Scansy Posted February 19, 2008 ID:13379 Share Posted February 19, 2008 Hello all. I have been experiencing annoying pop-ups (even with pop-blockers in use). They have been for all kinds of stuff, including warnings about virus threats so download our software, etc. Norton is finding regular attacks from Downloader.MisleadApp and stopping them. The problems started shortly after I upgraded to Norton Internet Security 2008 (from 2007).Here is my Hijackthis log.Thanks in advance for any help.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 12:32:19 PM, on 2/19/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\system32\crypserv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\System32\WFXSVC.EXEC:\Program Files\WinFax\WFXMOD32.EXEC:\WINDOWS\System32\MsPMSPSv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\BCMSMMSG.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\Creative\SBLive\Diagnostics\diagent.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exeC:\PROGRA~1\WinFax\WFXSWTCH.exeC:\WINDOWS\system32\wfxsnt40.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exeC:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exeC:\Program Files\SmartDisk\FlashPath\sdstat.exeC:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\WINDOWS\system32\mrtMngr.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\Program Files\Common Files\Symantec Shared\Privacy Control\ccEmFlSv.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywayR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {5B8D7726-E61D-403D-B9C4-FB30463806Eb} - C:\WINDOWS\system32\pplywarx.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\gebyy.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO2 - BHO: (no name) - {B8C5186E-EC37-4889-9C2E-F73649FFB7BB} - C:\Program Files\Video ActiveX Access\iesplg.dll (file missing)O2 - BHO: (no name) - {F2FA09FB-EE7A-46d8-9145-A1EEF7850052} - C:\WINDOWS\system32\mlljj.dll (file missing)O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dllO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startupO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeO4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exeO4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exeO4 - HKLM\..\Run: [crqh32.exe] C:\WINDOWS\system32\crqh32.exeO4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exeO4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exeO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\winlogon.exeO4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exeO4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video ActiveX Access\imsmain.exeO4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exeO4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exeO4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeO4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZZO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cabO16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cabO16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cabO16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocxO16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocxO16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocxO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games/files...aploader_v6.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...379/mcfscan.cabO16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocxO18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\SYSTEM32\hsppp.dllO20 - Winlogon Notify: gebyy - C:\WINDOWS\system32\gebyy.dllO20 - Winlogon Notify: mlljj - mlljj.dll (file missing)O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exeO23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: hpdj - Unknown owner - C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\hpdj.exe (file missing)O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXEO23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
JeanInMontana Posted February 19, 2008 ID:13380 Share Posted February 19, 2008 Hi Scansy and welcome to Malwarebytes. Please follow the instructions here http://www.malwarebytes.org/forums/index.php?showtopic=2936 Link to post Share on other sites More sharing options...
Scansy Posted February 20, 2008 Author ID:13464 Share Posted February 20, 2008 Thanks Jean. I will do all of that first. Link to post Share on other sites More sharing options...
