
avsystemcare.com, drivecleaner, spyware-secure and other popups



Hi,

My wife's machine has suddenly been receiving lots of random popups for avsystemcare, drivecleaner.com and a popup JavaScript alert for spyware-secure that, if you press the red close button, causes other popups to be displayed in random succession. The only way to stop further popups is to kill iexplore.exe.

I ran all the pre-post checks and scans and followed the instructions choosing to install SUPERAntiSpyware. There were no problems identified with any of the checks. I have to say that we have Norton 360 on her PC that is fully up-to-date.

I also downloaded and ran RogueRemover (FREE) and that found no problems either. I don't think my wife (or my daughter) have clicked yes to install avsystemcare or other tools, so I don't think they have been installed. Certainly, using Symantec's definition of being infected with avsystemcare, none of the programs or registry keys it suggests will be installed are there on my machine. This has to be something else that is running that is throwing up these popups.

I could really do with some advice here as Norton I need to pay then


Hi Simon and welcome to Malwarebytes. Please set your system to show hidden files and folders.

To see hidden files:

1. On the Tools menu in Windows Explorer, click Folder Options.

2. Click the View tab.

3. Under Hidden files and folders, click Show hidden files and folders.

Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.

Run HiJack This! again and put a check next to this item:

C:\WINDOWS\system32\NOTEPAD.EXE

Now reboot into safe mode by tapping the F8 Key as soon as you hear the beep. Use Windows Explorer to navigate to, and delete the file below.

C:\WINDOWS\system32\NOTEPAD.EXE

Reboot into normal mode and using Internet Explorer go here http://www.pandasoftware.com/products/activescan.htm and run a full scan. Remove anything found and please post the log as a reply in this thread along with a new HJT log.


Hi Jean,

I ran HJT again but I don't see notepad.exe in the list. In fact it doesn't list any of the running processes in the HJT GUI, it just lists them in the .log file.

Anyway, I believe Notepad was running last time, but I had a hijackthis.log file opened at the time I ran HJT.

Thanks

Simon


I'm sorry I don't know what you mean. You had a log file open when you ran HJT? Run a scan with the program and put a check next to the file listed in the post I made. It is listed in the log right above HiJack This. That is where you will see it in the scan also. Then follow the rest of the instructions you were given.

Edit to add: This is NOT the program notepad that comes with Windows. This is malware posing as notepad. The real file for notepad is not listed in all capital letters.

Edited by JeanInMontana: To explain which file to look for.

Hi,

What I mean is that when I ran HJT I had a log file opened from a previous HJT scan. I have run HJT again, but do not see NOTEPAD.EXE in either the log that opens or in the HJT program itself.

The results of my HJT scan are below. What I was also trying to explain was that at the very top of the log file it lists running processes. But in the HJT program itself, it does not list any running processes. All it lists (with checkboxes) are Reg Keys, BHOs, and services. Do I need to change any settings to be able to see running processes in the HJT GUI in order to put a checkbox against something?

Results of last HJT scan:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:24:14, on 26/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&...&channel=uk

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - https://dbrasweb-ha1.uk.db.com/llclient/dbr...java+AXXPEE.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10312 bytes

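The helper reads the log above section by section: the "Running processes" list, then the prefixed R0/R1, O2, O4, O15, O16 and O17 entries. The script below is an added example (not part of this thread and not HijackThis code) that parses those sections and returns the entries a helper would look at first: BHOs registered with "(no file)", autostarts given without a path, Trusted Zone additions, ActiveX (DPF) downloads from hosts outside an assumed allowlist, and the DNS servers in O17. SAMPLE_LOG is constructed from the kinds of lines in the thread; the NOTEPAD.EXE process line and the TRUSTED_DPF_SUFFIXES allowlist are assumptions.

```python
"""Triage helper for HijackThis (HJT) log sections.

Added example, not part of the forum thread or of HijackThis itself.
Everything a finding reports is still a "look at this" item for a
human, not a verdict.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines modelled on the thread's log, with a
# NOTEPAD.EXE process line added to mirror the helper's description.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://www.pandasoftware.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65
"""

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
O2_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r"^(.*?): \[(.*?)\] (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
O17_RE = re.compile(r"NameServer = (.*)$")

# Assumed allowlist of hosts whose DPF (ActiveX) downloads are expected.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com")


def parse_hjt(text):
    """Split an HJT log into the running-process list and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            in_procs = False  # first prefixed entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes:"):
            in_procs = True
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def host_is_trusted(url):
    """True when the URL's host is one of the allowlisted domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage(text):
    """Return (section, reason, item) tuples for entries worth a second look."""
    findings = []
    for code, body in parse_hjt(text)["entries"]:
        if code == "O2":
            m = O2_RE.match(body)
            if m and m.group(3).strip() == "(no file)":
                findings.append((code, "orphaned BHO registration", m.group(2)))
        elif code == "O4":
            m = O4_RE.match(body)
            if m:
                # Take the executable before any arguments; a bare file name
                # means the log cannot tell which copy actually runs.
                target = m.group(3).strip().strip('"').split('"')[0]
                if "\\" not in target:
                    findings.append((code, "autostart with no path; resolve and verify", m.group(2)))
        elif code == "O15":
            findings.append((code, "site added to IE Trusted Zone", body.split(":", 1)[1].strip()))
        elif code == "O16":
            m = O16_RE.match(body)
            if m and not host_is_trusted(m.group(3)):
                findings.append((code, "ActiveX download from non-allowlisted host", m.group(3)))
        elif code == "O17":
            m = O17_RE.search(body)
            if m:
                for ip in m.group(1).split(","):
                    findings.append((code, "DNS server to confirm with ISP", ip.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, item in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {item}")
```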

Simon, you are correct, the process doesn't show in the scan; it is viewable and removable in the Misc functions. But first please run the Panda scan and post that log and a new HJT log with all browsers and programs closed. I'm hoping it will reveal and/or remove the infection behind your popups. It isn't evident in HJT at this time.


Hi, many thanks for your help!

The Panda report said it found 0 viruses and 91 spyware risks, but couldn't fix them:

Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Henry\Cookies\henry@247realmedia[2].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Henry\Cookies\henry@2o7[1].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Henry\Cookies\henry@adrevolver[2].txt

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Henry\Cookies\henry@ads.pointroll[1].txt

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Henry\Cookies\henry@adtech[2].txt

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Henry\Cookies\henry@adultfriendfinder[2].txt

Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Henry\Cookies\henry@advertising[2].txt

Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Henry\Cookies\henry@adviva[2].txt

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Henry\Cookies\henry@anm.co[1].txt

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Henry\Cookies\henry@apmebf[1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Henry\Cookies\henry@atdmt[1].txt

Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Henry\Cookies\henry@azjmp[2].txt

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Henry\Cookies\henry@bluestreak[1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Henry\Cookies\henry@bs.serving-sys[2].txt

Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Henry\Cookies\henry@burstnet[2].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Henry\Cookies\henry@c5.zedo[2].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Henry\Cookies\henry@casalemedia[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Henry\Cookies\henry@cgi-bin[5].txt

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Henry\Cookies\henry@clickbank[1].txt

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Henry\Cookies\henry@com[1].txt

Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Henry\Cookies\henry@counter.hitslink[1].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Henry\Cookies\henry@doubleclick[1].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Henry\Cookies\henry@drivecleaner[1].txt

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Henry\Cookies\henry@errorsafe[2].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Henry\Cookies\henry@fastclick[1].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Henry\Cookies\henry@go.winantispyware[2].txt

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Henry\Cookies\henry@go[1].txt

Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Henry\Cookies\henry@hotlog[2].txt

Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Henry\Cookies\henry@i.screensavers[2].txt

Spyware:Cookie/Itrack Not disinfected C:\Documents and Settings\Henry\Cookies\henry@ilead.itrack[1].txt

Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Henry\Cookies\henry@media.adrevolver[2].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Henry\Cookies\henry@media.fastclick[2].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Henry\Cookies\henry@mediaplex[1].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Henry\Cookies\henry@overture[2].txt

Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Henry\Cookies\henry@perf.overture[1].txt

Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Henry\Cookies\henry@qksrv[2].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Henry\Cookies\henry@questionmarket[2].txt

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Henry\Cookies\henry@server.iad.liveperson[1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Henry\Cookies\henry@serving-sys[1].txt

Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Henry\Cookies\henry@spylog[1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Henry\Cookies\henry@statcounter[1].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Henry\Cookies\henry@stats.drivecleaner[2].txt

Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\Henry\Cookies\henry@stats1.clicktracks[2].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Henry\Cookies\henry@stats1.reliablestats[1].txt

Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Henry\Cookies\henry@statse.webtrendslive[2].txt

Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Henry\Cookies\henry@targetnet[1].txt

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Henry\Cookies\henry@toplist[2].txt

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Henry\Cookies\henry@tradedoubler[1].txt

Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Henry\Cookies\henry@trafficmp[2].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Henry\Cookies\henry@tribalfusion[1].txt

Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Henry\Cookies\henry@weborama[2].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Henry\Cookies\henry@winantispyware[1].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Henry\Cookies\henry@winantivirus[2].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Henry\Cookies\henry@www.drivecleaner[2].txt

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Henry\Cookies\henry@www.errorsafe[1].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Henry\Cookies\henry@www.winantivirus[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Henry\Cookies\henry@www3.addfreestats[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Henry\Cookies\henry@www5.addfreestats[2].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Henry\Cookies\henry@xiti[1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Henry\Cookies\henry@zedo[2].txt

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mary\Cookies\mary@2o7[2].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mary\Cookies\mary@ad.yieldmanager[2].txt

Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Mary\Cookies\mary@adultfriendfinder[1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mary\Cookies\mary@atdmt[2].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mary\Cookies\mary@bs.serving-sys[1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mary\Cookies\mary@c5.zedo[1].txt

Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Mary\Cookies\mary@casalemedia[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mary\Cookies\mary@doubleclick[1].txt

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mary\Cookies\mary@errorsafe[1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Mary\Cookies\mary@fastclick[1].txt

Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Mary\Cookies\mary@i.screensavers[1].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mary\Cookies\mary@mediaplex[1].txt

Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mary\Cookies\mary@questionmarket[1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mary\Cookies\mary@serving-sys[2].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Mary\Cookies\mary@stats1.reliablestats[2].txt

Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mary\Cookies\mary@toplist[1].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mary\Cookies\mary@tribalfusion[1].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Mary\Cookies\mary@winantivirus[1].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Mary\Cookies\mary@www.winantivirus[1].txt

Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Mary\Cookies\mary@www5.addfreestats[1].txt

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mary\Cookies\mary@xiti[1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mary\Cookies\mary@zedo[1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@ad.yieldmanager[2].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@drivecleaner[1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@fastclick[2].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@go.drivecleaner[1].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@mediaplex[1].txt

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@stats.drivecleaner[2].txt

Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@stats1.reliablestats[1].txt

Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@tradedoubler[2].txt

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@winantivirus[1].txt

Adware:Adware/NaviPromo Not disinfected C:\Program Files\InternetGameBox\InternetGameBox.exe

Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\Program Files\InternetGameBox\uninst.exe

Adware:Adware/Comet Not disinfected C:\Program Files\Screensavers.com\SSSInst\bin\sinstaller2.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\sys\VirtumundoBeGone.exe

Here is the HJT report run just after, with all windows closed:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 06:34:54, on 27/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&...&channel=uk

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - https://dbrasweb-ha1.uk.db.com/llclient/dbr...java+AXXPEE.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10420 bytes


Panda shows why you have the popups.

Adware:Adware/NaviPromo Not disinfected C:\Program Files\InternetGameBox\InternetGameBox.exe

Potentially unwanted tool:Application/InternetGameBox Not disinfected C:\Program Files\InternetGameBox\uninst.exe

Adware:Adware/Comet Not disinfected C:\Program Files\Screensavers.com\SSSInst\bin\sinstaller2.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\sys\VirtumundoBeGone.exe

Go to Add/Remove Programs and uninstall InternetGame Box and Screensavers from Comet

Then boot into safe mode and find these files: C:\Program Files\InternetGameBox, Screensavers.com\SSSinst\bin\sinstaller2.exe and C:\Program Files\InternetGameBox\InternetGameBox.exe. If you can't find them, get this program:

http://download.bleepingcomputer.com/spyware/KillBox.exe

Author: Option^Explicit

License: Freeware

Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

Did you install this: C:\sys\VirtumundoBeGone.exe? If so, did you use it?

Let me know how getting rid of those files works and run a new scan with SuperAntiSpyware and have it remove what it finds. All those cookies should have been removed when you ran it the first time. RogueRemover will also remove several of the Rogue cookies I see, if you run the cookie scan.


Hi,

Sorry for the delay I was away yesterday.

I followed your advice, uninstalled both programs and deleted virtumundobegone.exe (I never installed/used this). After various Panda and SUPERAntiSpyware scans they are reporting no problems, except for a few cookies. But this is not true, as I am still getting the popups. I think these cookies are present from the continuous avsystemcare popups we are still getting. I have uploaded some screenshots of the various popups we are getting:

http://www.mimitee.com/popup1.JPG, http://www.mimitee.com/popup2.JPG, http://www.mimitee.com/popup3.JPG

My last HJT log is below:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:32:23, on 28/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&...&channel=uk

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - https://dbrasweb-ha1.uk.db.com/llclient/dbr...java+AXXPEE.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 10382 bytes


Hi Simon. I just didn't want you to think we were done. I was hoping deleting the files would take care of it, but it didn't, as you know. This is something new because nothing is detecting it yet. Thanks for your patience. We will beat this!

Let's run this tool here http://siri.urz.free.fr/Fix/SmitfraudFix_En.php Follow the instructions carefully; you should print them or save them to a Notepad file, as you will be offline with no access to the site. When you finish, please post a fresh HJT log and the SmitfraudFix log.


hi,

This is the result of the SmitfraudFix scan as well as the HJT log. I don't think it found anything as I'm still getting popups as I write this:

SmitFraudFix v2.207

Scan done at 10:18:22.56, 29/07/2007

Run from C:\HJT\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


Good morning Simon.

Print these instructions or save them to a Notepad file, as you need to have all browsers closed and be offline.

Download SDFix by Andy Manchesta and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.

* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

* Instead of Windows loading as normal, the Advanced Options Menu should appear;

* Select the first option, to run Windows in Safe Mode, then press Enter.

* Choose your usual account.

* Open the extracted SDFix folder and double click RunThis.bat to start the script.

* Type Y to begin the cleanup process.

* It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.

* Press any Key and it will restart the PC.

* When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).

* Finally paste the contents of the Report.txt back on the forum.

We will see what this tool finds. Nothing shows in the HJT log. If after SDFix you are still having popups, please run the Panda scan again and post that log. It did show the files. If we know where they are hiding, I can find a tool more easily.

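The helper's "nothing shows in the HJT log" is a judgement made by reading the O2/O4/O9/O17/O20/O23 lines by hand. As an added example, not part of this thread and not Trend Micro's HijackThis code, here is a small Python triage pass over lines in the shape of the logs posted above. It does not decide what is malicious; it only pulls out the entry types a helper reviews (orphaned CLSIDs, Run entries without a full path, executables sitting directly in %WINDIR%, DNS servers, trusted-zone sites, Winlogon Notify DLLs, services with no owner) and labels why each deserves a look. The sample lines are constructed from the entries in this thread; the flag names and the "windows root" heuristic are this example's own.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example; not code from the thread or from HijackThis itself. It only
groups entries by the reason a human reviewer would look at them.
"""
import re
from collections import defaultdict

# Constructed sample: lines in the shape of the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://www.pandasoftware.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Only registry Run keys; "Global Startup" O4 lines are .lnk files and are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>.*?\\Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
WINDIR_ROOT_EXE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)


def _executable_of(cmd: str) -> str:
    """Program part of a Run command: strip surrounding quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]  # unquoted paths with spaces are truncated here


def triage(log_text: str) -> dict:
    """Map a reason-for-review to the log lines (or values) that triggered it."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind = m.group(1)
        if kind in {"O2", "O3", "O9"} and line.endswith("(no file)"):
            # Registration survives but the DLL/EXE is gone: cleanup, not infection.
            findings["orphaned_clsid"].append(line)
        elif kind == "O4":
            m4 = O4_RE.match(line)
            if m4:
                exe = _executable_of(m4.group("cmd"))
                if "\\" not in exe:
                    # Bare filename: which file runs depends on the search path at logon.
                    findings["run_entry_without_full_path"].append(line)
                elif WINDIR_ROOT_EXE.match(exe):
                    # Executable directly in %WINDIR%, not a subfolder. OEM tools do
                    # this too, so confirm the file's origin rather than assume.
                    findings["exe_in_windows_root"].append(line)
        elif kind == "O15":
            findings["trusted_zone_site"].append(line)
        elif kind == "O17":
            m17 = O17_RE.search(line)
            if m17:
                # Confirm these belong to the ISP, not to a DNS hijacker.
                findings["dns_servers"].extend(m17.group("servers").split(","))
        elif kind == "O20":
            findings["winlogon_notify_dll"].append(line)
        elif kind == "O23":
            m23 = O23_RE.match(line)
            if m23 and m23.group("owner") == "Unknown owner":
                # No company name in the binary's version resource.
                findings["service_unknown_owner"].append(line)
    return dict(findings)


if __name__ == "__main__":
    for reason, entries in triage(SAMPLE_LOG).items():
        print(f"== {reason} ==")
        for entry in entries:
            print("  ", entry)
```

Every bucket is a "look here" list, not a verdict: on the logs in this thread the same pass would flag the SigmaTel tray applet, the Sonix webcam utilities in C:\WINDOWS and the Dell WLAN service, all of which are normal on a Dell laptop, which is exactly the point of putting the reason next to the line.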

Hi

SDFix didn't find anything, I don't think (I followed the instructions explicitly), but Panda did and I am still getting the popups.

Here's the SDFix report:

SDFix: Version 1.94

Run by mummy on 29/07/2007 at 17:46

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting...

Normal Mode:

Checking Files:

No Trojan Files Found

Removing Temp Files...

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:

---------------

Files with Hidden Attributes:

C:\Documents and Settings\mummy\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe

C:\Documents and Settings\Simon\Local Settings\Temp\Juniper Networks\setup\NeoterisSetupApp.exe

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

C:\Documents and Settings\mummy\NTUSER.DAT.COPY.TMP.LOG

C:\Documents and Settings\Ruthie\NTUSER.DAT.COPY.TMP.LOG

C:\Documents and Settings\Ruthie\Application Data\Microsoft\Word\~WRL0004.tmp

C:\Documents and Settings\Ruthie\Application Data\Microsoft\Word\~WRL0005.tmp

C:\Documents and Settings\Ruthie\My Documents\~WRL2798.tmp

C:\Documents and Settings\Simon\NTUSER.DAT.COPY.TMP.LOG

C:\Documents and Settings\Simon\Application Data\Microsoft\Word\~WRL2923.tmp

Finished

Here's the Panda report:

Incident Status Location

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mary\Cookies\mary@errorsafe[1].txt

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@ad.yieldmanager[1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@atdmt[1].txt

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@clickbank[1].txt

Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@fastclick[2].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@mediaplex[1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@statcounter[1].txt

Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@tribalfusion[1].txt

Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mummy\Cookies\mummy@zedo[1].txt

Potentially unwanted tool:Application/Processor Not disinfected C:\HJT\SDFix.exe[sDFix\apps\Process.exe]

Potentially unwanted tool:Application/Processor Not disinfected C:\HJT\SmitfraudFix\Process.exe

Potentially unwanted tool:Application/SuperFast Not disinfected C:\HJT\SmitfraudFix\restart.exe

Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe

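The "Authorized Application Key Export" in the SDFix report above is the Windows XP SP2 firewall exception list, one value per program in the form `"<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"`. SDFix prints it because malware that wants inbound connections adds itself there. As an added example, not SDFix's code and not from the thread, here is a Python parser for that export that reconstructs the fields and flags entries a reviewer would question. The first entries are copied from the report; the last entry (a `svchost.exe` under a user's Temp folder) is constructed to show what a self-added exception looks like and is not from the poster's machine.

```python
"""Parse the XP SP2 firewall AuthorizedApplications export that SDFix prints.

Added example; not SDFix's code. Flags are review hints, not verdicts.
"""
import re

# Constructed sample: real entries from the report plus one made-up entry
# (the Temp\svchost.exe line) illustrating a self-added exception.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\mummy\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\mummy\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<key>(?:[^"\\]|\\.)*)"="(?P<value>(?:[^"\\]|\\.)*)"$')
# path may contain one colon (the drive letter); scope/mode/name follow.
FIELDS_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*):(?P<mode>[^:]*):(?P<name>.*)$")

# Core Windows binaries that only belong under %windir%\system32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}


def _unescape(s: str) -> str:
    """Undo .reg-style escaping (\\\\ -> \\, \\" -> \")."""
    return re.sub(r"\\(.)", r"\1", s)


def flags_for(path: str) -> set:
    """Review hints derived from where the excepted program lives."""
    low = path.lower()
    flags = set()
    if "\\temp\\" in low or low.startswith("%temp%"):
        flags.add("temp_location")
    base = low.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and "\\system32\\" not in low:
        flags.add("system_name_outside_system32")
    return flags


def parse_export(text: str) -> list:
    """Return one dict per authorized application, with its firewall profile."""
    entries, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            parts = km.group("key").lower().split("\\")
            profile = parts[-3] if len(parts) >= 3 else None
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        key = _unescape(vm.group("key"))
        fm = FIELDS_RE.match(_unescape(vm.group("value")))
        if not fm:
            entries.append({"profile": profile, "path": key, "enabled": True,
                            "flags": {"unparseable_value"}})
            continue
        path = fm.group("path")
        flags = flags_for(path)
        if path.lower() != key.lower():
            flags.add("key_value_mismatch")  # value name and path disagree
        entries.append({
            "profile": profile,
            "path": path,
            "scope": fm.group("scope"),
            "enabled": fm.group("mode").lower() == "enabled",
            "name": fm.group("name"),
            "flags": flags,
        })
    return entries


def suspicious(entries: list) -> list:
    """Enabled exceptions that carry at least one review flag."""
    return [e for e in entries if e["flags"] and e["enabled"]]


if __name__ == "__main__":
    for e in suspicious(parse_export(SAMPLE_EXPORT)):
        print(e["profile"], e["path"], sorted(e["flags"]))
```

On the report as posted, every entry parses cleanly and nothing is flagged, which matches the helper's reading; the constructed entry shows the two signals that would have stood out (a Temp path, and a core-system filename outside system32).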

Panda only found some cookies and the SmitFraud tool. Not what we are looking for unfortunately.

http://www.geekstogo.com/forum/index.php?a...amp;showfile=19 Please download the file here at the very bottom of the page. Follow all directions carefully.

This tool is compatible with Windows 2000 and up (that includes Vista).

Download a single executable and run it. ComboScan gives your standard warnings, then does the following (in order):

1. Logs if the computer is in Normal Mode, Safe Mode, or Safe Mode with Networking. No more guessing!

2. Creates a restore point (Normal Mode XP and Vista only). Will try to re-enable System Restore if it was disabled.

3. Cleans Temporary Files, Downloaded Program Files, Internet Cache Files, and empties the Recycle Bin on all drives.

4. Searches for HijackThis on the system. If it cannot find it, it will ask the user permission to download a copy from greyknight17.com. The user also has the option of telling ComboScan where their copy of HijackThis is if they have already downloaded it.

5. Renames HijackThis based on the login name and gets a log using the /autolog parameter, closing both HijackThis and the Notepad without requiring interaction from the user.

6. Lists out HJT entries that the user has hidden.

7. Lists out HJT backups.

8. Dumps file associations (similar to SREng) and will highlight in red if something doesn't match up.

9. Dumps drivers (whitelisted) and tests for pe386/Rustock.

10. Dumps services (again, whitelisted).

11. Dumps the Scheduled Tasks folder.

12. Prints files created in the past 30 days and files modified in the past 90 days, similar to ComboFix.

13. Dumps various registry load points with whitelist (very similar to ComboFix).

14. Gets basic system information, such as number of CPUs, memory usage, drive information (filesystem type, space).

15. Dumps Security Center information (if appropriate).

16. Dumps DOS environment variables.

17. Lists all user profiles on the system (and says which are administrative accounts).

18. Dumps Add/Remove programs, looking in both HKLM and HKCU. Common Microsoft entries are whitelisted.

19. Turns off word wrap in Notepad.

20. Unhides files and shows extensions.

21. Opens the logs in Notepad for the user to post.

In all, it takes anywhere from 1-5 minutes to do all the above, depending on the system.

ComboScan produces two logs. The primary log contains everything up to and including the registry dump, and the supplementary log contains everything else. You can find both logs in C:\ComboScan.

Some additional notes:

If ComboScan downloads and installs HijackThis, it installs it as %PROGRAMFILES%\HijackThis\HijackThis.exe and creates a shortcut on the Desktop.

If ComboScan cannot download HijackThis and there is no local copy of HijackThis for ComboScan to use, ComboScan will produce a HijackThis-esque log. You will still need to install HijackThis or you will need to manually fix the system as ComboScan does not provide this ability.

There is a command switch, /config, that will allow you to pick and choose which modules you want ComboScan to use.

When ComboScan is run for the first time, it will produce a full set of logs. Each subsequent run will only produce a HijackThis log along with a file and registry dump (no restore point or cleanup is performed). If you want something else -- like the driver dump -- you will need to run ComboScan with /config. If you download and run a newer copy of ComboScan, it will produce a full set of logs again the first time the new copy is run.

Don't expect this to fix your system. I need the logs to find what is hiding. Then we go after it. The logs will be quite long if you can't post them both into one post that's fine, just be sure to post both please.

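Step 8 in the description above (file associations that "don't match up") is the check for a hijacked shell-open command: malware that wants to run every time any program starts replaces the command under HKEY_CLASSES_ROOT\exefile\shell\open\command (or comfile, batfile and friends) with a path to itself. As an added example, not ComboScan's code and not from the thread, here is that comparison in Python over a constructed .reg-style dump. The expected values are the ones a stock Windows XP install sets; the `helper.exe` line in the sample is a made-up hijack to show what a mismatch looks like, not something found on the poster's machine.

```python
"""Compare shell-open commands of executable file classes with XP defaults.

Added example; not ComboScan's code. The EXPECTED table holds the stock
Windows XP values for each class (assumption: unmodified XP SP2 install).
"""
import re

EXPECTED = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
}

# Constructed sample dump. The batfile entry is a made-up hijack: a program
# inserted in front of the real command so it runs whenever a .bat is opened.
SAMPLE_DUMP = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\scrfile\shell\open\command]
@="\"%1\" /S"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="C:\\WINDOWS\\system32\\helper.exe \"%1\" %*"
'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<value>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg-style escaping (\\\\ -> \\, \\" -> \")."""
    return re.sub(r"\\(.)", r"\1", s)


def check_associations(dump: str) -> dict:
    """Return {class: (status, actual)} with status ok | mismatch | missing."""
    seen, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            parts = km.group("key").split("\\")
            # Only HKEY_CLASSES_ROOT\<class>\shell\open\command keys are of interest.
            is_open_cmd = len(parts) >= 5 and [p.lower() for p in parts[-3:]] == ["shell", "open", "command"]
            current = parts[1].lower() if is_open_cmd else None
            continue
        vm = DEFAULT_VALUE_RE.match(line)
        if vm and current:
            seen[current] = _unescape(vm.group("value"))
    result = {}
    for cls, expected in EXPECTED.items():
        if cls not in seen:
            result[cls] = ("missing", None)      # not in the dump; scan did not cover it
        elif seen[cls].strip().lower() == expected.lower():
            result[cls] = ("ok", seen[cls])
        else:
            result[cls] = ("mismatch", seen[cls])  # something was inserted in front of "%1"
    return result


def hijacked_classes(dump: str) -> list:
    """Classes whose open command differs from the stock value."""
    return sorted(cls for cls, (status, _) in check_associations(dump).items() if status == "mismatch")


if __name__ == "__main__":
    for cls, (status, actual) in check_associations(SAMPLE_DUMP).items():
        print(f"{cls:8} {status:8} {actual!r}")
```

A mismatch is worth reading, not auto-fixing: some legitimate tools register themselves here as well, so the right reaction is to look at what binary was inserted before `"%1"` and where it lives.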

Hi Jean,

Here are the results of the scans. Also, just an observation: every time I go to this forum topic I get a popup to install AVSystemCare, so it must be monitoring all the websites I go to.

Main.txt:

Deckard's System Scanner v20070729.57

Run by mummy on 2007-07-31 at 21:37:20

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

32: 2007-07-31 20:37:39 UTC - RP32 - Deckard's System Scanner Restore Point

31: 2007-07-30 20:57:10 UTC - RP31 - System Checkpoint

30: 2007-07-29 09:46:56 UTC - RP30 - System Checkpoint

29: 2007-07-27 22:28:00 UTC - RP29 - Removed SHReK the THiRD

28: 2007-07-27 05:56:03 UTC - RP28 - System Checkpoint

-- First Restore Point --

1: 2007-06-19 09:48:41 UTC - RP1 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as mummy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:25:39, on 29/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&...&channel=uk

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Digital Line Detect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.pandasoftware.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} - https://dbrasweb-ha1.uk.db.com/llclient/dbr...java+AXXPEE.dll

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O17 - HKLM\System\CS1\Services\Tcpip\..\{263AF750-26A8-487E-BC4F-749885C49852}: NameServer = 212.104.130.9,212.104.130.65

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 9839 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys

R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys

S2 Nbf (NetBEUI Protocol) - c:\windows\system32\drivers\nbf.sys (file missing)

S3 CO_Mon - c:\windows\system32\drivers\co_mon.sys

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

-- Scheduled Tasks -------------------------------------------------------------

2007-07-27 18:30:00 350 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (MIMIFIFI-mummy).job

2007-07-23 11:51:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

2007-05-30 17:57:34 402 --ah----- C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job

-- Files created between 2007-06-30 and 2007-07-31 -----------------------------

2007-07-29 18:17:31 8576 --a------ C:\WINDOWS\system32\drivers\wintbdtrsnvt.sys <Not Verified; Panda Software International; RKPavProc Driver>

2007-07-29 17:45:40 0 d-------- C:\WINDOWS\ERUNT

2007-07-29 10:14:13 2980 --a------ C:\WINDOWS\system32\tmp.reg

2007-07-27 23:43:57 0 d-------- C:\!KillBox

2007-07-26 21:01:36 0 d-------- C:\WINDOWS\system32\ActiveScan

2007-07-26 02:26:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com

2007-07-26 02:17:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities

2007-07-26 02:17:58 0 d--h----- C:\Documents and Settings\Administrator\Application Data\Gtek

2007-07-26 02:17:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\Corel

2007-07-26 02:17:58 0 d-------- C:\Documents and Settings\Administrator\Application Data\AOL

2007-07-26 02:17:57 0 dr------- C:\Documents and Settings\Administrator\Favorites

2007-07-26 02:17:57 0 d-------- C:\Documents and Settings\Administrator\Desktop

2007-07-26 02:17:57 0 d--hs---- C:\Documents and Settings\Administrator\Cookies

2007-07-26 02:17:57 0 dr-h----- C:\Documents and Settings\Administrator\Application Data

2007-07-26 02:17:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver

2007-07-26 02:17:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec

2007-07-26 02:17:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\Sun

2007-07-26 02:17:57 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft

2007-07-26 02:17:56 0 d--h----- C:\Documents and Settings\Administrator\NetHood

2007-07-26 02:17:56 0 dr------- C:\Documents and Settings\Administrator\My Documents

2007-07-26 02:17:56 0 d--h----- C:\Documents and Settings\Administrator\Local Settings

2007-07-26 02:17:55 0 d--h----- C:\Documents and Settings\Administrator\Templates

2007-07-26 02:17:55 0 dr------- C:\Documents and Settings\Administrator\Start Menu

2007-07-26 02:17:55 0 dr-h----- C:\Documents and Settings\Administrator\SendTo

2007-07-26 02:17:55 0 dr-h----- C:\Documents and Settings\Administrator\Recent

2007-07-26 02:17:55 0 d--h----- C:\Documents and Settings\Administrator\PrintHood

2007-07-26 02:17:53 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

2007-07-26 02:09:08 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com

2007-07-26 02:08:37 0 d-------- C:\Program Files\SUPERAntiSpyware

2007-07-26 02:08:36 0 d-------- C:\Documents and Settings\mummy\Application Data\SUPERAntiSpyware.com

2007-07-26 02:08:09 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-07-26 02:05:10 0 d-------- C:\Downloads

2007-07-26 02:05:10 0 d-------- C:\Bases

2007-07-26 02:01:44 0 d-------- C:\Kaspersky

2007-07-26 01:47:05 0 d-------- C:\HJT

2007-07-26 01:43:11 0 d-------- C:\Program Files\RogueRemover

2007-07-23 14:47:30 0 d-------- C:\Program Files\iPod

2007-07-23 14:47:14 0 d-------- C:\Program Files\iTunes

2007-07-19 19:25:58 0 d-------- C:\WINDOWS\system32\LogFiles

2007-07-15 10:58:15 0 d-------- C:\Program Files\Activision

2007-07-15 10:47:37 0 d--hs---- C:\WINDOWS\ftpcache

2007-07-09 14:49:36 0 d-------- C:\Program Files\Common Files\Apple

2007-07-09 14:49:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple

-- Find3M Report ---------------------------------------------------------------

2007-07-31 09:38:59 0 d-------- C:\Program Files\Mozilla Thunderbird

2007-07-29 19:06:11 0 d-------- C:\Program Files\Norton 360

2007-07-29 19:01:07 0 d-------- C:\Program Files\Google

2007-07-29 19:01:06 0 d-------- C:\Program Files\Digital Line Detect

2007-07-29 19:00:04 0 d-------- C:\Program Files\Common Files\Symantec Shared

2007-07-28 18:46:22 0 d-------- C:\Program Files\MSN Messenger

2007-07-26 02:08:09 0 d-------- C:\Program Files\Common Files

2007-07-23 14:37:04 0 d-------- C:\Program Files\QuickTime

2007-07-15 10:59:48 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-06-20 00:27:01 0 d-------- C:\Documents and Settings\mummy\Application Data\Symantec

2007-06-19 21:15:29 0 d-------- C:\Program Files\The Learning Company

2007-06-18 22:18:29 2102 --a------ C:\WINDOWS\system32\zfkxwg_navps.dat

2007-06-18 22:17:46 6690 --a------ C:\WINDOWS\system32\zfkxwg.dat

2007-06-18 21:52:38 0 d-------- C:\Program Files\Symantec

2007-06-17 16:04:32 0 d-------- C:\Program Files\Harry Potter Creative CD

2007-06-13 05:52:23 0 d-------- C:\Documents and Settings\mummy\Application Data\DeepBurner

2007-06-13 05:24:04 0 d-------- C:\Program Files\Astonsoft

2007-05-31 15:50:54 0 d-------- C:\Program Files\Kelloggs Art Attack

2007-05-31 09:32:09 29696 --a------ C:\WINDOWS\mickey32.dll <Not Verified; MacSourcery; Mickey DLL>

2007-05-31 09:32:09 362880 --a------ C:\WINDOWS\Bobsaver.scr <Not Verified; MacSourcery; ScreenTime for Flash>

2007-05-31 09:32:09 638428 --a------ C:\WINDOWS\Bobsaver.exe <Not Verified; Macromedia, Inc.; Shockwave Flash>

2007-05-25 12:26:00 262293 --a------ C:\WINDOWS\system32\zfkxwg_nav.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [14/10/2005 20:49]

"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [14/10/2005 20:46]

"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [14/10/2005 20:50]

"SigmatelSysTrayApp"="stsystra.exe" [24/03/2006 23:30 C:\WINDOWS\stsystra.exe]

"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/03/2006 18:48]

"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [19/12/2005 15:08]

"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [08/09/2005 05:20]

"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [03/11/2005 10:12]

"snp2std"="C:\WINDOWS\vsnp2std.exe" [16/08/2005 21:54]

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [15/03/2007 04:10]

"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [12/03/2007 18:30]

"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 23:46]

"byidsn"="c:\windows\system32\byidsn.exe" [28/07/2007 17:07]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" []

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [29/05/2007 21:55]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [19/01/2007 12:54]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [01/08/2006 00:16:04]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 21:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

*Newly Created Service* - COMHOST

-- End of Deckard's System Scanner: finished at 2007-07-31 at 21:40:06 ---------

Extra.txt:

Deckard's System Scanner v20070729.57

Extra logfile - please post this as an attachment with your post.

--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0

Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.60GHz

Percentage of Memory in Use: 81%

Physical Memory (total/avail): 503.37 MiB / 94.41 MiB

Pagefile Memory (total/avail): 1228.72 MiB / 911.17 MiB

Virtual Memory (total/avail): 2047.88 MiB / 1965.63 MiB

C: is Fixed (NTFS) - 52.68 GiB total, 32.81 GiB free.

D: is Fixed (NTFS) - 18.61 GiB total, 16.28 GiB free.

E: is CDROM (No Media)

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.

Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton 360 v2007 (SYMANTEC Corporation)

AV: Norton 360 v2007 (SYMANTEC Corperation)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"

"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"

"C:\\Program Files\\AOL 9.0\\waol.exe"="C:\\Program Files\\AOL 9.0\\waol.exe:*:Enabled:AOL"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\mummy\Application Data

CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip

CLIENTNAME=Console

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=MIMIFIFI

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\mummy

LOGONSERVER=\\MIMIFIFI

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\QuickTime\QTSystem\

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel

PROCESSOR_LEVEL=6

PROCESSOR_REVISION=0d08

ProgramFiles=C:\Program Files

PROMPT=$P$G

QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip

SESSIONNAME=Console

SonicCentral=C:\Program Files\Common Files\Sonic Shared\Sonic Central\

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\mummy\LOCALS~1\Temp

TMP=C:\DOCUME~1\mummy\LOCALS~1\Temp

USERDOMAIN=MIMIFIFI

USERNAME=mummy

USERPROFILE=C:\Documents and Settings\mummy

windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

mummy (admin)

Ruthie

Henry

Mary

Simon (admin)

Administrator (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {075473F5-846A-448B-BCB3-104AA1760205}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {AB708C9B-97C8-4AC9-899B-DBF226AC9382}

--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {B12665F4-4E93-4AB4-B7FC-37053B524629}

--> Dummy

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}

Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"

Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete

Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}

Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log

Adobe


I think we have it! Simon, it is possibly monitoring every keystroke you make. That is why you must change all passwords for all accounts at any web site with sensitive data: banking, bill paying, etc.

rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

Look for the bolded file and delete it if found. Also look in Add/Remove Programs to see if you installed PCHealth; do this first, before deleting the file, and if it's there, uninstall it. If you can't find the file, follow the instructions below.

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

While you're in Add/Remove, uninstall your way-outdated and dangerous Adobe Reader. The current version is 8; what you're using is a security risk. Let me know how this works.


Hi Jean,

Thanks for your reply. Yes I found the file and deleted it. However it confused me as the date modified was sometime in 2004 along with a load of other files. I also noted there was a pchealth directory under c:\windows with loads of directories and files in it. We never installed pchealth so I wonder if it was already there from this Dell laptop prebuild ghost image.

Anyway, the popups are still occurring now whilst I am typing this.

Back to the drawing board?

Regards

Simon


OK Simon, fresh eyes on your logs and bigger brain. :D

We need you to scan the following files at this site http://www.virustotal.com/

C:\WINDOWS\system32\zfkxwg_nav.dat

C:\WINDOWS\system32\zfkxwg_navps.dat

C:\WINDOWS\system32\zfkxwg.dat

c:\windows\system32\byidsn.exe

c:\windows\system32\drivers\co_mon.sys

C:\WINDOWS\system32\tmp.reg

Download GMER from here:

http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe

Click the rootkit-tab and click scan.

Once done, click the Copy button.

This will copy the results to clipboard.

Paste the results in your next reply.

If you're having problems with running GMER.exe, try it in safe mode.

This tool works in safe mode; other rootkit revealers don't.

Then run a full scan with http://free.grisoft.com/doc/28415/lng/us/tpl/v5.

Post a new HJT log. Also be sure to let me know what the Virus Total scan says and the others.

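The helper picked byidsn.exe and the zfkxwg*.dat files out of the DSS log by eye. The script below is an added example, not code from this thread, from DSS, HijackThis or any other tool mentioned here; it applies the same signals (an autorun or file sitting directly in a system directory, a date close to the scan, a machine-generated-looking name, no vendor information) to constructed lines in the DSS format, with SYSTEM_DIRS, KNOWN_GOOD and RECENT_DAYS as assumed tuning values.

```python
"""Score autorun values and recently created files from a Deckard's System
Scanner (DSS) log. Added example for this thread, not code from DSS, HijackThis
or any tool the helpers mention; the known-good list is a constructed stand-in."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import List, Optional

# Constructed sample in the shape of the thread's DSS output: Registry Dump
# "Run" values, then Find3M-style file records (one with no vendor info).
SAMPLE_LOG = r'''
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [14/10/2005 20:49]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [15/03/2007 04:10]
"byidsn"="c:\windows\system32\byidsn.exe" [28/07/2007 17:07]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00]
2007-06-18 22:18:29 2102 --a------ C:\WINDOWS\system32\zfkxwg_navps.dat
2007-05-31 09:32:09 29696 --a------ C:\WINDOWS\mickey32.dll <Not Verified; MacSourcery; Mickey DLL>
2007-07-29 18:17:31 8576 --a------ C:\WINDOWS\system32\drivers\wintbdtrsnvt.sys <Not Verified; Panda Software International; RKPavProc Driver>
'''
SCAN_DATE = date(2007, 7, 31)  # from the DSS "finished at" footer

RUN_RE = re.compile(r'^"[^"]+"="(?P<path>[^"]*)" \[(?P<ts>\d{2}/\d{2}/\d{4})?')
FILE_RE = re.compile(r'^(?P<ts>\d{4}-\d{2}-\d{2}) \S+ \d+ \S+ (?P<path>.+?)(?: <(?P<info>[^>]*)>)?$')
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
KNOWN_GOOD = {"ctfmon.exe", "igfxtray.exe", "hkcmd.exe", "igfxpers.exe"}  # constructed
RECENT_DAYS = 60

@dataclass
class Record:
    kind: str             # "run" (autorun value) or "file" (file listing)
    path: str
    when: Optional[date]
    info: Optional[str]   # the <vendor; description> text DSS prints, if any
    score: int = 0
    reasons: List[str] = field(default_factory=list)

def parse_log(text: str) -> List[Record]:
    """Turn Run values and file-listing lines into Records; ignore the rest."""
    records = []
    for line in text.splitlines():
        if m := RUN_RE.match(line):
            ts = m.group("ts")
            when = datetime.strptime(ts, "%d/%m/%Y").date() if ts else None
            records.append(Record("run", m.group("path"), when, None))
        elif m := FILE_RE.match(line):
            when = datetime.strptime(m.group("ts"), "%Y-%m-%d").date()
            records.append(Record("file", m.group("path"), when, m.group("info")))
    return records

def looks_random(filename: str) -> bool:
    """Crude test for generated names like byidsn or zfkxwg: few vowels or a long
    consonant run. Noisy alone (ctfmon trips it too), so it adds one point only."""
    letters = re.sub(r"[^a-z]", "", filename.rsplit(".", 1)[0].lower())
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowels / len(letters) < 0.2 or longest_run >= 5

def score(rec: Record, scan_date: date) -> Record:
    """One point per independent signal; known-good names are not scored."""
    folder, _, name = rec.path.lower().rpartition("\\")
    if name in KNOWN_GOOD:
        return rec
    recent = rec.when is not None and (scan_date - rec.when).days <= RECENT_DAYS
    signals = [
        (folder in SYSTEM_DIRS, "sits directly in a system directory"),
        (recent, f"dated within {RECENT_DAYS} days of the scan"),
        (looks_random(name), "name looks machine-generated"),
        (rec.kind == "file" and rec.info is None, "no version or vendor information"),
    ]
    rec.reasons = [why for hit, why in signals if hit]
    rec.score = len(rec.reasons)
    return rec

def triage(text: str, scan_date: date, threshold: int = 2) -> List[Record]:
    """Records worth submitting to a scanner such as VirusTotal, highest first."""
    scored = [score(r, scan_date) for r in parse_log(text)]
    return sorted((r for r in scored if r.score >= threshold), key=lambda r: r.score, reverse=True)

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, SCAN_DATE):
        print(rec.score, rec.path, "|", "; ".join(rec.reasons), "|", rec.info)
```

On these signals alone the Panda ActiveScan driver scores as high as byidsn.exe; the vendor field carried through to the result is what lets an analyst clear it, which is why a score like this only decides what to submit to a scanner, never what to delete.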

Hi Jean,

I have scanned 4 of the files so far, but have to go to work so will do the rest tonight as well as GMER scan, but thought I would mention that the file:

c:\windows\system32\byidsn.exe

had the following results, all others were clean so far:

Antivirus Version Last Update Result

AhnLab-V3 2007.7.31.1 2007.08.01 -

AntiVir 7.4.0.54 2007.07.31 HEUR/Malware

Authentium 4.93.8 2007.07.31 -

Avast 4.7.1029.0 2007.07.31 -

AVG 7.5.0.476 2007.07.31 -

BitDefender 7.2 2007.08.01 -

CAT-QuickHeal 9.00 2007.07.31 (Suspicious) - DNAScan

ClamAV 0.91 2007.08.01 -

DrWeb 4.33 2007.07.31 -

eSafe 7.0.15.0 2007.07.31 -

eTrust-Vet 31.1.5021 2007.08.01 -

Ewido 4.0 2007.07.31 -

FileAdvisor 1 2007.08.01 -

Fortinet 2.91.0.0 2007.08.01 -

F-Prot 4.3.2.48 2007.07.31 -

F-Secure 6.70.13030.0 2007.07.31 -

Ikarus T3.1.1.8 2007.08.01 -

Kaspersky 4.0.2.24 2007.08.01 -

McAfee 5087 2007.07.31 -

Microsoft 1.2704 2007.08.01 -

NOD32v2 2430 2007.07.31 -

Norman 5.80.02 2007.07.31 -

Panda 9.0.0.4 2007.08.01 -

Rising 19.34.21.00 2007.08.01 -

Sophos 4.19.0 2007.08.01 -

Sunbelt 2.2.907.0 2007.07.31 -

Symantec 10 2007.08.01 -

TheHacker 6.1.7.160 2007.08.01 -

VBA32 3.12.2.2 2007.07.31 -

VirusBuster 4.3.26:9 2007.07.31 -

Webwasher-Gateway 6.0.1 2007.08.01 Heuristic.Malware


That makes me think I am correct in thinking you have a new variant, since it is not well detected. I know you're probably sick of scans and file submissions, but we have just implemented a file upload system. A new program is being developed also, and submissions will be great to build the database, plus we might just cure you. http://uploads.malwarebytes.org/ If you want to submit all those there too, it would be wonderful.

