:
    i386

    Then look for the following files:
    sfc_os.dll or sfc_os.dl_

    Same file, but one format is compressed and the other isn't.

    Let me know what you find. The idea is to put a good copy of the file into the system32 folder. If it is compressed, we'll need to expand it. But that's not a problem.

    Let's get this problem solved before we address the WMP. Do not install any codecs.
     
  18. 2007/01/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    All those are fine, but I'm guessing you misspelled one:
    Isass.exe should actually be lsass.exe, it begins with an 'L', but lower case.
     
  19. 2007/01/03
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    sfc_os.dll

    I did the search. I found the following:

    sfc_os.dll C:\backup\F DRIVE\WINDOWS\system
    sfc_os.dll C:\backup\F DRIVE\WINDOWS\system\dllcache
    sfc_os.dll E:\WINDOWS\system32\dllcache
     
  20. 2007/01/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, here is what we need to do.

    The infection replaced the legit 'sfc_os.dll' with a rogue; now that it's been removed, you're getting errors.

    So first we must verify that the ones on your backups are clean, then we can rename the bad one, replace it with a good one, reboot, and the errors should be gone.

    So:
    Please go to Jotti Online File Scanner

    Navigate to the file on the drive:
    C:\backup\F DRIVE\WINDOWS\system\dllcache

    And have it scanned.

    Post the scan results back here for me, thanks.
     
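    As an added example (not TeMerc's instructions or anything posted in the thread), the locate/expand/compare steps from posts 17 and 20 as one PowerShell pass: it finds every copy of sfc_os.dll or the compressed sfc_os.dl_, unpacks the compressed ones with Windows' own expand.exe, and hashes each so the copies can be compared before anything is moved into system32. The drive layout follows the thread (Windows on E:, backups under C:\backup); the i386 locations are assumptions.

```powershell
# Added example, not from the thread. Enumerate candidate copies of sfc_os.dll,
# expand compressed service-pack copies, and hash them all for comparison.
$ErrorActionPreference = 'Stop'
$systemRoot  = 'E:\WINDOWS'                       # thread's Windows install is on E:
$searchRoots = @("$systemRoot\system32", "$systemRoot\system32\dllcache",
                 'C:\backup\F DRIVE\WINDOWS\system', 'C:\backup\F DRIVE\WINDOWS\system\dllcache',
                 'C:\i386', 'E:\i386')            # i386 paths are assumptions
$staging = Join-Path $env:TEMP 'sfc_os_check'
New-Item -ItemType Directory -Force -Path $staging | Out-Null

function Get-Sha256Hex([string]$Path) {
    # .NET hashing instead of Get-FileHash so this also runs on PowerShell 2.0 (XP era).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

$copies = foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # -Force includes hidden/system entries such as the contents of dllcache.
    Get-ChildItem -LiteralPath $root -Filter 'sfc_os.dl*' -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $path = $_.FullName
        if ($_.Extension -ieq '.dl_') {
            # expand.exe ships with Windows and unpacks the compressed service-pack copy.
            $path = Join-Path $staging (($root -replace '[:\\ ]', '_') + '_sfc_os.dll')
            & "$env:SystemRoot\System32\expand.exe" $_.FullName $path | Out-Null
        }
        $item = Get-Item -LiteralPath $path
        New-Object PSObject -Property @{
            Location = $_.FullName
            Bytes    = $item.Length             # 0 bytes = empty or blocked, like the failed upload
            Version  = $item.VersionInfo.FileVersion
            SHA256   = Get-Sha256Hex $path
        }
      }
}

$copies | Format-Table Location, Bytes, Version, SHA256 -AutoSize
# Copies from a service pack or dllcache that agree with each other are the reference;
# an outlier (different hash, 0 bytes, or absent from system32) is the one to rename
# and replace, as the thread describes.
$copies | Group-Object SHA256 | Sort-Object Count -Descending |
    ForEach-Object { '{0} copy(ies) share hash {1}' -f $_.Count, $_.Name }
```

    Because XP system files are catalog-signed rather than carrying an embedded Authenticode signature, agreement between the service-pack and dllcache copies is a more useful check here than Get-AuthenticodeSignature.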
  21. 2007/01/04
    annabanana973

    annabanana973 Inactive Thread Starter

    Joined:
    2007/01/02
    Messages:
    52
    Likes Received:
    0
    Malware scan

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

    I also tried to turn off my firewall after this and it wouldn't let me. It said "For your security, some settings are controlled by Group Policy ".
     