"worm.win32.netbooster2" LOG FILES. Help Please.

[hendu3270]

Ok, I'm running the scans and will post up the first log file right after lunch. This whole ordeal has really got me in an un-trusting mind set. I hope this is on the level.

Chris

[JeanInMontana]

Hi Chris and welcome to Malwarebytes. By on the level are you referring to the help you will get here? Why are you running the scans? The more information you give the better someone can help you.

[hendu3270]

Hi Chris and welcome to Malwarebytes. By on the level are you referring to the help you will get here? Why are you running the scans? The more information you give the better someone can help you.

By "on the level" I just meant I hope this is for real and this will get the problem fixed, (wasn't meaning to offend). Oh and I'm running the scans because I'm trying to follow the directions in the thread you provided. I've got the Spybot done, and actually the "pop ups" have already stopped. Those were happening about every two or three minutes.

[JeanInMontana]

We do the best we can, it depends on what the scans show. Some things can only be cured with a reformat. Reformat is always the last resort.

[hendu3270]

We do the best we can, it depends on what the scans show. Some things can only be cured with a reformat. Reformat is always the last resort.

I don't even want to think about a reformat, ugh! I'm about to start the mbam scan now.

Oh, and the reason for all this (I posted in another thread and was told to follow the directions you outlined) is I have "worm.win32.netbooster2" on my machine and it's relentless.

[JeanInMontana]

I hear ya and saw your other topics. What is telling you this worm is present? Please just use the Add Reply button not the one with " Reply [ look down a bit]. It saves scroll time and these threads tend to get long.

[hendu3270]

The reason I was thinking this worm was present was in ALL the error mesages I've been receiving over the weekend, (that were here to greet me this morning) most seemed bogus. Or atleast I didn't recognize the icon at the upper right hand corner of the message. One however, did say you're computer is infected with the "Worm.Win32.NetBooster32" worm and need to remove the file. I ran a search on the net and stumbled across "WIKI-SECURITY" which explained a little aboput this bug and some of its characteristics. I was behving exactly as that site said it does. Opening up several error messages making you feel like your computer is infected and if you click "ok", "close" or "cancel" it opens up a IE window to some "Anit-Spyware" site. It also would not let me change my home page back to what it was before. It disabled my task manager, which I have since been able to get back. One of the programs that it installed was a "virusIsolator", which the Spybot seems to have blown out. Before I rab Spybot I was gettin gan error message maybe every two minutes, Now after coming back from lunch, (after an hour), I had only two.

The Malwarebytes scan is still running at this time and as of right now has identified 23 infected objects.

[hendu3270]

Still scanning.

This is a pic of the message that just popped up and the one that I got the "worm" name from.

[JeanInMontana]

Looks like a rogue has got you. If you close the browser and other programs you don't need, the scan will go faster and that is the best way to do the HJT scan also when you get there.

[hendu3270]

Here's the scan. I'm gonna reboot. It said some files would be removed after that. I'll follow the instructions for the other scans and posts those next.

Malwarebytes' Anti-Malware 1.11

Database version: 720

Scan type: Full Scan (C:\|)

Objects scanned: 203994

Time elapsed: 1 hour(s), 42 minute(s), 51 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 2

Registry Keys Infected: 28

Registry Values Infected: 5

Registry Data Items Infected: 0

Folders Infected: 5

Files Infected: 86

Memory Processes Infected:

C:\WINDOWS\system32\yfabatsf.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\qadovnel.dll (Trojan.FakeAlert) -> Unloaded module successfully.

C:\WINDOWS\gndarmblldk.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_CLASSES_ROOT\Interface\{20a9b4dd-04dc-428a-bcf0-b7a7ed06aff4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{d3cd8ba8-c639-4d07-afa6-c4c405c30eaf} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{61b89577-bb0c-4f5c-ad2f-b08764ad3d0d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{45d353a9-fa31-4a2f-90c4-11a338a4d9d4} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{c8dfbeb7-935f-4dc6-a9f9-dbdd0d32e54c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logons (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\typelib (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SYSTEM\currentcontrolset\Services\rdriv (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{92de8cb8-a9ac-4e18-8516-eeafdfd3002b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{dae5a907-666c-4206-8b37-7bf7e8208763} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f2fb4bb4-4c80-4aee-8b59-f146b08f6193} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f2fb4bb4-4c80-4aee-8b59-f146b08f6193} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\wxdbpfvo.bqew (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\wxdbpfvo.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fhfbppod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VirusIsolator.exe (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qadovnel (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\bdkpfxqw (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