Scansy Posted February 20, 2008 Author ID:13476 Share Posted February 20, 2008 Here is the Malwarebytes log. I'll run the pandaactivescan nextMalwarebytes' Anti-Malware 1.04Database version: 385Scan type: Full Scan (A:\|C:\|D:\|)Objects scanned: 200005Time elapsed: 1 hour(s), 47 minute(s), 53 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 21Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 1Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\malwarealarm.webinstall (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\malwarealarm.webinstall.1 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{7543fbd5-2279-4d03-8f29-eb21531fa2fe} (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\ntservice.control.1 (BackDoor.Dimpy) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c} (BackDoor.Dimpy) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\atldistrib.atldistrib (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\atldistrib.atldistrib.1 (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\4301aebd288588a40833184cfec0af92 (Adware.UUSee) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4301aebd288588a40833184cfec0af92 (Adware.UUSee) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4301aebd288588a40833184cfec0af92 (Adware.UUSee) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\AppID\{4a3d609a-43b8-4406-b793-84f244246325} (Rogue.Multiple) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{ad8ec84e-600f-11d6-aec4-0000c0a675b5} (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{ad8ec852-600f-11d6-aec4-0000c0a675b5} (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{2137dab8-b070-11d2-ba72-0020afdd8935} (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{2137dabb-b070-11d2-ba72-0020afdd8935} (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\AppID\webinst.dll (Rogue.Multiple) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:C:\DOCUME~1\Paul Scansaroli\LOCALS~1\Temp\NI.UGA6P_0001_N120M1710 (Rogue.Multiple) -> Quarantined and deleted successfully.Files Infected:C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\NI.UGA6P_0001_N120M1710\settings.ini (Rogue.Multiple) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\basex232.dll (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\SYSTEM32\basex32.dll (Trojan.Downloader) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
Scansy Posted February 21, 2008 Author ID:13509 Share Posted February 21, 2008 Here is the pandaactivescan logNow I will move on to the hijack this scanIncident Status Location Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UGA6P_0001_N120M1710NetInstaller.exe Adware:adware/wupd Not disinfected c:\program files\Windows AdStatus Dialer:dialer.bb Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\run\tibs5 Virus:trj/downloader.coy Disinfected Operating system Adware:adware/beginto Not disinfected Windows Registry Spyware:spyware/media-motor Not disinfected Windows Registry Adware:adware/ieplugin Not disinfected Windows Registry Adware:adware/wintools Not disinfected Windows Registry Spyware:spyware/betterinet Not disinfected Windows Registry Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@247realmedia[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@ad.yieldmanager[2].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@ads.pointroll[1].txt Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@advancedcleaner[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@advertising[2].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@apmebf[2].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@atdmt[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@fastclick[2].txt Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@findwhat[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@mediaplex[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@overture[1].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@realmedia[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@server.iad.liveperson[2].txt Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@stat.onestat[2].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@trafficmp[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@tribalfusion[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@www.burstbeacon[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@ad.yieldmanager[1].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@adrevolver[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@advertising[1].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@apmebf[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@atdmt[2].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@casalemedia[1].txt Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@counter.hitslink[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@doubleclick[2].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@fastclick[2].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@mediaplex[1].txt Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@statse.webtrendslive[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temp\Cookies\paul scansaroli@tribalfusion[1].txt Potentially unwanted tool:Application/AVSystemCare Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temporary Internet Files\Content.IE5\H01KLD5F\installer_en[1].cab[uGDC_0001_N122M0502NetInstaller.exe] Adware:Adware/ErrClean Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temporary Internet Files\Content.IE5\WJFJ5DH0\setup_en[1].cab[uGES_0001_N122M0502NetInstaller.exe] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Shelly Scansaroli\Cookies\shelly scansaroli@ehg-dig.hitbox[2].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Shelly Scansaroli\Cookies\shelly scansaroli@go[2].txt Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe Spyware:Cookie/Weborama Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1032.txt Spyware:Cookie/Winantivirus Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1042.txt Spyware:Cookie/BurstBeacon Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1116.txt Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc118.txt Spyware:Cookie/myaffiliateprogram Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1222.txt Spyware:Cookie/Xiti Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1335.txt Spyware:Cookie/Yadro Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1338.txt Spyware:Cookie/Zedo Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc1345.txt Spyware:Cookie/YieldManager Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc154.txt Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc161.txt Spyware:Cookie/AdDynamix Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc162.txt Spyware:Cookie/PointRoll Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc167.txt Spyware:Cookie/Advertising Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc171.txt Spyware:Cookie/Apmebf Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc196.txt Spyware:Cookie/Atlas DMT Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc208.txt Spyware:Cookie/Bluestreak Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc241.txt Spyware:Cookie/bravenetA Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc249.txt Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc255.txt Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc276.txt Spyware:Cookie/Ccbill Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc287.txt Spyware:Cookie/Cgi-bin Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc294.txt Spyware:Cookie/Cgi-bin Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc295.txt Spyware:Cookie/Com.com Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc320.txt Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc333.txt Spyware:Cookie/Hitslink Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc334.txt Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc387.txt Spyware:Cookie/DriveCleaner Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc392.txt Spyware:Cookie/Hitbox Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc418.txt Spyware:Cookie/FastClick Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc467.txt Spyware:Cookie/Go Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc500.txt Spyware:Cookie/GoStats Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc507.txt Spyware:Cookie/Screensavers Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc546.txt Spyware:Cookie/Mediaplex Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc642.txt Spyware:Cookie/Overture Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc730.txt Spyware:Cookie/Overture Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc744.txt Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc776.txt Spyware:Cookie/Searchportal Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc844.txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc846.txt Spyware:Cookie/Serving-sys Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc848.txt Spyware:Cookie/Sextracker Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc853.txt Spyware:Cookie/SpyLog Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc880.txt Spyware:Cookie/onestat.com Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc884.txt Spyware:Cookie/Statcounter Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc885.txt Spyware:Cookie/Reliablestats Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc889.txt Spyware:Cookie/WebtrendsLive Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc891.txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc965.txt Spyware:Cookie/Tribalfusion Not disinfected C:\RECYCLER\S-1-5-21-1941108434-3882185040-454733581-1008\Dc970.txt Possible Virus. Not disinfected C:\WINDOWS\Downloaded Program Files\UPRP_0001_D21M2103NetInstaller.exe Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\SYSTEM32\Process.exe Link to post Share on other sites More sharing options...
