pos*.tmp files in c:// and my documents.. and ads served by decads popups


Malwarebytes' Anti-Malware 1.04

Database version: 376

Scan type: Quick Scan

Objects scanned: 25248

Time elapsed: 4 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:20:28 AM, on 6/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-21-507921405-1202660629-725345543-1004\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 6333 bytes


Malwarebytes' Anti-Malware 1.17

Database version: 846

2:28:11 AM 6/11/2008

mbam-log-6-11-2008 (02-28-11).txt

Scan type: Quick Scan

Objects scanned: 39470

Time elapsed: 8 minute(s), 29 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\blphc19pj0ec49.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\youtubex.dll (Trojan.Agent) -> Quarantined and deleted successfully.

;*******************************************************************************

ANALYSIS: 2008-06-11 03:59:08

PROTECTIONS: 0

MALWARE: 11

SUSPECTS: 0

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;===============================================================================

;===============================================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;===============================================================================

00139535 Application/Processor HackTools No 0 No No C:\SDFix.exe[sDFix\apps\Process.exe]

00139535 Application/Processor HackTools No 0 Yes No C:\WINDOWS\system32\Process.exe

00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Ashish\Desktop\SmitfraudFix\SmitfraudFix\Process.exe

00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Ashish\Desktop\SmitfraudFix\Process.exe

00139535 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Ashish\Desktop\SDFix\apps\Process.exe

00139535 Application/Processor HackTools No 0 No No C:\Documents and Settings\Ashish\Desktop\SDFix\SDFix.exe[sDFix\apps\Process.exe]

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.yadro.ru/]

00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.yadro.ru/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.realmedia.com/]

00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.realmedia.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.adultfriendfinder.com/]

00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Ashish\Application Data\Mozilla\Firefox\Profiles\znkhw4fi.default\cookies.txt[.adultfriendfinder.com/]

01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP247\A0025419.exe[327882R2FWJFW\NirCmdC.cfexe]

02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Ashish\Desktop\SmitfraudFix\Reboot.exe

02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes No C:\Documents and Settings\Ashish\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe

02905717 Adware/Zango Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP139\A0014144.exe

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP192\A0019031.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP211\A0022155.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP211\A0022193.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP212\A0022323.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022620.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP212\A0022358.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022368.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP212\A0022360.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP212\A0022325.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP211\A0022195.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022618.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP211\A0022157.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022632.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP193\A0019038.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP232\A0023579.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP192\A0019033.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP193\A0019036.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022634.inf

02994214 W32/Lineage.IOS.worm Virus/Worm No 0 Yes No J:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP247\A0025580.inf

02998247 W32/Lineage.IPT.worm Virus/Worm No 0 Yes No C:\Documents and Settings\Ashish\Local Settings\Temp\fuc.dll

03042127 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022381.exe

03042127 Adware/MalwareProtector2008 Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP246\A0025239.exe

03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022372.scr

03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP212\A0022355.scr

03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022658.scr

03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022629.scr

03053495 Adware/VapSup Adware No 0 Yes No C:\System Volume Information\_restore{28C57A62-A5C2-49E9-BB09-A56CAAEB50E2}\RP213\A0022615.scr

;===============================================================================

SUSPECTS

Sent Location M

;===============================================================================

;===============================================================================

VULNERABILITIES

Id Severity Description M

;===============================================================================

184380 MEDIUM MS08-002 M

184379 MEDIUM MS08-001 M

182048 HIGH MS07-069 M

182046 HIGH MS07-067 M

182043 HIGH MS07-064 M

179553 HIGH MS07-061 M

176382 HIGH MS07-057 M

176383 HIGH MS07-058 M

170911 HIGH MS07-050 M

170907 HIGH MS07-046 M

170906 HIGH MS07-045 M

170904 HIGH MS07-043 M

164915 HIGH MS07-035 M

164913 HIGH MS07-033 M

164911 HIGH MS07-031 M

160623 HIGH MS07-027 M

157262 HIGH MS07-022 M

157261 HIGH MS07-021 M

157260 HIGH MS07-020 M

157259 HIGH MS07-019 M

156477 HIGH MS07-017 M

150253 HIGH MS07-016 M

150249 HIGH MS07-013 M

150248 HIGH MS07-012 M

150247 HIGH MS07-011 M

150243 HIGH MS07-008 M

150242 HIGH MS07-007 M

150241 MEDIUM MS07-006 M

141034 HIGH MS06-076 M

141033 MEDIUM MS06-075 M

141030 HIGH MS06-072 M

137571 HIGH MS06-070 M

137568 HIGH MS06-067 M

133387 MEDIUM MS06-065 M

133386 MEDIUM MS06-064 M

133385 MEDIUM MS06-063 M

133379 HIGH MS06-057 M

131654 HIGH MS06-055 M

129977 MEDIUM MS06-053 M

129976 MEDIUM MS06-052 M

126093 HIGH MS06-051 M

126092 MEDIUM MS06-050 M

126087 HIGH MS06-046 M

126086 MEDIUM MS06-045 M

126083 HIGH MS06-042 M

126082 HIGH MS06-041 M

126081 HIGH MS06-040 M

123421 HIGH MS06-036 M

123420 HIGH MS06-035 M

120825 MEDIUM MS06-032 M

120823 MEDIUM MS06-030 M

120818 HIGH MS06-025 M

120815 HIGH MS06-022 M

120814 HIGH MS06-021 M

114666 HIGH MS06-015 M

114664 HIGH MS06-013 M

108744 MEDIUM MS06-008 M

108743 MEDIUM MS06-007 M

108742 MEDIUM MS06-006 M

104567 HIGH MS06-002 M

104237 HIGH MS06-001 M

96574 HIGH MS05-053 M

93394 HIGH MS05-050 M

93454 MEDIUM MS05-049 M

;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:00:21 AM, on 6/11/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\BitComet\BitComet.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\Spyware Doctor\pctsGui.exe

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-21-507921405-1202660629-725345543-1004\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')

O4 - S-1-5-18 Startup: IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User '?')

O4 - .DEFAULT Startup: IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User 'Default user')

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 6763 bytes


You have some troublesome cookies that linger, and there is malware that has attached itself to your restore points in the "System Restore" feature. We'll remove those restore points only AFTER we're convinced that your system has been thoroughly cleaned.

Your Avast antivirus software services are running, but the application doesn't seem to start when Windows starts. Is this a configuration that you have set intentionally? If so, it's NOT recommended. If indeed the software was disabled by the malicious software you had (and may still have) on the system, it may be necessary to reinstall the software...let's see what the next log looks like before we go tampering with it, but keep in mind that we would like to know if you intentionally removed the Avast Antivirus from startup.

We've also noticed that there are some lingering services/processes that were left over from a failed Symantec uninstall... You can use their Removal Tool to completely dissolve the remnants left behind from a failed install/uninstall or damaged Symantec product.

Your Java application is out of date and causes a slight security risk as a result. This vulnerability, combined with the use of file-sharing software, is most likely the combination of events responsible for your current malware issues...

Please follow these steps to remove older Java components:

1. Close any open programs you may have running, especially your web browser.

2. Click Start-->Control Panel-->Add or Remove Programs.

3. Click once on any item listing Java Runtime Environment in the name (to highlight it) then click the "Remove" or "Change/Remove" button.

Not every version of Java will begin with "Java" so be sure to read each entry in the list.

Repeat step 3 as many times as necessary to remove all versions of Java.

**If you are asked to reboot at any point during the uninstallations, please do so. Then go back to Add/Remove and continue with the rest of the removals...when finished uninstalling all of them, reboot the computer.

4. Navigate to and delete:

  • C:\Program Files\Java <=this folder if found

5. Then go to this page.

Scroll down to where it says "The Java Runtime Environment (JRE) allows end-users to run Java applications" and click the "Download" button to the right. Select the platform for "Windows".

6. Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement", then click Continue...The page will refresh

Then, click on the link to download Windows Offline Installation. Save it to your desktop.

Now, from your desktop, double-click on the executable to install the newest version.

Click here for information regarding the risks of using File Sharing software.

Please uninstall the following software:

BitComet

BitCometTools

BitComet ToolBar

...or anything with BitComet in its name

Click start-->Control Panel-->Add/Remove Programs...scroll down the list to locate the program names and click Remove for each. Reboot the system when the uninstalls complete to properly record the changes made to the hard disk.

The following startup entries noted in the HijackThis log are suspicious only because of the upper case (CAPITAL) letters used in the spelling of the file "IEXPLORE.EXE"; the file path itself is correct:

O4 - S-1-5-18 Startup: IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User '?')

O4 - .DEFAULT Startup: IEXPLORE.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User 'Default user')

...the file path should appear as such:

C:\Program Files\Internet Explorer\iexplore.exe

I don't suspect that you've done this, but as with your Avast anti-virus, the question should still be asked...if you did NOT change the spelling of that file (to use the upper case letters), then you should upload this file for a free scan.

Please visit this site. Navigate to the file indicated below in Bold and upload the file for a free scan:

C:\Program Files\Internet Explorer\IEXPLORE.EXE

If you're unsure how to do that, follow the instructions below:

  1. Click in the "Upload a file" box to put the cursor there then click the Browse button next to it.
  2. In the File Upload window that opens, click the drop down arrow in the "Look in" box and select your Local Disk.
  3. Click the "Program Files" folder and click "Open", use the scroll bar to scroll across and locate the "Internet Explorer" folder.
  4. Scroll across until you locate the file IEXPLORE.EXE and click open.
  5. Now click the Send button. Please copy the "Results" to submit with your next reply.

You can run HijackThis again and check the box next to the following entries that may still exist:

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

Now close all open windows except for the HijackThis application's window...(that includes this browser window), then click the Fix Checked button.

Locate and delete the following files/folders indicated below in Bold text:

C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll

C:\Program Files\Common Files\Symantec Shared

Reboot the system and post back a fresh HijackThis log along with the results log from your "VirusTotal" scan. Also, please advise us how the system behaves for you now. Thanks!

Umm, no, I didn't intentionally disable the software from coming up when Windows starts. How do I change that?

You may have to reinstall the software but...maybe not. Once we are convinced that the malicious software has all been removed it is possible that your antivirus may return. We'll see after you've completed the instructions posted for you previously.

And the BitComet you said to delete? But I use it to download movies and things... I still have to delete it?

Considering that the BitComet may well be largely responsible for your current malware issues, I would say YES you should remove it. And please note, I had said to uninstall it, not to delete it. There is a huge difference...by the way, if you do use it to download "movies and things" from some shared folder uploaded to the web, the download is a copyright infringement. You CAN be fined and do jail time in some instances for such violations.

Oh, seriously, I did not know that. And yes, I meant uninstall, not delete... sorry. And yes, I'll be sure to uninstall it right away, and I will do all the instructions stated previously and post a log again. Thank you for letting me know this, though.

Hey, so I did all the information provided, and the IEXPLORER I did rename myself, so there's nothing to worry about there.

BitComet should be all gone now... and also the Symantec stuff.

As for the pos*.temp... they are all gone.

The only problem I am currently having is that the security updates will not download for some reason. Every time the balloon in the system tray at the bottom right pops up, I open it, I try the automatic scan and the custom scan, it goes downloading, and then after 2-3 seconds it says failed, cannot install updates. How would I fix that? Is there even a way?

I know I can download them manually, but it's hard to look for, and I don't know what to download.

If you can help me fix this problem I would appreciate it. Thanks for all the help so far.

Here is my HJT log. The antivirus didn't leave a log, but nothing was found except for this one music file, which I deleted.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:39:30 AM, on 6/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKUS\S-1-5-21-507921405-1202660629-725345543-1004\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User '?')

O4 - S-1-5-18 Startup: iexplorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User '?')

O4 - .DEFAULT Startup: iexplorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 6553 bytes

I see nothing left in the log that's malicious. Your on-board Avast antivirus is still disabled evidently. Open the application and navigate through its preferences/options to see if you can select an option that allows it to run when Windows starts. If so, reboot immediately after you've configured it correctly. Run your HJT utility again and look in the section that lists all of the "O4" entries. Does Avast appear there? If not, download a fresh copy and reinstall the application over itself...this will repair the installation. Use the default settings. On your next reply I would expect to see your Avast antivirus running properly.

The remnant left over from the Symantec uninstall is still there...let's do this:

Copy and paste the following into a blank NotePad:

sc stop CLTNetCnService

sc delete CLTNetCnService

Click File-->Save as and name the file delservice.bat

Under "Save as type" Select "all files" and save it to your Desktop.

Double-click the delservice.bat file on your Desktop. It will appear as though nothing has happened but that's expected. Delete the .bat file and Reboot the system.

Next, please run hijackthis again and check this entry:

O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

Close all windows before clicking the Fix Checked button. Reboot.

When the system comes back up, click start-->Run...then type CMD in the run box and click "OK" or hit your enter key.

At the command prompt, copy and paste the following then press your enter key:

net start > junk

notepad junk

Please post back the content of the notepad file that opened for you along with a fresh HijackThis log and, if you will, please answer my questions below. Thanks!

I have some questions for you now...I am always interested to learn something new...why would you want to do these two things:

1) Rename your Internet Explorer to use all capital letters

2) Have your Internet Explorer running on system startup

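The two cleanup posts above boil down to one triage rule: a HijackThis entry whose target file is gone (BitComet's BHO button, the O3 toolbar with "(no file)", the Symantec service with "(file missing)") is a leftover to clear, and for an orphaned O23 service the fix is the `sc stop` / `sc delete` pair written out by hand above. As an added example, not part of this thread, Malwarebytes or HijackThis, here is a small Python parser that applies that rule to the log format shown in this thread; the sample lines are constructed from entries posted above, and the service regex is my reading of the O23 line layout, not a documented HijackThis format.

```python
"""Triage helper for HijackThis 2.x logs (added example, not part of this
thread or of HijackThis). Flags entries ending in "(file missing)" or
"(no file)" and, for orphaned O23 services, emits the sc stop/delete pair."""
import re
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    section: str  # "R1", "O2", "O23", ...
    body: str     # everything after "O23 - "


ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Result lines look like "O23 - ..."; headers and the process list are skipped.
_LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")

# Assumed O23 layout: "Service: <display> (<key name>) - <owner> - <path>",
# where "(<key name>)" is omitted when it equals the display name.
_SERVICE_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.*?) - (?P<path>.*)$"
)

# Constructed sample built from entries posted in this thread (not a full log).
SAMPLE_LOG = r"""
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/O entries of a log as (section, body) pairs."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def is_orphan(entry: Entry) -> bool:
    """True when HijackThis reported that the referenced file does not exist."""
    return entry.body.endswith(ORPHAN_MARKERS)


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if is_orphan(e)]


def parse_service(body: str) -> Optional[dict]:
    """Split an O23 body into display name, service key name, owner and path."""
    m = _SERVICE_RE.match(body)
    if not m:
        return None
    path = m["path"]
    missing = path.endswith(ORPHAN_MARKERS)
    for marker in ORPHAN_MARKERS:
        if path.endswith(" " + marker):
            path = path[: -len(marker) - 1]
    return {
        "display": m["display"],
        "name": m["short"] or m["display"],  # the key name that sc expects
        "owner": m["owner"],
        "path": path,
        "missing": missing,
    }


def removal_commands(entries: List[Entry]) -> List[str]:
    """sc stop/delete lines for O23 services whose binary is gone."""
    cmds: List[str] = []
    for e in entries:
        if e.section != "O23":
            continue
        svc = parse_service(e.body)
        if svc and svc["missing"]:
            name = str(svc["name"])
            quoted = f'"{name}"' if " " in name else name
            cmds += [f"sc stop {quoted}", f"sc delete {quoted}"]
    return cmds


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    for e in orphaned_entries(found):
        print(f"orphan {e.section}: {e.body}")
    print("\n".join(removal_commands(found)))
```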
These Windows services are started:

Automatic Updates

avast! Antivirus

avast! iAVS4 Control Service

avast! Mail Scanner

avast! Web Scanner

Background Intelligent Transfer Service

Bluetooth Support Service

Capture Device Service

COM+ Event System

Creative Service for CDROM Access

Cryptographic Services

Cyberlink RichVideo Service(CRVS)

DCOM Server Process Launcher

DHCP Client

Distributed Link Tracking Client

DNS Client

Error Reporting Service

Event Log

Fast User Switching Compatibility

Help and Support

HID Input Service

IPSEC Services

LightScribeService Direct Disc Labeling Service

Network Connections

Network Location Awareness (NLA)

PLFlash DeviceIoControl Service

Plug and Play

Print Spooler

Protected Storage

Remote Access Connection Manager

Remote Procedure Call (RPC)

Secondary Logon

Security Accounts Manager

Server

Shell Hardware Detection

SSDP Discovery Service

System Event Notification

System Restore Service

Task Scheduler

TCP/IP NetBIOS Helper

Telephony

Terminal Services

Themes

Ulead Burning Helper

WebClient

Windows Audio

Windows Driver Foundation - User-mode Driver Framework

Windows Image Acquisition (WIA)

Windows Time

Wireless Zero Configuration

Workstation

The command completed successfully.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:50:02 PM, on 6/15/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\Program Files\CyberLink\Shared files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--

End of file - 5972 bytes

There was no O3 toolbar file thing to delete.

Umm, and to answer your questions:

The reason I renamed my Internet Explorer to use all capitals is because...

I currently always use Mozilla Firefox and therefore I had deleted the shortcut to Internet Explorer in the start menu. Internet Explorer used to be in Start, Programs, Setup folder, but it was no longer there, and I couldn't delete the Setup folder in the Programs menu. So when I needed to use Internet Explorer for some programs like Panda ActiveScan, because I couldn't use it in Mozilla, I had to look for Internet Explorer and I couldn't find it. So I searched for Internet Explorer and it would take forever. So what I did was, when it was found, I dragged and dropped the Internet Explorer icon into the start menu Programs Setup folder, and the name was something like "Internet Explorer basic something something", and it was so long, so I renamed it IEXPLORER. Now there was no particular reason for putting caps, but I changed it to lowercase now.

OK, so that pretty much answers question 1.

Now question 2. You asked why I have my iexplorer running on system startup.

Well, I didn't even know I had iexplorer running on startup, and when I start the computer up iexplorer doesn't come up, so there was no way of me even knowing this. Hmm, how would I disable that from happening?

Now that's a good looking log you got there...

Your Internet Explorer was copied from the wrong location. You should be able to locate the file here:

C:\Program Files\Internet Explorer\iexplore.exe

...just right-click on the file iexplore.exe and select from the menu:

Send to-->Desktop (create shortcut)

Additionally, if you want to put a copy of the file back onto your start menu so that it's available when you click start-->All Programs...then please do this:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm.
  • Click OK.

Next, navigate to:

C:\Documents and Settings\{Your User Account Name}\Start Menu\Programs

...now you can drag a copy of the file shortcut you created earlier to this folder. Return to the above instructions regarding the "Hide protected operating system files (recommended)" and place a check in the box. Likewise, remove the check now from "Show hidden files and folders".

The entries that showed us your Internet Explorer running on startup were in your previous log here:

O4 - S-1-5-18 Startup: iexplorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User '?')

O4 - .DEFAULT Startup: iexplorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE (User 'Default user')

...so I believe what you meant to say was you dropped it into the "Startup" folder. I believe what you were trying to do is exactly what I detailed above in the instructions on how to place the file into your "Start Menu". The last log you've posted now shows that the entries are no longer present in the "Startup" folder.

How's it running for you now?

Hey, everything is running lovely now. I even got the updates to work; this guy helped me get the updates to work and he also got the iexplorer thingy to work properly, now it's not even in the HJT log. So, hmm, I'd like to thank you for all of your help. I would like to post one last log of everything so you can check if everything is running A-OK. What should I post? Just a HJT log?

everything is running lovely now...i even got the updates to work...i would like to post one last log of everything so you can check if everything is running A oKAY

No need to post another log. Your last log looked fine. To assist you with your Windows Update issue should it ever occur again, download the "Dial_a_fix" utility Here.

Now that your system is clean and running the way you expect, let's first remove all of your old system restore points since they would include the infections that you've removed.

Click start-->Control Panel-->System-->System Restore...Check the box "Turn off System Restore on all drives" then click "Apply" and "OK" to close the System Properties box. Reboot the system. When the desktop appears stable, return to the System Properties box "System Restore" tab. Remove the check from "Turn off System Restore on all drives". In a blink, the system will have created a new clean restore point for you and named it "System Check Point".

Now highlight the drive letter in the Available drives section then click the Settings button (if you have only one drive then just click the "Settings" button). Move the slider over to the left until the Disk space to use: reads as close to 500 MB as possible without going over 500 MB. This will free up quite a bit of disk space for you. Having System Restore set at or as close to 500 MB as possible (without going over that amount) will create plenty of System Restore points and is more than sufficient.

Now we need to create a new restore point that you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean) Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.

  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.

  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than) one of these types of third party firewalls running on board:

Sunbelt Personal Firewall

Zone Alarm

Outpost Free

Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?

Regards, and Happy Surfing!

Thanks 1972vet for your excellent assistance.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.