C:\Program Files\VirusIsolator (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

C:\Program Files\VirusIsolator\Infected (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

C:\Program Files\VirusIsolator\Suspicious (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\yfabatsf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\VirusIsolator\VirusIsolator.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\wxolqviv\ilmhgvgl.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\GMW\Local Settings\Tempmjiwep0.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\GMW\Local Settings\Temp\EXPLOR~1.EXE.bak (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049412.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049413.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049414.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049415.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049416.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049417.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049418.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049419.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049420.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049421.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049422.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049423.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049424.DLL (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049425.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049426.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049427.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049428.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049429.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049430.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049431.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049432.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049433.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049434.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049435.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049436.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049437.EXE (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049439.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049441.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049442.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049443.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049463.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049464.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP417\A0049465.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.

C:\Program Files\VirusIsolator\vscan.tsi (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

C:\Program Files\VirusIsolator\zlib.dll (Rogue.VirusIsolator) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\akttzn.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\anticipator.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\awtoolb.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bsva-egihsg52.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\dpcproxy.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hoproxy.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hxiwlgpm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\hxiwlgpm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msgp.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msnbho.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\msvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mtr2.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mwin32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\netode.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\newsd32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ps1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\psof1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\psoft1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\regc64.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\regm64.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\Rundl1.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sncntr.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssurf022.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssvchost.com (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ssvchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sysreq.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\taack.dat (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\taack.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\temp#01.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\thun.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\thun32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\VBIEWER.OCX (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vbsys2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vcatchpi.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winlogonpc.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\winsystem.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\WINWGPX.EXE (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\xbaqktfv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\spwoqbmv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\qadovnel.dll (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\gndarmblldk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\GMW\g2mdlhlpx.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\GMW\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

[hendu3270]

I guess one thing I don't understand is the "virusIsolator" stuff was listed as part of the Malwarebyte scan removed. But I just had a "virusIsolator" box pop up. I was thinking it had all been removed. Obviously I don't understand all the ins and outs of all this. Running the "Panda" scan now.

[hendu3270]

Pandascan.

;*******************************************************************************

********************************************************************************

*

*******************

ANALYSIS: 2008-05-05 15:49:19

PROTECTIONS: 1

MALWARE: 19

SUSPECTS: 0

;*******************************************************************************

********************************************************************************

*

*******************

PROTECTIONS

Description Version Active Updated

;===============================================================================

================================================================================

=

===================

McAfee VirusScan Yes Yes

;===============================================================================

================================================================================

=

===================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

================================================================================

=

===================

00117692 Joke/Finger Jokes No 0 Yes No C:\Documents and Settings\GMW\My Documents\Computer pranks\finger.zip[finger.exe]

00117692 Joke/Finger Jokes No 0 Yes No C:\Documents and Settings\GMW\My Documents\Computer pranks\finger.exe

00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@anm.co[1].txt

00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@ccbill[1].txt

00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@com[2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@toplist[2].txt

00167749 Cookie/Toplist TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@toplist[1].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@perf.overture[1].txt

00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@perf.overture[2].txt

00168055 Cookie/RealTracker TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@web2.realtracker[1].txt

00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@ad.yieldmanager[2].txt

00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@server.iad.liveperson[2].txt

00168111 Cookie/Servlet TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@servlet[1].txt

00170550 Cookie/Humanclick TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@hc2.humanclick[2].txt

00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@overture[2].txt

00171633 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@cgi-bin[2].txt

00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@go[1].txt

00216065 Cookie/Screensavers TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@i.screensavers[2].txt

00520936 Application/ViewPoint HackTools No 0 No No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP399\A0047249.exe[ViewBarBHO.dll]

02883509 Application/ViewPoint HackTools No 0 Yes No C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP399\A0047249.exe

02887531 Cookie/UltimateCleaner TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@ucleaner[2].txt

02887532 Cookie/XPAntivirusPro TrackingCookie No 0 Yes No C:\Documents and Settings\GMW\Cookies\gmw@www.safenavweb[1].txt

;===============================================================================

================================================================================

=

===================

SUSPECTS

Sent Location v

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

VULNERABILITIES

Id Severity Description v

;===============================================================================

================================================================================

=

===================

;===============================================================================

================================================================================

=

===================

[hendu3270]