Scansy Posted February 21, 2008 Author ID:13510 Share Posted February 21, 2008 Here is the hijack this log.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 4:28:54 AM, on 2/21/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\system32\crypserv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\System32\WFXSVC.EXEC:\Program Files\WinFax\WFXMOD32.EXEC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\BCMSMMSG.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\Creative\SBLive\Diagnostics\diagent.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exeC:\PROGRA~1\WinFax\WFXSWTCH.exeC:\WINDOWS\system32\wfxsnt40.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exeC:\Program Files\SmartDisk\FlashPath\sdstat.exeC:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeC:\WINDOWS\system32\mrtMngr.EXEC:\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywayR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: (no name) - {5B8D7726-E61D-403D-B9C4-FB30463806Eb} - C:\WINDOWS\system32\pplywarx.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dllO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startupO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeO4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exeO4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exeO4 - HKLM\..\Run: [crqh32.exe] C:\WINDOWS\system32\crqh32.exeO4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exeO4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exeO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKLM\..\RunOnce: [spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheckO4 - HKLM\..\RunOnce: [spybotDeletingA4710] command /c del "C:\WINDOWS\SYSTEM32\gebyy.dll_old"O4 - HKLM\..\RunOnce: [spybotDeletingC3755] cmd /c del "C:\WINDOWS\SYSTEM32\gebyy.dll_old"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exeO4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exeO4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeO4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZZO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cabO16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cabO16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocxO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocxO16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocxO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games/files...aploader_v6.cabO16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...379/mcfscan.cabO16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocxO18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\SYSTEM32\hsppp.dllO20 - Winlogon Notify: mlljj - mlljj.dll (file missing)O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exeO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exeO23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: hpdj - Unknown owner - C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\hpdj.exe (file missing)O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXEO23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
JeanInMontana Posted February 21, 2008 ID:13520 Share Posted February 21, 2008 OK, good work so far. You have/had a serious mess of nasty stuff. We still have work to do.Please set your system to show all files; Click Start.Open My Computer.Select the Tools menu and click Folder Options.Select the View Tab.Under the Hidden files and folders heading select Show hidden files and folders.Uncheck the Hide protected operating system files (recommended) option.Click Yes to confirm.Click OK.Go to Add/Remove programs and uninstall WinStat. Also Adobe as it is an outdated and unsafe version you have. Current version is 8.Now navigate to Program files and look for any associated folders and delete them. You can reinstall Adobe at your leisure. Please run HJT again and put a check next to these items then click fix.O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {5B8D7726-E61D-403D-B9C4-FB30463806Eb} - C:\WINDOWS\system32\pplywarx.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exeO8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZZO15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)O20 - Winlogon Notify: mlljj - mlljj.dll (file missing)O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\hpdj.exe (file missing)O23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
Scansy Posted February 21, 2008 Author ID:13529 Share Posted February 21, 2008 Jean, when I go into add/remove programs - I do not see WinStat? Link to post Share on other sites More sharing options...
