Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads

#1, 04-11-2007, 02:38 PM, Holbens (Registered User, joined Apr 2007, OS: XP Service Pack 2)

constant pop-ups, constantly new spyware/trojans

I accidentally downloaded an executable file that was allegedly a Windows Media Player update and I got a message from my CA antivirus real-time monitor that I did something stupid. Ever since then I have been getting pop-ups about once every two minutes, and every time I run Ad-Aware and my antivirus software, it comes up with a few (like 3 or so) trojans/spyware and a bunch of items come up in Ad-Aware (like 50). I read the instructions on how to defend myself before posting this thread and I think I have limited the malware from entering my computer, but the ads still pop up based on what I am viewing on the internet. I have gone through so many new programs that I can't be much more specific because it seems like every time I run something it detects something different. Below is my log file from dss.exe, and attached is another copy and a copy of the Panda report. Thanks so much for your help!
Holbens

Deckard's System Scanner v20070328.36
Run by Scott Holben on 2007-04-11 at 14:15:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Scott Holben.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:16:10 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\M-Audio\Transit\Install\TUSBInst.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\1XConfig.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Scott Holben\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\SCOTTH~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3221c23f-0c90-4ad8-a239-f1e5a952c6b9} - C:\WINNT\system32\adsc40.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINNT\system32\tmp38.tmp.dll (file missing)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZNxmk14847US
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://0-site.ebrary.com.nell.boulde.../ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: adsc40 - C:\WINNT\SYSTEM32\adsc40.dll
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: M-Audio Transit Installer (TransitInstallerService) - M-Audio - C:\Program Files\M-Audio\Transit\Install\TUSBInst.exe


-- Files created between 2007-03-11 and 2007-04-11 -----------------------------

2007-04-10 18:37:17 0 d-------- C:\WINNT\network diagnostic<NETWOR~1>
2007-04-09 23:38:19 0 d-------- C:\Program Files\Zoned OUt<ZONEDO~1>
2007-04-09 23:27:24 0 d-------- C:\ie-spyad
2007-04-09 23:17:38 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-04-09 23:12:10 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-04-09 19:44:48 0 d-------- C:\WINNT\system32\ActiveScan<ACTIVE~1>
2007-04-07 21:44:18 0 d-------- C:\Program Files\AIM6
2007-04-05 17:22:53 0 d-------- C:\Documents and Settings\Guest\Application Data\WinPatrol<WINPAT~1>
2007-04-04 20:12:20 552 --a------ C:\WINNT\system32\d3d8caps.dat
2007-04-04 19:30:13 0 d-------- C:\WINNT\CSC
2007-03-22 22:03:53 1374 --a------ C:\WINNT\system32\tmp.reg
2007-03-22 22:03:22 79360 --a------ C:\WINNT\system32\swxcacls.exe
2007-03-22 22:03:22 40960 --a------ C:\WINNT\system32\swsc.exe
2007-03-22 22:03:22 135168 --a------ C:\WINNT\system32\swreg.exe
2007-03-22 22:03:22 288417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-03-22 22:03:22 53248 --a------ C:\WINNT\system32\Process.exe
2007-03-22 22:03:22 51200 --a------ C:\WINNT\system32\dumphive.exe
2007-03-20 20:16:31 0 d-------- C:\WINNT\DE187864A381460288231024D4CE4370.TMP<DE1878~1.TMP>
2007-03-20 20:12:12 445440 --a------ C:\wmplayer.dll
2007-03-20 20:12:07 235008 --a------ C:\WINNT\system32\update06281259.exe<UPDATE~3.EXE>
2007-03-20 20:12:05 40008 --a------ C:\WINNT\system32\update92620748.exe<UPDATE~1.EXE>
2007-03-20 19:56:53 0 d-------- C:\Documents and Settings\Scott Holben\Application Data\WinPatrol<WINPAT~1>
2007-03-20 19:43:17 0 d-------- C:\Program Files\PCPitstop<PCPITS~1>
2007-03-14 14:14:44 19651 --a------ C:\WINNT\system32\adsc40.dll
2007-03-14 14:14:43 27096 --a------ C:\WINNT\system32\nnnkj.exe
2007-03-14 14:09:42 8171 --a------ C:\WINNT\system32\byxywtt.dll
2007-03-13 20:56:58 0 d-------- C:\Program Files\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2007-04-09 20:30:48 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-04-09 20:29:09 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-09 20:26:57 0 d-------- C:\Program Files\iTunes
2007-04-07 21:47:15 0 d-------- C:\Documents and Settings\Scott Holben\Application Data\Viewpoint<VIEWPO~1>
2007-04-07 21:44:58 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-04-04 21:32:48 0 d-------- C:\Program Files\Microsoft.NET<MICROS~1.NET>
2007-04-04 21:28:05 0 d-------- C:\Program Files\Design Science<DESIGN~1>
2007-04-04 21:26:33 0 d-------- C:\Program Files\Java
2007-03-22 00:20:31 0 d---s---- C:\Documents and Settings\Scott Holben\Application Data\Microsoft<MICROS~1>
2007-03-20 20:22:10 0 d-------- C:\Program Files\Common Files\AOL
2007-03-20 20:14:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-20 19:49:42 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-17 06:43:01 292864 --a------ C:\WINNT\system32\winsrv.dll
2007-03-13 20:57:06 0 d-------- C:\Documents and Settings\Scott Holben\Application Data\Lavasoft
2007-03-08 08:36:28 577536 --a------ C:\WINNT\system32\user32.dll
2007-03-08 08:36:28 40960 --a------ C:\WINNT\system32\mf3216.dll
2007-03-08 08:36:28 281600 --a------ C:\WINNT\system32\gdi32.dll
2007-03-08 06:47:48 1843584 --a------ C:\WINNT\system32\win32k.sys
2007-02-05 13:17:02 185344 --a------ C:\WINNT\system32\upnphost.dll
2007-01-19 12:53:04 51056 --a------ C:\WINNT\system32\sirenacm.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrol.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\adsc40
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-11 at 14:16:34 ---------
Attached Files
File Type: txt main.txt (12.9 KB, 3 views)
File Type: txt Activescan.txt (24.8 KB, 4 views)