HiJack This scan.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:57:51 PM, on 05/05/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Program Files\SiteAdvisor\6253\SAService.exe

C:\WINDOWS\system32\cryptainersrv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\HPZinw12.exe

C:\Program Files\AutoCAD Civil 3D 2008\acad.exe

C:\DOCUME~1\GMW\LOCALS~1\Temp\AdskCleanup.0001

C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net/

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: wxdbpfvo - {3E1A7455-8F94-40B1-A2A8-4FE1A5264F8B} - C:\WINDOWS\wxdbpfvo.dll (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe

O4 - HKLM\..\Run: [spyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\GMW\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\GMW\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168871892578

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe

O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--

End of file - 13251 bytes

[JeanInMontana]

The VirusIsolater stuff has been removed in part. I'm guessing you got a new version of the Vundo trojan. I have reported that it was not all removed and it can get added to the next update. This stuff mutates all the time into another form. We will try this tool to rid you of it.

Print or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix.

Download:

Use this URL to download the latest version (the file contains both English and French versions):

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

* Double-click SmitfraudFix.exe

* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Clean:

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

* Double-click SmitfraudFix.exe

* Select 2 and hit Enter to delete infect files.

* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

* Optional:

o To restore Trusted and Restricted site zone, select 3 and hit Enter.

o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Post back the SmitFraud log and a new HJT log and we will see how it's going.

[hendu3270]

We'll do. Thanks Jean!

Chris

[hendu3270]

Do I need to post up the log after the "search" with the Smitfraudfix prgram or just after I do the fix? I want to make sure I do everything you need.

[hendu3270]

Ok. I've done the scan and clean process for the smitfraud. I'm gonna do the Hijack thing again now. The scan log for the smitfraud cleaning process is nothing but website addresses. Most of which I don't recall ever visiting and it's super, super long. I mean, if you use the little scroll arrow on the bottom right hand corner it would take a solid 15 minutes before you were at the bottom. Do I need to paste this thing into a post?? And just so I know, what exactly is this list? Please advise. Thanks.

[hendu3270]

Here's the HJT log. Please advise on the extremely large smitfraud log. Oh and BTW, my computer is running great now. Yesterday with all the various scans and fixes you walked me through it was running pretty good, but when I opened IE it wouldn't go to my home page and would lock up if I tried to change it. Now IE is back to normal to.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:13:10 AM, on 05/06/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\Program Files\SiteAdvisor\6253\SAService.exe

C:\WINDOWS\system32\cryptainersrv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\HPZinw12.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=4061226

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll

O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: wxdbpfvo - {3E1A7455-8F94-40B1-A2A8-4FE1A5264F8B} - C:\WINDOWS\wxdbpfvo.dll (file missing)

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay

O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [siteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\wianmpa.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Search - ?p=ZRxdm429YYUS

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\GMW\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\GMW\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\DownloadPDF.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net/

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1168871892578

O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/assets/activex/v...acheManager.CAB

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe

O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Intel

[JeanInMontana]

Ok. I've done the scan and clean process for the smitfraud. I'm gonna do the Hijack thing again now. The scan log for the smitfraud cleaning process is nothing but website addresses. Most of which I don't recall ever visiting and it's super, super long. I mean, if you use the little scroll arrow on the bottom right hand corner it would take a solid 15 minutes before you were at the bottom. Do I need to paste this thing into a post?? And just so I know, what exactly is this list? Please advise. Thanks.

The list is your hosts file, I need to see everything but that. If you feel you can edit it out but leave everything else in the file go ahead and do that. If not then please post it using as many posts as it takes, and I will edit it once it's posted.

We can remove these items with HJT

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O3 - Toolbar: wxdbpfvo - {3E1A7455-8F94-40B1-A2A8-4FE1A5264F8B} - C:\WINDOWS\wxdbpfvo.dll (file missing)

Put a check next to them and click fix. I can't seem to find anything definitive about Absolute Poker how long have you had it? Please submit the .exe file to here and scan it at virustotal.com and post the report please.

[hendu3270]

here's the smitfraud with all the web addresses removed.

SmitFraudFix v2.319

Scan done at 8:57:04.84, 05/06/2008

Run from C:\Documents and Settings\GMW\Desktop\SpyBot\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

[hendu3270]

Oh, and the Absolute Poker is where I occasionally play online poker. I've had it on my machine for a couple of years maybe. Never had a problem with it.