JeanInMontana Posted February 26, 2008 ID:13844 Share Posted February 26, 2008 OMG I am so sorry for not getting back to you before now. I don't know how I missed you. O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe <=========== that is the bad line, and the program maybe AdStatus? Or Windows AdSatus, find that and uninstall delete any files associated and post a new HJT. Again I am so sorry. Give me some feed back too. It's been a few days since this how are things now? Link to post Share on other sites More sharing options...
Scansy Posted March 10, 2008 Author ID:14606 Share Posted March 10, 2008 Jean,I was surprised to find "A Plea for Help" locked, so I am starting another thread - basically picking up where it left off.I removed the old Adobe - but still cannot find the winstat/adstatus/winadstatus????I ran another HJT and removed the items you listed and then rebooted.Then, I tried the two links you provided, but couldn't get either of them to work. Any suggestions?Scansy Link to post Share on other sites More sharing options...
JeanInMontana Posted March 10, 2008 ID:14613 Share Posted March 10, 2008 Hi Scansy. We close dormant topics in this forum after 5 days of no reply usually. It is to keep others from posting into it. Your last reply was the 21st of Feb. I will need you to start all over please with a new full C:/ scan from MBAM after you update and one from Panda please. Also a new HJT log after both other scans have been done and all found malware removed. Link to post Share on other sites More sharing options...
Scansy Posted March 13, 2008 Author ID:14729 Share Posted March 13, 2008 Jean,Sorry about the delay in replies - been busy with business. I will try to follow up more quickly. I will start at the beginning and post again.Scansy Link to post Share on other sites More sharing options...
JeanInMontana Posted March 13, 2008 ID:14734 Share Posted March 13, 2008 OK Scansy. It is to your advantage to proceed with the most speed possible, this stuff has a tendency to update as fast as the tools we use to remove if not faster. I know that isn't always possible. Link to post Share on other sites More sharing options...
Scansy Posted March 13, 2008 Author ID:14755 Share Posted March 13, 2008 Thanks for all your help. I ran the three initial scans all today, one after the other.Here Link to post Share on other sites More sharing options...
JeanInMontana Posted March 14, 2008 ID:14814 Share Posted March 14, 2008 Well we are making progress. But still have work to do. Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix. Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe * Double-click SmitfraudFix.exe * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Double-click SmitfraudFix.exe * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt * Optional: o To restore Trusted and Restricted site zone, select 3 and hit Enter. o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Link to post Share on other sites More sharing options...
Scansy Posted March 17, 2008 Author ID:14917 Share Posted March 17, 2008 Thanks Jean.I did all of that and here is the rapport.txt file.SmitFraudFix v2.305Scan done at 7:29:32.14, Mon 03/17/2008Run from C:\Documents and Settings\Paul Scansaroli\Desktop\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode Link to post Share on other sites More sharing options...
JeanInMontana Posted March 17, 2008 ID:14935 Share Posted March 17, 2008 I need a new HJT log please and feed back on how your running. Link to post Share on other sites More sharing options...
