Cinder and Agobot

Re: yet another Win32:Trojan-gen.{VC}

help................. PLEASE!!!!!!!!!!!!!!!! I am going out of my mind here trying to get rid of this trojan-gen, I also have a worm/agobot or gaobot I can't get rid of either

Logfile of HijackThis v1.97.7

Scan saved at 8:01:48 AM, on 05/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Documents and Settings\Carrie.PURPLEPOWER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083522629609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

 

Hi Cinder,

Could you be a bit more specific?
Which program finds which Trojan where? (Full path and filenames, please)

Your log is clean.
Are you running both AVG and Avast?
I only see AVG in the running processes but a Startup for Avast.

Regards,

Pieter

 

thank you so much for your quick response and sorry I was a little vague..lol (frustrated this morning)

I uninstalled Avast but apparently some of it is still on here..will try to remove it now. I run AVG because I find it easier to use...I am a bit computer illiterate. The AVG warning tells me "Worm/Agobot.13.AJ found in C:\SystemVolumeInformation\_restore......" then it says run AVG to remove but when I run AVG it says no virus' found. In test results it says that there are 27 files(and names them) ....cannot open, not checked. I presume that the problem is in those files...

here is the log from this morning

Results of Complete Test, date and time 05/05/2004 8:49:59 :

Testing C:\ volume WINXP_HOM_EN serial 5CFF-309A
C:\HIBERFIL.SYS Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT.LOG Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\D0000000.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\L0000002.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.IDX Cannot open; not checked!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

Test finished, duration 00:38:35.8 s
22803 objects tested, 0 found infected





Cinder

 

Hi Cinder,

The path indicates that it is in your system restore. You can purge your restore points of any infection that may have been backed up in there by following these directions:

Turn OFF System Restore:
1. On the Desktop, right-click My Computer.
2. Click Properties.
3. Click the System Restore tab.
4. Check the box beside "Turn off System Restore".
5. Click Apply, and then click OK.
6. Restart the computer. (You must restart your computer to clear the old Restore Points)

Turn System Restore ON:
1. Follow the above Steps 1 to 3
2. UNcheck the box beside "Turn off System Restore".
3. Click Apply, and then click OK.
4. Restart your computer.
5. And set a new Restore Point.

After you have done the above, make sure you go to Microsoft's Update site and download ALL Critical Updates listed for your computer and IE browser.

It wouldn't hurt to do a full system scan with one of these free on-line anti-virus scanners:
Free Services

Let us know how the scans turn out.

Regards,

snap

 

I have created a new restore point and done all the updates;

Logfile of HijackThis v1.97.7
Scan saved at 9:53:58 AM, on 10/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Carrie.PURPLEPOWER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083522629609
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

And here is my AVG log...it says no virus' found but it cannot open some files to check
Results of Complete Test, date and time 10/05/2004 8:48:50 :

Testing C:\ volume WINXP_HOM_EN serial 5CFF-309A
C:\HIBERFIL.SYS Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT.LOG Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\D0000000.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\L0000002.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.IDX Cannot open; not checked!
C:\WINDOWS\SMDAT32A.SYS Cannot open; not checked!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
C:\WINDOWS\SYSTEM32\P2P Networking\CACHE\DATABASE\INDEX256.DBB Cannot open; not checked!

Test finished, duration 00:48:18.5 s
24069 objects tested, 0 found infected

 

Eeeeek. Looks like you installed a spyware ridden filesharing program in the mean time.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~2.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"

O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Then reboot and delete:
C:\Program Files\PERFECTNAV <= entire folder
C:\Program Files\MyWay <= entire folder
C:\Program Files\Common files\updmgr <= entire folder
c:\program files\altnet\points manager <= entire folder
C:\Program Files\Common Files\CMEII <= entire folder
C:\Program Files\Common Files\GMT <= entire folder

And uninstall P2P networking in Add/remove Software.

Regards,

Pieter

 

I've done all that and run the AVG scan again and there are still files it cant open to check..... here are the logs again....

Logfile of HijackThis v1.97.7
Scan saved at 5:49:12 PM, on 11/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Hotbar\bin\4.4.6.0\HbInst.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hotbar\bin\4.4.6.0\HbSrv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Carrie.PURPLEPOWER\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsi.eastlink.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.hotbar.com/dyn/hotbar/3.0/sb_searchPageHome.htm
O2 - BHO: Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.4.6.0\HbHostIE.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Hotbar - {B195B3B3-8A05-11D3-97A4-0004ACA6948E} - C:\Program Files\Hotbar\bin\4.4.6.0\HbHostIE.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\4.4.6.0\HbInst.exe /Upgrade
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: hp instant support.lnk = C:\Program Files\Hewlett-Packard\hpis\bin\matcli.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083522629609
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

and AVG.....


Results of Complete Test, date and time 11/05/2004 14:03:52 :

Testing C:\ volume WINXP_HOM_EN serial 5CFF-309A
C:\HIBERFIL.SYS Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\NTUSER.DAT.LOG Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Carrie.PURPLEPOWER\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHANDIR.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\CHN.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\D0000000.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\L0000002.FCS Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DIE.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_DND.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_EXT.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\PRS_RCV.IDX Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.DAT Cannot open; not checked!
C:\Program Files\LOGITECH\Desktop Messenger\8876480\USERS\CARRIE\DATA\STORYDB.IDX Cannot open; not checked!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!

Test finished, duration 00:53:04.8 s
24231 objects tested, 0 found infected

 

I would just like to thank you for all your help...I dont seem to be having any more problems so far...