[hendu3270]

File mainclient.exe received on 05.06.2008 20:27:08 (CET)

Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED

Result:

Loading server information...

Your file is queued in position: 27.

Estimated start time is between 111 and 158 seconds.

Do not close the window until scan is complete.

The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.

If you are waiting for more than five minutes you have to resend your file.

Your file is being scanned by VirusTotal in this moment,

results will be shown as they're generated.

Compact Print results

Your file has expired or does not exists.

Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.

Email:

Antivirus Version Last Update Result

AhnLab-V3 2008.5.3.0 2008.05.06 -

AntiVir 7.8.0.11 2008.05.06 -

Authentium 4.93.8 2008.05.06 -

Avast 4.8.1169.0 2008.05.05 -

AVG 7.5.0.516 2008.05.06 -

BitDefender 7.2 2008.05.06 -

CAT-QuickHeal 9.50 2008.05.06 -

ClamAV 0.92.1 2008.05.06 -

DrWeb 4.44.0.09170 2008.05.06 -

eSafe 7.0.15.0 2008.05.06 -

eTrust-Vet 31.3.5763 2008.05.06 -

Ewido 4.0 2008.05.06 -

F-Prot 4.4.2.54 2008.05.05 -

Fortinet 3.14.0.0 2008.05.06 -

Additional information

File size: 1347647 bytes

MD5...: caae5d674c83beba39a1061c1e2d52c0

SHA1..: 8ba5f9d39db8f04f7566c3871760d60b1991465e

SHA256: eb3ac735744d71d0846676bab93fb37b6c38772eb6fcd63047f71a4f31415047

SHA512: 96eb41ba854d04e1f6645537da8603b931094ca7866aa432fb629833f57ce474

466780b909d5873184f2a491e03bcde34d31b4842e114341e7bbd848563347db

PEiD..: Armadillo v1.71

PEInfo: PE Structure information

( base data )

entrypointaddress.: 0x4aa6fb

timedatestamp.....: 0x47f47fc8 (Thu Apr 03 06:57:12 2008)

machinetype.......: 0x14c (I386)

( 4 sections )

name viradd virsiz rawdsiz ntrpy md5

.text 0x1000 0xd9afe 0xda000 6.64 e5b4e87c182238d6a9ecc9980ce75060

.rdata 0xdb000 0x12760 0x13000 4.99 51fb4a3ba4cb47ae63db4a5ae8d80e38

.data 0xee000 0xa64531 0x3f000 3.23 a1e8690cd8633d65fbc41ce1b9570c10

.rsrc 0xb53000 0x1b5c0 0x1c000 4.85 3a34f9e94934c9ba9e4f02e5ae293db8

( 14 imports )