Scansy Posted March 18, 2008 Author ID:14964 Share Posted March 18, 2008 The HJT log is below.The system is running better than it had been. I had been getting pop-ups even though I had both Google and IE blockers on. I still occasionally get redirected to other web sites when I click on links in web sites I'm browsing - if I search for something and then follow a link it will send me a web page to buy that thing I had been searching for - even if it wasn't something to buy - say I searched for a persons name. It would come up "Buy Joe Smith". But I can functionally use the web now - which is important to me as a self-employed mechanical engineer - I need to access product information on the web frequently.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 7:37:00 AM, on 3/18/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\system32\crypserv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\System32\WFXSVC.EXEC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\WinFax\WFXMOD32.EXEC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\BCMSMMSG.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\Creative\SBLive\Diagnostics\diagent.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exec:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exeC:\PROGRA~1\WinFax\WFXSWTCH.exeC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\WINDOWS\system32\wfxsnt40.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\SmartDisk\FlashPath\sdstat.exeC:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\mrtMngr.EXEC:\Program Files\Internet Explorer\iexplore.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywayR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dllO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startupO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeO4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exeO4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exeO4 - HKLM\..\Run: [crqh32.exe] C:\WINDOWS\system32\crqh32.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exeO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exeO4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exeO4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeO4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cabO16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cabO16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocxO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocxO16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocxO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games/files...aploader_v6.cabO16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...379/mcfscan.cabO16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocxO18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\SYSTEM32\hsppp.dllO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exeO23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXEO23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
JeanInMontana Posted March 19, 2008 ID:15054 Share Posted March 19, 2008 I still occasionally get redirected to other web sites when I click on links in web sites I'm browsing - if I search for something and then follow a link it will send me a web page to buy that thing I had been searching for - even if it wasn't something to buy - say I searched for a persons name. It would come up "Buy Joe Smith".Are they ad links in the first place? Like the Google adsense links in searches?Your Java is also outdated and should be updated go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.Another thing that will affect your performance is the amount of items you have at startup. Many are not needed to start with bootup. You probably also need basic maintenance, scandisk for errors and then defragging.Last but not least. Symantec should have found the dialer we are removing now. It's not new, and certainly not a desirable programRun HJT again in scan only and put a check next to thisO4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exeReboot to safe mode by tapping the F8 key constantly as soon as you reboot.Using Windows Explorer, locate the following files/folders, and delete them:C:\WINDOWS\System32\tibs5.exec:\windows\downloaded program files\UGA6P_0001_N120M1710NetInstaller.exe Exit Explorer, and reboot as normal afterwards.If you were unable to find any of the files then please follow these additional instructions:Download Pocket Killbox and unzip it; save it to your Desktop.Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.Let the system reboot.Now please follow these instructions:Please download this file: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe' rel="external nofollow">SDFix.exe * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum). * Finally paste the contents of the Report.txt back on the forum.Reboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.Update MBAM again and scan just C this will save you some time no point scanning D. Also please run another Panda scan and post both of these logs.Post back a fresh HijackThis log after all items are removed from the other scans please, and we will take another look.. Link to post Share on other sites More sharing options...
Scansy Posted March 20, 2008 Author ID:15098 Share Posted March 20, 2008 Jean,I will be traveling for the Easter weekend and will do this stuff when I return. I wanted to put a post on here before leaving so it will keep the thread active.Scansy Link to post Share on other sites More sharing options...
JeanInMontana Posted March 20, 2008 ID:15102 Share Posted March 20, 2008 Running SDFix takes about five minutes if that. Those lines I asked you to remove are able to dial a connection to the internet, if you use a dial up connection. It's your choice but when you don't stay with this and let things sit they tend to get harder to remove. Link to post Share on other sites More sharing options...
