Help with Trojan/Second Thought/I hijacked and here is the log

Discussion in 'adware, spyware & hijack cleaning' started by emsmom, Feb 7, 2004.

  1. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Please help me get rid of this. I have AVG run each evening and it keeps healing, but I have the Second Thought icon on my desktop as well as other icons I did not intend to be there, and I also have the toolbar associated with this virus. Oh, and I had that Povnav thing (perhaps it is associated with the virus) but I think that is under control...but who knows! Please walk me through the procedures. Please....... I am a total newbie :)

    Logfile of HijackThis v1.97.7
    Scan saved at 6:53:45 AM, on 2/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\HPHipm11.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.106-big.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.106-big.dll
    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [QSMP] C:\WINDOWS\QSMP.exe
    O4 - HKLM\..\Run: [CFILPS] C:\WINDOWS\CFILPS.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
    O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmtrans.html
    O9 - Extra button: MaxManager (HKLM)
    O9 - Extra 'Tools' menuitem: &MaxManager (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\Java\ControlF1\STMeeting25.cab
    O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
    O16 - DPF: Win32 Classes -
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/02030105/cccabs/CleverContent.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_753/sdcregie.cab
    O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
    O16 - DPF: {25B64A7C-632D-11D4-9587-0060B0FC8340} (zLaunch Class) - http://209.225.16.4/install/FreeRide/zinstaller.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/3,0,0,24/mcinsctl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {6C636F50-7EB2-11D2-883C-CA8C113EA37E} (McAfee Clinic QuickClean Class) - http://download.mcafee.com/molbin/Clinic/Clean/QuickClean/MGqcctl.cab
    O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4017/ftp.coupons.com/v3121/cpbrkpie.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.3071875
    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
    O16 - DPF: {AEAD8593-667F-11D3-82FA-005004185BB3} (Servicesoft VoiceControl) - http://12.18.140.235/java/nm.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

    O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe

    O4 - HKLM\..\Run: [MSVersion] C:\WINDOWS\System32\internetfeatures.exe
    O4 - HKLM\..\Run: [iefeatures] C:\WINDOWS\System32\iefeatures.exe
    O4 - HKLM\..\Run: [QSMP] C:\WINDOWS\QSMP.exe
    O4 - HKLM\..\Run: [CFILPS] C:\WINDOWS\CFILPS.exe

    O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe

    O4 - Global Startup: PowerReg Scheduler.exe

    O16 - DPF: Win32 Classes -

    O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/02030105/cccabs/CleverContent.cab

    O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_753/sdcregie.cab

    O16 - DPF: {25B64A7C-632D-11D4-9587-0060B0FC8340} (zLaunch Class) - http://209.225.16.4/install/FreeRide/zinstaller.cab

    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installfromtheweb.com/install/iftwclix.cab

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4017/ftp.coupons.com/v3121/cpbrkpie.cab

    O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab

    O16 - DPF: {AEAD8593-667F-11D3-82FA-005004185BB3} (Servicesoft VoiceControl) - http://12.18.140.235/java/nm.cab


    O16 - DPF: {E2CF5C45-7CCC-11D4-9BD1-0080C6F60B6A} (CouponsComBrxpdf2 Control) - http://ftp.coupons.com/brxpdf2.cab

    Then reboot and delete:
    MSConfig45.exe <= http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=56539&VName=BKDR_SDBOT.OJ
    C:\PROGRAM FILES\Toolbar <= entire folder
    C:\WINDOWS\System32\internetfeatures.exe
    C:\WINDOWS\System32\iefeatures.exe
    C:\Program Files\ClearSearch <= entire folder

    And read this on how to prevent future infections: http://boards.cexx.org/viewtopic.php?t=957

    Regards,

    Pieter
     
  3. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    Thank you for replying.
    OK...I read that you said no question is stupid .. stupid is not asking...how do I get back to HijackThis...to perform what you asked me to?
    Regards,
    Theresa
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    Best would be to unzip HijackThis.exe to a folder of its own, since it will create backups of the fixes in that folder.

    Then double-click HijackThis.exe, click Scan and put checkmarks in front of the entries I advised to be fixed.
    Once you have double-checked that you have checkmarks in front of the correct ones, close all other windows and click the Fix Checked button.

    Regards,

    Pieter
     
  5. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    I did originally save it to My Documents as a text file. Do I need to go back and do the whole process again from scratch to get where I need to be...I am sorry I am not a computer whiz at all...I so appreciate your help.
    Sincerely,
    Emsmom
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    You do not need to make a new log.
    After you did the scan with HijackThis, you can put checkmarks in the program screen itself as shown below.
     


  7. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    I have completed Phase 1 and restarted my computer...please walk me through Phase 2.
    Where do I find:
    MSConfig45.exe <= http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=56539&VName=BKDR_SDBOT.OJ
    C:\PROGRAM FILES\Toolbar <= entire folder
    C:\WINDOWS\System32\internetfeatures.exe
    C:\WINDOWS\System32\iefeatures.exe
    C:\Program Files\ClearSearch <= entire folder


    Sincerely,
    Emsmom
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    The easiest way is to use the Find Files utility in Windows.

    Start > Search > All files/folders > type or copy&paste the file or folder name you want to remove and click Find.

    The results will show up on the right hand side. You can right-click them there and choose "Delete".

    You can also have a look here for some better explanation on the Find Files utility: http://www.cyberwalker.net/columns/aug03/find-file.html

    Regards,

    Pieter
     
  9. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    Thank you for hanging in there with me...how do I find:
    MSConfig45.exe <= http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=56539&VName=BKDR_SDBOT.OJ


    I seem to be having a problem with that.

    Sincerely,

    Emsmom
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    It could be a hidden file.
    Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

    Could you post a new log, so I can check if everything we wanted to stop has done so?

    Thanks,

    Pieter
     
  11. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    Still no luck with:

    MSConfig45.exe <= http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=56539&VName=BKDR_SDBOT.OJ

    Search in all files in Computer?

    Yikes this is quite a challenge...hope you are still there.

    Also I did a search for Systems32 and what came up was: Systems32 C:\Windows File Folder
    system32 C:\$WIN_NT$.~BT File Folder

    Are these the 2 I am looking for?

    Thanks again,
    Emsmom

    Do you want me to post the log after I figure these out or before?
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    Please post a new log first. :)
    I will figure out another way to see if the file is gone.

    Regards,

    Pieter
     
  13. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    here goes:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:11:40 PM, on 2/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\HPHipm11.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.106-big.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.106-big.dll
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmtrans.html
    O9 - Extra button: MaxManager (HKLM)
    O9 - Extra 'Tools' menuitem: &MaxManager (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\Java\ControlF1\STMeeting25.cab
    O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/3,0,0,24/mcinsctl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {6C636F50-7EB2-11D2-883C-CA8C113EA37E} (McAfee Clinic QuickClean Class) - http://download.mcafee.com/molbin/Clinic/Clean/QuickClean/MGqcctl.cab
    O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.3071875
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab

    PLMK what you think,
    Thanks again,
    Theresa
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    Your log looks fine.
    I think the file was gone all along.
    But you can try an online virusscan to make sure, you will find several listed here: http://www.wilders.org/free_services_m.htm

    Regards,

    Pieter
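    The "has everything we fixed actually gone" check that Pieter does by eye in this reply can be done mechanically. The following is an added example and not part of the thread or of HijackThis itself: it parses HijackThis 1.97-style log lines, diffs a before and an after scan against the advised fix list, and lists O4 Run entries that are given as a bare filename (like MSConfig45.exe), which is why such a file cannot simply be found at the path shown in the log. The log excerpts embedded below are constructed from short pieces of the logs posted above.

```python
"""Parse and diff HijackThis v1.97-style logs (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines taken from the first log posted in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 6:53:45 AM, on 2/7/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com
R3 - Default URLSearchHook is missing
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe
"""

# Constructed sample: the same slice of the second log, after "Fix checked".
AFTER_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 1:11:40 PM, on 2/7/2004

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
"""

# Subset of the lines Pieter advised fixing in his first reply.
FIXLIST = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://popnav.com",
    r"R3 - Default URLSearchHook is missing",
    r"O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL",
    r"O4 - HKLM\..\Run: [MSConfig45] MSConfig45.exe",
    r"O4 - HKLM\..\RunServices: [MSConfig45] MSConfig45.exe",
]

# "R0 - ..." / "O16 - ..." entry lines; everything else in the log is header or process list.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")
# Body of an O4 registry Run entry: hive, key name, [value name], command.
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (running_processes, entries); entries are (section, body) tuples."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def diff_entries(before: str, after: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Entries that disappeared between the two scans, and entries new in the second."""
    b_entries = parse_hjt(before)[1]
    a_entries = parse_hjt(after)[1]
    b_set, a_set = set(b_entries), set(a_entries)
    removed = [e for e in b_entries if e not in a_set]
    added = [e for e in a_entries if e not in b_set]
    return removed, added


def unfixed(after: str, fixlist: List[str]) -> List[str]:
    """Advised fix lines that are still present in the new log (should be empty)."""
    present = {f"{section} - {body}" for section, body in parse_hjt(after)[1]}
    return [f for f in fixlist if f.strip() in present]


def bare_run_commands(text: str) -> List[Tuple[str, str]]:
    """O4 registry Run entries whose command carries no directory at all.

    Windows resolves these through the PATH, so the file is not where the
    log seems to say; legitimate entries (SysTray.Exe) look the same, so this
    only tells you where to look, not whether the entry is bad.
    """
    out: List[Tuple[str, str]] = []
    for section, body in parse_hjt(text)[1]:
        if section != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue                  # Global Startup and other O4 forms
        cmd = m.group(4).strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if "\\" not in exe and ":" not in exe:
            out.append((m.group(3), exe))
    return out


if __name__ == "__main__":
    removed, added = diff_entries(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still present from fix list:", unfixed(AFTER_LOG, FIXLIST))
    print("bare Run commands before fix:", bare_run_commands(BEFORE_LOG))
```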
     
  15. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    Is AVG Scan OK to use for the virus scan, or do you recommend one of the others?

    What can I do with the icons on my desktop (Second Thought, Eliminate Pop-ups, etc)

    Thank you,
    Theresa
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    Yes, AVG will find it too if it is fully updated.
    You can throw the icons in the trashcan. They shouldn't return this time.

    Regards,

    Pieter
     
  17. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    I followed your advice and updated the AVG and ran the test before I went to bed. When I came down I saw that the test had stopped for some reason and it showed a virus and was healed. I repeated the AVG test and the same virus showed again and was healed. I saved the logs if it is important for you to see. I was not sure if that was something that needed to be posted.

    The virus is called "Trojan horse startpage.EJ"



    Please note that there are 2 new icons that I do not believe I put on my desktop: hpothb07 (the graphics on each are different but the same description is listed on desktop).

    Here is my updated hijack log:
    Logfile of HijackThis v1.97.7
    Scan saved at 5:35:57 AM, on 2/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\HPHipm11.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar_en_2.0.106-big.dll
    O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM32\NZDD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.106-big.dll
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
    O4 - Global Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~5\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.106-big.dll/cmtrans.html
    O9 - Extra button: MaxManager (HKLM)
    O9 - Extra 'Tools' menuitem: &MaxManager (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: Sametime Meeting Toolkit ST25 - file://C:\WINDOWS\Java\ControlF1\STMeeting25.cab
    O16 - DPF: Serome Web2Phone - http://www.dialpad.com/applet/vscp.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcafee.com/molbin/Shared/MGBrwFld.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {23047A90-8511-11D2-87A5-20C252C10000} (McAfee Clinic TreeView Class) - http://download.mcafee.com/molbin/Shared/MGTree.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/3,0,0,24/mcinsctl.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/ProductUpdates/content/opuc.cab
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.25.152/code/PWActiveXImgCtl.CAB
    O16 - DPF: {6C636F50-7EB2-11D2-883C-CA8C113EA37E} (McAfee Clinic QuickClean Class) - http://download.mcafee.com/molbin/Clinic/Clean/QuickClean/MGqcctl.cab
    O16 - DPF: {70647AB5-18FD-4142-82B0-5852478DD0D4} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37882.3071875
    O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex/controls/WindowsMedia/downloadcontrol.cab
    O16 - DPF: {CDB74794-A3BA-4733-B6F6-59BF16D6C15A} (McAfee Smart Shop - Update Class) - http://download.mcafee.com/molbin/mcaeng/mcsmtshp.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.149/code/iPIX-ImageWell-ipix.cab

    Please let me know if I am ok or do I have something else going on?

    Oh and should I go back and check off hidden files (is that important)...this is in regards to when I was trying to find certain files and could not... you had suggested I go in and uncheck the hidden files...ok to put it back?

    Thanks so much,

    Emsmom
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    Please post a log of AVG.
    I think we will see that the virus is found in your Restore Points. They can do no harm there as long as you don't use System Restore.

    There is no need to turn off hidden files/folders showing.

    About the files on your desktop: are you using Adobe Photoshop?

    Regards,

    Pieter
     
  19. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Good Morning Pieter,
    Here is the log:

    Results of Complete Test, date and time 2/8/2004 4:39:55 :

    Testing C:\ serial 560E-7C2F
    C:\HIBERFIL.SYS Cannot open; not checked!
    C:\WINDOWS\PROFILES\All Users\Application Data\Microsoft\NETWORK\Downloader\QMGR0.DAT Cannot open; not checked!
    C:\WINDOWS\PROFILES\All Users\Application Data\Microsoft\NETWORK\Downloader\QMGR1.DAT Cannot open; not checked!
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
    C:\System Volume Information\_restore{B3CA58C1-A4EB-442E-8208-655761360F78}\RP315\A0024023.EXE repaired
    C:\Documents and Settings\EMSMOM\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\EMSMOM\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\EMSMOM\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\EMSMOM\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\NTUSER.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!

    Test finished, duration 00:25:29.7 s
    33913 objects tested, 1 found infected

    Adobe workshop is on my computer.

    Thank you,

    Emsmom
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi emsmom,

    C:\System Volume Information\_restore{B3CA58C1-A4EB-442E-8208-655761360F78}\RP315\A0024023.EXE repaired

    As I suspected. Turn off System Restore, reboot and enable System Restore. Then scan to make sure you are clean and create a manual Restore Point.
    More information on how to dis- and re-enable System Restore: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    hpothb07 is a typical Adobe Photoshop filename, but I am not familiar enough with the program to know why they end up on your desktop.

    Regards,

    Pieter
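    The check behind this advice is whether every detection in the AVG report sits inside System Restore's snapshot store (C:\System Volume Information\_restore{...}\RPnnn\) rather than somewhere the file can actually run. The following Python script is an added example, not code from the thread, AVG or Grisoft: it parses AVG 6 style "Complete Test" output, separates locked-file "Cannot open; not checked!" lines (hiberfil, registry hives) from real detections, and reports whether the toggle-System-Restore step is all that is needed or whether a live file is involved. The sample logs are constructed to mirror the one posted above; the second sample adds an obviously fictitious live-file path to show the other verdict. It assumes result lines end in a single-word status such as "repaired", which is the only verdict string the posted log shows.

```python
"""Triage an AVG 6 style "Complete Test" log: are all detections confined to
System Restore snapshots, or is something live on the disk?  Added example."""
import re
from dataclasses import dataclass, field
from typing import List

# Status strings seen in the thread's log.  Other single-word verdicts
# (an assumption: AVG may emit others) are kept verbatim as the status.
NOT_CHECKED = "Cannot open; not checked!"
RESULT_LINE = re.compile(r"^[A-Za-z]:\\")          # "<path> <status>"
SUMMARY_LINE = re.compile(r"^(\d+) objects tested, (\d+) found infected")
# Windows XP restore-point layout, as in the posted log: files under
# _restore{GUID}\RPnnn\ are backup copies, not the live file.
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP\d+\\",
    re.IGNORECASE)

# Constructed sample modelled on the AVG log posted in the thread.
SAMPLE_LOG = r"""Results of Complete Test, date and time 2/8/2004 4:39:55 :

Testing C:\ serial 560E-7C2F
C:\HIBERFIL.SYS Cannot open; not checked!
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Cannot open; not checked!
C:\System Volume Information\_restore{B3CA58C1-A4EB-442E-8208-655761360F78}\RP315\A0024023.EXE repaired
C:\Documents and Settings\EMSMOM\NTUSER.DAT Cannot open; not checked!

Test finished, duration 00:25:29.7 s
33913 objects tested, 1 found infected
"""

# Constructed variant with a fictitious live detection outside the snapshots.
LIVE_SAMPLE = r"""Testing C:\ serial 560E-7C2F
C:\System Volume Information\_restore{B3CA58C1-A4EB-442E-8208-655761360F78}\RP315\A0024023.EXE repaired
C:\WINDOWS\System32\EXAMPLE-LIVE-FILE.EXE repaired
Test finished, duration 00:25:29.7 s
33913 objects tested, 2 found infected
"""


@dataclass
class Detection:
    path: str
    status: str

    @property
    def in_restore_point(self) -> bool:
        return bool(RESTORE_POINT.search(self.path))


@dataclass
class Report:
    detections: List[Detection] = field(default_factory=list)
    not_checked: List[str] = field(default_factory=list)
    objects_tested: int = 0
    found_infected: int = 0
    warnings: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if not self.detections:
            return "clean"
        if all(d.in_restore_point for d in self.detections):
            return "restore_points_only"   # disable/re-enable System Restore flushes them
        return "live_infection"            # a file outside the snapshots needs cleaning


def parse_avg_log(text: str) -> Report:
    """Classify each result line and cross-check against AVG's own summary."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not RESULT_LINE.match(line):
            m = SUMMARY_LINE.match(line)
            if m:
                report.objects_tested = int(m.group(1))
                report.found_infected = int(m.group(2))
            continue
        if line.endswith(" " + NOT_CHECKED):
            # Locked system files: expected, not detections.
            report.not_checked.append(line[: -len(NOT_CHECKED) - 1])
            continue
        path, _, status = line.rpartition(" ")
        report.detections.append(Detection(path, status))
    if report.found_infected != len(report.detections):
        report.warnings.append(
            f"summary says {report.found_infected} infected, parsed {len(report.detections)}")
    return report


def summarize(report: Report) -> str:
    lines = [f"verdict: {report.verdict}",
             f"{report.objects_tested} tested, {len(report.not_checked)} locked/not checked"]
    for d in report.detections:
        where = "restore point" if d.in_restore_point else "LIVE"
        lines.append(f"  [{where}] {d.status}: {d.path}")
    lines.extend("  warning: " + w for w in report.warnings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_avg_log(SAMPLE_LOG)))
    print(summarize(parse_avg_log(LIVE_SAMPLE)))
```

    Run stand-alone it prints "verdict: restore_points_only" for the first sample, which is the situation in this thread, and "verdict: live_infection" for the second, where the System Restore toggle alone would not be enough. The cross-check against AVG's "found infected" count catches a truncated or partially pasted log.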
     
  21. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    How do I "create a manual Restore Point"?
    I am a little nervous doing this whole procedure...but I am sure it is necessary.
    PLMK
    Sincerely,
    Emsmom
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  23. emsmom

    emsmom Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    14
    Hi Pieter,
    This is probably a silly question. Is it important to use a particular name when entering a restore point description? Is it ok to just use "Restore Point"?
    Once again I appreciate the time and effort you have put into helping me solve these issues.
    Regards,
    Emsmom
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Anything that will make you recognize it will do, emsmom.

    Regards,

    Pieter
     