> KERNEL32.dll: OutputDebugStringA, GetLastError, FreeConsole, GetCurrentProcessId, FindResourceA, LoadResource, SizeofResource, LockResource, ExitProcess, CreateMutexA, GetShortPathNameA, GetEnvironmentVariableA, SetPriorityClass, GetCurrentProcess, GetCurrentThread, CreateProcessA, GetExitCodeProcess, MoveFileA, CopyFileA, GetSystemDirectoryA, FindFirstFileA, FindNextFileA, FindClose, GetFileAttributesA, CreateDirectoryA, SetFilePointer, GlobalLock, GlobalFree, GlobalUnlock, GlobalAlloc, GetVersionExA, DeviceIoControl, MulDiv, GetPrivateProfileIntA, lstrlenW, InterlockedExchange, GetLocaleInfoW, CompareStringW, CompareStringA, SetConsoleCtrlHandler, GetUserDefaultLCID, EnumSystemLocalesA, GetLocaleInfoA, IsValidCodePage, IsValidLocale, IsBadCodePtr, IsBadReadPtr, SetStdHandle, GetStringTypeW, GetStringTypeA, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, LCMapStringW, LCMapStringA, WriteConsoleA, FatalAppExitA, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetFileType, GetStdHandle, SetHandleCount, TerminateProcess, HeapReAlloc, HeapSize, GetACP, ExitThread, GetCommandLineA, GetStartupInfoA, SetCurrentDirectoryA, SetEnvironmentVariableA, RaiseException, GetSystemTimeAsFileTime, RtlUnwind, HeapAlloc, GetPrivateProfileStringA, WritePrivateProfileStringA, LoadLibraryA, GetProcAddress, FreeLibrary, SetUnhandledExceptionFilter, GetCurrentDirectoryA, GetModuleHandleA, GetModuleFileNameA, GetWindowsDirectoryA, DeleteFileA, GetThreadPriority, SetThreadPriority, TerminateThread, ResumeThread, SuspendThread, GetExitCodeThread, CreateThread, MultiByteToWideChar, CreateFileMappingA, MapViewOfFile, UnmapViewOfFile, WideCharToMultiByte, lstrcpynA, GetSystemInfo, ReleaseSemaphore, CreateSemaphoreA, GetTickCount, DisconnectNamedPipe, FlushFileBuffers, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeA, InterlockedCompareExchange, GetQueuedCompletionStatus, PostQueuedCompletionStatus, CreateIoCompletionPort, SetEvent, ResetEvent, WaitForSingleObject, CreateEventA, SetConsoleTitleA, lstrcatA, EnterCriticalSection, WriteFile, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, lstrlenA, GetCurrentThreadId, HeapFree, GetLocalTime, GetSystemTime, GetTimeZoneInformation, GetOEMCP, GetCPInfo, GlobalFlags, GetProcessVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, FileTimeToLocalFileTime, FileTimeToSystemTime, GetVersion, SetErrorMode, SetFileAttributesA, SetFileTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, InterlockedIncrement, CloseHandle, InterlockedDecrement, Sleep, lstrcmpA, lstrcpyA, GetFileSize, CreateFileA, ReadFile, AllocConsole, GlobalHandle, TlsAlloc, LocalFree, LocalAlloc, lstrcmpiA, GetThreadLocale, GetStringTypeExA, GetFullPathNameA, GetVolumeInformationA, SetEndOfFile, UnlockFile, LockFile, DuplicateHandle, SetLastError

> USER32.dll: ShowWindow, GetSystemMetrics, LoadIconA, DrawIcon, LoadBitmapA, KillTimer, EnableWindow, MoveWindow, SetClassLongA, GetWindowTextA, SetWindowTextA, GetClientRect, LoadCursorA, SetWindowRgn, UpdateWindow, SetTimer, PostMessageA, SendMessageA, FillRect, LoadStringA, DefWindowProcA, RegisterClassA, CreateWindowExA, LoadAcceleratorsA, TranslateAcceleratorA, DispatchMessageA, TranslateMessage, GetMessageA, InvalidateRect, GetWindowRect, DestroyCursor, DestroyIcon, IsWindow, DestroyWindow, wsprintfA, MessageBoxA, GetWindowLongA, LoadImageA, GetDC, ReleaseDC, SetWindowPos, CopyRect, GetMenuBarInfo, RegisterClassExA, EnumDisplayMonitors, GetMonitorInfoA, GetActiveWindow, GetDesktopWindow, IsIconic, GetForegroundWindow, MessageBeep, SendMessageTimeoutA, WaitForInputIdle, SetForegroundWindow, GetWindow, GetWindowThreadProcessId, GetClassNameA, ChildWindowFromPoint, SendDlgItemMessageA, CheckRadioButton, CheckDlgButton, IsDlgButtonChecked, SetDlgItemTextA, GetDlgItemTextA, SetCursor, EndDialog, CloseWindow, FindWindowA, GetMenuState, EnumWindows, CheckMenuItem, EnableMenuItem, CopyImage, GetMenu, DestroyMenu, LoadMenuA, SetMenu, GetCursorPos, GetFocus, GetSysColor, SetScrollInfo, SetFocus, ReleaseCapture, SetCapture, PtInRect, GetScrollPos, CharToOemA, OemToCharA, CharUpperA, UnhookWindowsHookEx, IsWindowEnabled, GetLastActivePopup, SetWindowsHookExA, PeekMessageA, IsWindowVisible, ValidateRect, CallNextHookEx, GetKeyState, GetNextDlgTabItem, SetMenuItemBitmaps, ModifyMenuA, GetMenuCheckMarkDimensions, GetWindowPlacement, SystemParametersInfoA, IntersectRect, OffsetRect, RegisterWindowMessageA, GetMessagePos, GetMessageTime, RemovePropA, GetPropA, SetPropA, GetClassLongA, GetDlgCtrlID, GetWindowTextLengthA, SetWindowPlacement, TrackPopupMenu, GetMenuItemID, GetSubMenu, GetMenuItemCount, GetClassInfoA, WinHelpA, GetCapture, IsChild, GetTopWindow, SetScrollPos, SetScrollRange, GetScrollRange, ShowScrollBar, ScrollWindow, EndDeferWindowPos, BeginDeferWindowPos, DeferWindowPos, EqualRect, AdjustWindowRectEx, SetActiveWindow, MapWindowPoints, GetDlgItemInt, SetDlgItemInt, ScrollWindowEx, IsDialogMessageA, GetSysColorBrush, ClientToScreen, GetWindowDC, TabbedTextOutA, GrayStringA, ShowOwnedPopups, InsertMenuA, DeleteMenu, GetMenuStringA, GetScrollInfo, BeginPaint, EndPaint, ScreenToClient, GetDlgItem, SetRect, CreateDialogParamA, DialogBoxParamA, GetParent, DrawTextA, CallWindowProcA, PostQuitMessage, SetWindowLongA