Scansy Posted March 24, 2008 Author ID:15216 Share Posted March 24, 2008 Jean,I did all of this - I had to use the Pocket Killbox to get rid of those files. The logs are below:Here is the log from SDFixSDFix: Version 1.160 Run by Administrator on Mon 03/24/2008 at 08:12 AMMicrosoft Windows XP [Version 5.1.2600]Running From: C:\SDFixChecking Services :Restoring Windows Registry ValuesRestoring Windows Default Hosts FileRebootingChecking Files : Trojan Files Found:C:\WINDOWS\SYSTEM32\MSGF.EXE - DeletedC:\WINDOWS\SYSTEM32\JAVANP32.DLL - DeletedC:\FE5.TMP - DeletedC:\FE8.TMP - DeletedC:\WINDOWS\Downloaded Program Files\UPRP_0001_D21M2103NetInstaller.exe - DeletedRemoving Temp FilesADS Check : Final Check :catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-03-24 08:24:53Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...scanning hidden services & system hive ...scanning hidden registry entries ...[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]"TracesProcessed"=dword:00000088"TracesSuccessful"=dword:00000003scanning hidden files ...scan completed successfullyhidden processes: 0hidden services: 0hidden files: 1Remaining Services :Authorized Application Key Export:[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\CDS\\TRACE700\\rteng7.exe"="C:\\CDS\\TRACE700\\rteng7.exe:*:Disabled:Adaptive Server Anywhere Database Engine""C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2""C:\\WINDOWS\\SYSTEM32\\mshta.exe"="C:\\WINDOWS\\SYSTEM32\\mshta.exe:*:Enabled:Microsoft ® HTML Application host""C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client""C:\\WINDOWS\\system32\\svchost.exe"="C:\\WINDOWS\\system32\\svchost.exe:*:Enabled:svchost""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"Remaining Files :File Backups: - C:\SDFix\backups\backups.zipFiles with Hidden Attributes :Sat 9 Aug 2003 49,237 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"Sat 9 Aug 2003 36,953 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"Sat 9 Aug 2003 40,960 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"Sat 9 Aug 2003 233,553 A..H. --- "C:\Program Files\America Online 9.0\waol.exe"Tue 29 May 2007 3,610,192 ...H. --- "C:\Program Files\Boggle\BoggleSA.exe"Thu 24 Jan 2008 3,274,056 ...H. --- "C:\Program Files\Caribbean Hideaway\CaribbeanHideaway.exe"Thu 10 Jan 2008 3,106,120 ...H. --- "C:\Program Files\Risk\RiskSA.exe"Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"Fri 10 Feb 2006 304,026 A.SH. --- "C:\RECYCLER\NPROTECT\01049730.BAK"Mon 30 Jan 2006 360,951 ..SH. --- "C:\WINDOWS\SYSTEM32\yybeg.tmp"Wed 8 Feb 2006 309,698 ..SH. --- "C:\WINDOWS\SYSTEM32\yybeg.bak1"Wed 20 Feb 2008 224,699 ..SH. --- "C:\WINDOWS\SYSTEM32\yybeg.bak2"Sat 19 Aug 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"Wed 8 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"Wed 8 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"Sun 4 Jan 2004 1,206 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"Sun 4 Jan 2004 12,368 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"Wed 23 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BITB0.tmp"Thu 16 Nov 2006 30,720 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Application Data\Microsoft\Word\~WRL0002.tmp"Fri 21 Jul 2006 0 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Application Data\Microsoft\Word\~WRL0948.tmp"Fri 11 May 2007 0 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Application Data\Microsoft\Word\~WRL2585.tmp"Sat 9 Aug 2003 111,824 A..H. --- "C:\Program Files\Common Files\aolshare\shell\us\shellext.dll"Sat 12 Mar 2005 8,140,800 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\Water System CTP Stuff\~WRL0138.tmp"Fri 25 Feb 2005 3,059,712 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\Water System CTP Stuff\~WRL1886.tmp"Thu 24 Feb 2005 1,874,432 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\Water System CTP Stuff\~WRL3702.tmp"Thu 24 Feb 2005 2,796,544 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\Water System CTP Stuff\~WRL3790.tmp"Wed 29 Jun 2005 460,288 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL0159.tmp"Wed 29 Jun 2005 457,728 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL0937.tmp"Wed 29 Jun 2005 462,336 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL0976.tmp"Wed 29 Jun 2005 460,288 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL1219.tmp"Wed 29 Jun 2005 459,264 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL1674.tmp"Wed 29 Jun 2005 460,288 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL1970.tmp"Wed 29 Jun 2005 460,800 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL2473.tmp"Wed 29 Jun 2005 455,168 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL3075.tmp"Wed 29 Jun 2005 459,264 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL3082.tmp"Wed 29 Jun 2005 459,264 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL3145.tmp"Wed 29 Jun 2005 461,312 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL3301.tmp"Wed 29 Jun 2005 413,184 ...H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Work\Centocor\NRP Commissioning stuff\Chiller commissioning plan\~WRL3750.tmp"Fri 24 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"Fri 24 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"Fri 24 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"Fri 24 Jun 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"Fri 17 Nov 2006 67,584 A..H. --- "C:\Documents and Settings\Paul Scansaroli\Paul Scansaroli's Documents\Side Work\Ron Franke Projects\Eagle Autobody\Radiant Heat Issues\Letter to Dave at Eagle Autobody 111706\~WRL0014.tmp"Finished!Here is the MBAM logMalwarebytes' Anti-Malware 1.09Database version: 528Scan type: Full Scan (C:\|)Objects scanned: 192691Time elapsed: 2 hour(s), 20 minute(s), 45 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)Here is the pandascan logIncident Status Location Adware:adware/wupd Not disinfected Windows Registry Adware:adware/beginto Not disinfected Windows Registry Spyware:spyware/media-motor Not disinfected Windows Registry Adware:adware/ieplugin Not disinfected Windows Registry Adware:adware/wintools Not disinfected Windows Registry Spyware:spyware/betterinet Not disinfected Windows Registry Adware:adware/exact.bargainbuddy Not disinfected Windows Registry Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@247realmedia[1].txt Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@ad.yieldmanager[2].