HJT Log - Please Help. Symptoms are...

#1 - carriemendez - Jan 28th, 2007
Sites take forever to open and my computer takes just as long.
Many thanks!

Logfile of HijackThis v1.98.2
Scan saved at 8:29:07 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1124340605\ee\AOLHostManager.exe
C:\WINDOWS\System32\imapi.exe
C:\Program Files\Common Files\AOL\1124340605\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Accent\WNW\Wnw.exe
C:\Program Files\Common Files\Accent Shared\agtserv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Carrie_2\Desktop\Security\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [56wlA5n] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [56wlA5n.exe] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124340605\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [5YPC#4T4LRJR5E] C:\WINDOWS\System32\Jel377h.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe
O4 - Startup: WNW.lnk = C:\Program Files\Accent\WNW\Wnw.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.daniweb.com
O15 - Trusted Zone: http://*.equifax.com
O15 - Trusted Zone: www.*.intuit.com
O15 - Trusted Zone: www.*.shop.intuit.com
O15 - Trusted Zone: http://www.lesbisanation.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.queens.edu
O15 - Trusted Zone: http://www.sapppho.com
O15 - Trusted Zone: http://*.target.com
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: www.*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1145067128984
#2 - PhilliePhan - Jan 28th, 2007 - Re: HJT Log - Please Help. Symptoms are...
Originally Posted by carriemendez:
    Sites take forever to open and my computer takes just as long.
    Many thanks!

    Logfile of HijackThis v1.98.2

Hi Carrie,

It looks like you have a few malware issues.

--- Your HJT is an old version and outdated. Let's kill a few birds with one stone and do this:

Please follow the steps that I have written here and get an up-to-date copy of HJT. Be sure to rename it as instructed.


Please submit the three scanlogs requested in the link to this forum and we'll get you cleaned up!

1 - Kaspersky Log
2 - AVG Anti-Spy log (remember to "quarantine" and "Apply Actions" as indicated in my instructions)
3 - Fresh HJT Log

If you have any questions, feel free to ask.

Best Luck
PP

#3 - carriemendez - Jan 30th, 2007 - Re: HJT Log - Please Help. Symptoms are...
Hi P,
Well, I finally got through most of your instructions, cleaned whatever I could find and the result is uploaded in the attachments.

Thanks so much for your help. Your instructions helped me clean up quite a bit.

If you would take a look, I think we're down to the last few baddies.

tks
Carrie
Attached Files: logfile.txt (624 Bytes), hijackthis.txt (7.1 KB), KASPERSKY ONLINE SCANNER REPORT.txt (63.1 KB)

#4 - PhilliePhan - Jan 30th, 2007 - Re: HJT Log - Please Help. Symptoms are...
Hi Carrie,

Looks like we have a bunch yet to do. But, we'll get there!

First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
http://free.grisoft.com/doc/2/lng/us/tpl/v5
http://dl2.zonelabs.com/bin/free/100...302_000_en.exe

Install Spyware Blaster, too!
http://www.javacoolsoftware.com/spywareblaster.html

All of the Above are FREE!!

-- You should definitely Update your Java here ---> http://www.java.com/en
-Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! If you do not uninstall ALL older versions, you may remain at risk for a number of baddies such as Vundo.
Do this now.

Also, when we are done, we will need to Flush System Restore – Don’t let me forget!

*** The AVG AntiSpy Log was not saved properly. We’ll run it again after these steps.
*** You have a lot of backdoor Trojans showing. They may have compromised any sensitive information on your computer (banking, passwords, etc...) – You might want to keep an eye on those or change them via a clean computer!


Anyhoo, off we go!
Please do these steps in the order given. Let me know if you have any questions.
You might want to print these steps or save them locally since you will have to reboot and be in Safe Mode.

-- Please Disable SpybotSD’s Tea Timer so it doesn’t interfere with the repair process.

-- Please make sure the Viewing of Hidden Files is Enabled.

-- I suggest you look in Add/Remove Programs and Uninstall Viewpoint / Viewpoint Manager unless you really want to keep it....

--- Download ATF-Cleaner.exe by Atribune to your Desktop. Just leave it for now . . .

--- Download DelDomains and save it to your Desktop. Then, RightClick DelDomains.inf and select Install. That’s all we are going to do with this one.


NEXT:
Please Scan with HijackThis, and check the boxes for the following items if they remain:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe

There is no reason for anything to be in Trusted Zone – DelDomains should have addressed this. If any remain, fix them.
O15 - Trusted Zone: http://www.apple.com
O15 - Trusted Zone: *.apple.com
O15 - Trusted Zone: http://*.bankofamerica.com
O15 - Trusted Zone: http://*.daniweb.com
O15 - Trusted Zone: http://*.equifax.com
O15 - Trusted Zone: www.*.intuit.com
O15 - Trusted Zone: www.*.shop.intuit.com
O15 - Trusted Zone: http://www.lesbisanation.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: *.queens.edu
O15 - Trusted Zone: http://www.sapppho.com
O15 - Trusted Zone: http://*.target.com
O15 - Trusted Zone: http://www.ticketmaster.com
O15 - Trusted Zone: www.*.turbotax.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com

O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone

Fix this, if it remains after the Uninstall of Viewpoint
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Be sure All Browser Windows are Closed and then Click Fix Checked.


NEXT:
Please Boot to Safe Mode.
Use Windows Explorer to navigate to and DELETE these, if they remain.
Remember to ENABLE the Viewing of Hidden Files as I mentioned before.

C:\a.exe
C:\Documents and Settings\Admin\inetd.exe
C:\im.exe
C:\iMeshInst.exe
C:\WINDOWS\system32\aim.exe
C:\WINDOWS\system32\Asp5Wzh.exe
C:\WINDOWS\system32\Heh1MKe7.exe
C:\WINDOWS\system32\Ink640ww.exe
C:\WINDOWS\system32\Jel377h.exe
C:\WINDOWS\system32\KrwH5f.exe
C:\WINDOWS\system32\PlsO0A55.exe
C:\WINDOWS\system32\TktBtA.exe
C:\WINDOWS\system32\Tvi9.exe
C:\WINDOWS\system32\vsixksnw.dll
You’ll need to search for these two:
odfskrnl.exe
lnsvc.exe


NOW:
Run ATF Cleaner

-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option (if you don’t want it to clean cookies, set it accordingly)
-- Click Empty Selected > OK > EXIT
This will flush TEMP files, etc... as well as clean the Java Cache.



LASTLY: I’d like to see fresh Scanlogs from:
1- Kaspersky
2- AVG Anti-Spyware
3- HijackThis


Let me know if you ran into any problems along the way.

Best Luck
PP
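As an added example (not code from this thread, from HijackThis or from PhilliePhan), here is a small Python triage pass over the HJT log format posted in #1, applying the same cues PhilliePhan used in #4: O4 autorun entries that are bare filenames (odfskrnl.exe, lnsvc.exe), that run from a temp directory, that carry random-looking names, or that are registered in several Run locations, plus BHOs loaded from outside Program Files and every Trusted Zone entry. The sample lines are copied from the log above; the rules and the three-alternation threshold for "random-looking" are assumptions of this example, not rules stated in the thread.

```python
import re
from collections import Counter

# Constructed sample input: eight entry lines copied from the log in post #1.
SAMPLE_LOG = r"""
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [56wlA5n] C:\documents and settings\carrie\local settings\temp\56wlA5n.exe
O4 - HKLM\..\Run: [rs7Q33O] odfskrnl.exe
O4 - HKLM\..\Run: [system license manager] lnsvc.exe
O4 - HKLM\..\RunServices: [system license manager] lnsvc.exe
O4 - HKCU\..\Run: [system license manager] lnsvc.exe
O15 - Trusted Zone: http://*.bankofamerica.com
"""
LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")    # "O4 - <body>", "R0 - <body>", ...
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")  # "<hive>\..\Run: [name] command"

def parse(log):
    """Yield (section, body) per HJT entry; header and process-list lines are skipped."""
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def looks_random(name):
    """Generated names such as '56wlA5n' alternate letter and digit runs; three or
    more alternations is treated as random-looking (a heuristic, not proof)."""
    return len(re.findall(r"[A-Za-z]+|\d+", name)) - 1 >= 3

def triage(log):
    """Return (section, body, reason) for the entries that deserve a closer look."""
    rows = [(sec, body, O4_RE.match(body) if sec == "O4" else None) for sec, body in parse(log)]
    # lnsvc.exe sat in HKLM Run, HKLM RunServices and HKCU Run at once; legitimate
    # software rarely registers one command in several autorun locations.
    hits = Counter(m.group(3).lower() for _, _, m in rows if m)
    findings = []
    for section, body, m in rows:
        reasons = []
        if m:
            name, command = m.group(2), m.group(3)
            if "\\" not in command:
                reasons.append("bare filename resolved by PATH search: locate the file")
            if "\\temp\\" in command.lower():
                reasons.append("autorun launched from a temp directory")
            if looks_random(name):
                reasons.append("random-looking autorun name")
            if hits[command.lower()] > 1:
                reasons.append(f"same command in {hits[command.lower()]} autorun locations")
        elif section == "O2" and "program files" not in body.lower():
            reasons.append("BHO loaded from outside Program Files: verify the publisher")
        elif section == "O15":
            reasons.append("Trusted Zone entry relaxes IE security for this site: review")
        if reasons:
            findings.append((section, body, "; ".join(reasons)))
    return findings
```

Run `triage(open("hijackthis.log").read())` against a full log; only the ehTray line in the sample comes back clean, which matches what PhilliePhan left alone.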

#5 - carriemendez - Feb 5th, 2007 - Re: HJT Log - Please Help. Symptoms are...
Hey P! Managed to get through these instructions without incident. Thanks for making them so clear. I did remove the trusted sites, but have a problem (i.e. links don't open) with moving around within a site if the site is not listed in trusted. Drop downs for file selection such as to upload an attachment take eons to open. Not sure if related, but CD writer software doesn't recognize that a CD is inserted. Trying to think what else... Here are the new logs. Again, many thanks. Your help is greatly appreciated.
Attached Files: hijackthis20070205.txt (5.6 KB), KASPERSKY 20070205.txt (29.7 KB), Report-Scan-20070204-232003.txt (1.2 KB)

#6 - PhilliePhan - Feb 5th, 2007 - Re: HJT Log - Please Help. Symptoms are...
Originally Posted by carriemendez:
    Hey P! Managed to get through these instructions without incident. Thanks for making them so clear. I did remove the trusted sites, but have a problem (i.e. links don't open) with moving around within a site if the site is not listed in trusted. Drop downs for file selection such as to upload an attachment take eons to open. Not sure if related, but CD writer software doesn't recognize that a CD is inserted. Trying to think what else... Here are the new logs. Again, many thanks. Your help is greatly appreciated.

Happy to help!

Those problems do not make any sense with the steps we ran.
Sites should not have to be listed in the Trusted Zone for them to work properly.
What is really weird is that I am helping somebody in a different forum with a similar problem with uploading attachments in a few forums they visit..... Sounds like a javascript issue.....

Do This:
Please Update your Java here ---> http://www.java.com/en
Then, look in Add/Remove Programs and Remove ALL traces of any older Java versions! (jre1.5.0_04 and any others)
If you do not uninstall ALL older versions, you may remain at risk for a number of baddies.

Then, run ATF Cleaner again to flush the Java Cache.

-- You could try reinstalling the CD Writer software, but I do not think anything we did affected that....

I will double-check the logs when I get home tonight and we'll go from there.

PP

#7 - PhilliePhan - Feb 5th, 2007 - Re: HJT Log - Please Help. Symptoms are...
In addition to my previous post, you should really do the following:

Originally Posted by PhilliePhan:
    First and foremost, you really need to install a resident Anti-Virus app. I also suggest installing a Firewall as well.
    http://free.grisoft.com/doc/2/lng/us/tpl/v5
    http://dl2.zonelabs.com/bin/free/100...302_000_en.exe

    Install Spyware Blaster, too!
    http://www.javacoolsoftware.com/spywareblaster.html

-- Otherwise, the new logs look OK (we'll still need to flush System Restore after we finish).
You should delete this baddie that was still found by Kaspersky:
C:\Documents and Settings\Carrie_2\inetd.exe -- Infected: Backdoor.Win32.IRCBot.gen
Or, is this something you recognize?


-- About the Trusted Zone:
Are your IE Security Settings set so high that you need to put these known sites into the Trusted Zone? Did you change those settings?

Let me know.

PP