> GDI32.dll: SetMapMode, Pie, GetTextColor, GetBkColor, Rectangle, FloodFill, GetBitmapBits, CreateDiscardableBitmap, CreateBitmapIndirect, CreatePenIndirect, CreatePen, CreateBrushIndirect, GetNearestColor, CreateFontA, CreateCompatibleBitmap, CreateSolidBrush, RoundRect, GetDeviceCaps, CreateRoundRectRgn, GetTextExtentPoint32A, CreatePolygonRgn, CreateEllipticRgn, GetStockObject, CreateBitmap, SetBkColor, StretchBlt, DeleteDC, MoveToEx, LineTo, CreateFontIndirectA, SetTextColor, TextOutA, GetObjectA, GetDIBits, CreatePalette, CreateCompatibleDC, SetBkMode, CreateDIBSection, SelectObject, DeleteObject, SelectPalette, RealizePalette, SetDIBitsToDevice, BitBlt, GetDCOrgEx, GetClipBox, StartDocA, SaveDC, RestoreDC, SetPolyFillMode, SetROP2, SetStretchBltMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, OffsetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, OffsetClipRgn, SetTextAlign, SetTextJustification, SetTextCharacterExtra, SetMapperFlags, GetCurrentPositionEx, ArcTo, SetArcDirection, PolyDraw, PolylineTo, SetColorAdjustment, PolyBezierTo, GetClipRgn, CreateRectRgn, SelectClipPath, ExtSelectClipRgn, Escape, ExtTextOutA, RectVisible, PtVisible, CreateDIBPatternBrushPt, CreatePatternBrush, CreateHatchBrush, ExtCreatePen, GetWindowExtEx, GetViewportExtEx, PlayMetaFile, EnumMetaFile, GetObjectType, PlayMetaFileRecord

> ADVAPI32.dll: RegOpenKeyA, RegDeleteValueA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegDeleteKeyA

> SHELL32.dll: SHAppBarMessage, SHChangeNotify, ShellExecuteA, SHGetMalloc, SHGetSpecialFolderLocation, SHBrowseForFolderA, SHGetFileInfoA, DragAcceptFiles, ShellExecuteExA, SHGetPathFromIDListA

> ole32.dll: CoCreateGuid, StringFromGUID2, OleInitialize, OleUninitialize, CreateStreamOnHGlobal, CoUninitialize, CoInitialize, CoCreateInstance

> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -

> COMCTL32.dll: -, _TrackMouseEvent, ImageList_Destroy, ImageList_GetImageCount, ImageList_Add, ImageList_Create, ImageList_Draw, InitCommonControlsEx, FlatSB_SetScrollProp

> WS2_32.dll: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -

> NETAPI32.dll: Netbios

> MSIMG32.dll: GradientFill

> WININET.dll: HttpSendRequestA, InternetQueryDataAvailable, InternetReadFile, InternetSetFilePointer, InternetCloseHandle, InternetOpenA, InternetSetOptionA, InternetOpenUrlA, InternetCheckConnectionA, InternetConnectA, HttpQueryInfoA, HttpOpenRequestA

> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter

> comdlg32.dll: GetFileTitleA

( 0 exports )

[JeanInMontana]

Geez sorry about the delay here, I didn't see a reply notice for this, and I've been uber busy. What is the last part of the post from VT? Let's see a new HJT log and tell me what's going on with the system please.

[JeanInMontana]

Since this topic has had no reply for over 5 days it will be closed to prevent other from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic.

Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.