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@adrevolver[1].txt Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@adrevolver[2].txt Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@ads.addynamix[2].txt Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@ads.pointroll[1].txt Spyware:Cookie/AdvancedCleaner Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@advancedcleaner[2].txt Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@anm.co[1].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@apmebf[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@atdmt[2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@bs.serving-sys[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@burstnet[1].txt Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@casalemedia[1].txt Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@counter.hitslink[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@doubleclick[1].txt Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@fastclick[2].txt Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@fe.lea.lycos[1].txt Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@findwhat[1].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@go[2].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@mediaplex[2].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@overture[1].txt Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@perf.overture[1].txt Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@questionmarket[1].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@realmedia[2].txt Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@revenue[2].txt Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@searchportal.information[2].txt Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@server.iad.liveperson[2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@serving-sys[1].txt Spyware:Cookie/Smartadserver Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@smartadserver[2].txt Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@stat.onestat[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@statcounter[1].txt Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@target[1].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@trafficmp[2].txt Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@tribalfusion[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@www.burstbeacon[1].txt Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul scansaroli@zedo[2].txt Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul_scansaroli@advertising[2].txt Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Paul Scansaroli\Cookies\paul_scansaroli@statse.webtrendslive[2].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paul Scansaroli\Desktop\SDFix.exe[sDFix\apps\Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paul Scansaroli\Desktop\SmitfraudFix\Process.exe Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Paul Scansaroli\Desktop\SmitfraudFix\Reboot.exe Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Paul Scansaroli\Desktop\SmitfraudFix\restart.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paul Scansaroli\Local Settings\Temporary Internet Files\Content.IE5\WJFJ5DH0\SDFix[1].exe[sDFix\apps\Process.exe] Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Shelly Scansaroli\Cookies\shelly scansaroli@ehg-dig.hitbox[2].txt Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Shelly Scansaroli\Cookies\shelly scansaroli@go[2].txt Possible Virus. Not disinfected C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\Setup.exe Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe Possible Virus. Not disinfected C:\SDFix\backups\backups.zip[backups/UPRP_0001_D21M2103NetInstaller.exe] Finally, here is the HJT Log.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 6:25:09 PM, on 3/24/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16608)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\ccProxy.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\WINDOWS\system32\spoolsv.exeC:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeC:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeC:\WINDOWS\System32\CTsvcCDA.exeC:\WINDOWS\system32\crypserv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Viewpoint\Common\ViewpointService.exeC:\WINDOWS\wanmpsvc.exeC:\WINDOWS\System32\WFXSVC.EXEC:\WINDOWS\System32\MsPMSPSv.exeC:\Program Files\WinFax\WFXMOD32.EXEC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exeC:\WINDOWS\BCMSMMSG.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\WINDOWS\System32\DSentry.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeC:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exeC:\Program Files\Creative\SBLive\Diagnostics\diagent.exeC:\PROGRA~1\WinFax\WFXSWTCH.exeC:\WINDOWS\system32\wfxsnt40.exec:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exeC:\Program Files\HP\hpcoretech\hpcmpmgr.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exeC:\Program Files\SmartDisk\FlashPath\sdstat.exeC:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeC:\Program Files\WinZip\WZQKPICK.EXEC:\WINDOWS\system32\mrtMngr.EXEC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXEC:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXEC:\Program Files\AutoCAD 2006\acad.exeC:\DOCUME~1\PAULSC~1\LOCALS~1\Temp\AdskCleanup.0001C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeC:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywayR3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dllO2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dllO3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dllO4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exeO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exeO4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startupO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exeO4 - HKLM\..\Run: [share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exeO4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeO4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\WinFax\WFXSWTCH.exeO4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exeO4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exeO4 - HKLM\..\Run: [crqh32.exe] C:\WINDOWS\system32\crqh32.exeO4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osbootO4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exeO4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exeO4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exeO4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXEO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cabO16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cabO16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cabO16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cabO16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocxO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocxO16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocxO16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games/files...aploader_v6.cabO16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h20264.www2.hp.com/ediags/hpfix/sj/.../qdiagh.cab?326O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...379/mcfscan.cabO16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocxO18 - Protocol: x-cnote - {8D32BA61-D15B-11D4-894B-000000000000} - C:\WINDOWS\SYSTEM32\hsppp.dllO23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exeO23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exeO23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exeO23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXEO23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exeO23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exeO23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXEO23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
JeanInMontana Posted March 26, 2008 ID:15283 Share Posted March 26, 2008 Hi again. You didn't run SDFix from the desktop. I didn't have that in the instructions, I am at fault there. Please delete the folders on C:/ for SDFix and download a fresh copy in case there have been updates. Make sure you save it to your desk top and run it from there.Post the log.You are running an outdated and unsafe version of Java. You need to uninstall it via Add/Remove programs and delete the program file also. Then go here http://java.sun.com/javase/downloads/index.jsp and install the correct version for your system. Choose the offline installation.Run HJT in scan only mode and put a check next to the following:O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://i.grab.com/media/6512bd/games/files...aploader_v6.cabO23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
Scansy Posted March 28, 2008 Author ID:15340 Share Posted March 28, 2008 Jean,I deleted the SDFix from C:/ and re-downloaded. I saved it to the desktop and I get an icon titled "sdfix.exe" When I double click on that, nothing happens. The only way for me to run it is to go to the c:/sdfix folder and run the batch file. Is this right?I will take care of Java and check back later.The computer is running better than when I first came to the site. Pop-ups are not happening. I had been getting weird advertising - not google or something I could identify. It was strange - if I searched for "dogs" in ask.com, and clicked on a link, instead of going to the page I linked to, it would go to a page with a buch of listings to buy dogs. This happend for anything I searched for. I would have to hit "back" and then re-click to go to the web page I wanted. Most of the time, the second time would take me where I wanted to go, but sometimes I would go back and forth three or four times until I got where I wanted to be. This was not in pop-up windows either - it was all in the base window. None of that is happening anymore.Also, I did get the usual pop-ups - for free smileys, wallpapers, etc. Also products like viagara and such. Again, none of that seems to be happening anymore.I am happy with my computer's performance right now, but want to get it as clean as possible. It's a couple of years old so probably has a lot of stuff on it. I would love to buy a new one, but just started my own business a year ago and it's not in the cards for a new one right now. Link to post Share on other sites More sharing options...
JeanInMontana Posted March 28, 2008 ID:15351 Share Posted March 28, 2008 Please download this file: SDFix.exehttp://downloads.andymanchesta.com/RemovalTools/SDFix.exe' rel="external nofollow"> and save it to your desktop. Double click SDFix.exe and choose Install to extract it to itsown folder on the Desktop. Please then reboot your computer in SafeMode by doing the following : * Restart your computer * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually; * Instead of Windows loading as normal, the Advanced Options Menu should appear; * Select the first option, to run Windows in Safe Mode, then press Enter. * Choose your usual account. * Open the extracted SDFix folder and double click RunThis.bat to start the script. * Type Y to begin the cleanup process. * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot. * Press any Key and it will restart the PC. * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. * Finally copy and paste the contents of the results file Report.txt with a new HijackThis logReboot your system in Normal Mode. Then post the SDFix log and a new HJT log please.As per instructions, you should not have a folder on C. When you extract, it should be extracted to the desktop. You can move it from C to the desktop.Remove this line using HJT in scan only mode.O23 - Service: Remote Procedure Call (RPC) Helper ( Link to post Share on other sites More sharing options...
Recommended Posts