#2, 04-12-2007, 04:49 PM, forhockey (Analyst, Security Team, Ontario, Canada, OS: Windows XP Pro)

Re: constant pop-ups, constantly new spyware/trojans

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

Please be patient with me during this time.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

#3, 04-12-2007, 10:02 PM, forhockey (Analyst, Security Team, OS: Windows XP Pro)

Re: constant pop-ups, constantly new spyware/trojans

Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

The cleaning process is not instant. Please follow through to the end until I tell you your machine is clear.
The absence of symptoms does not mean that everything is clean.

Please make every effort to reply to my posts in a timely manner. Malware spreads quickly, and the longer an infection remains on a system, the greater the likelihood of additional infections coming into your computer.


---------------------------------------------------------------------------------------------

P2P Software

P2P - I see you have P2P software Warez P2P Client installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

---------------------------------------------------------------------------------------------

Disable Spywareguard

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm that the program closes.


Disable WinPatrol

Please disable WinPatrol, as it may hinder the removal of some entries.
  • Right click the running icon of WinPatrol located in the system tray
  • Go to Menu > File > Exit and confirm that the program closes.
It will automatically restart at next boot.

---------------------------------------------------------------------------------------------

Download combofix from here

**Save it directly to your desktop**

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

A log will be produced that will ultimately be named C:\ComboFix.txt I'll need that in your next reply.

---------------------------------------------------------------------------------------------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do Not run a scan just yet, we will shortly.

---------------------------------------------------------------------------------------------

Please download the ISTBar removal tool from Symantec into its own folder. Do not run it yet.

---------------------------------------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

---------------------------------------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

MyWebSearch


---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {3221c23f-0c90-4ad8-a239-f1e5a952c6b9} - C:\WINNT\system32\adsc40.dll (file missing)
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZNxmk14847US
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O20 - Winlogon Notify: adsc40 - C:\WINNT\SYSTEM32\adsc40.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

---------------------------------------------------------------------------------------------

Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\d3d8caps.dat
    C:\WINNT\DE187864A381460288231024D4CE4370.TMP
    C:\wmplayer.dll
    C:\WINNT\system32\update06281259.exe
    C:\WINNT\system32\update92620748.exe
    C:\WINNT\system32\nnnkj.exe
    C:\WINNT\system32\byxywtt.dll
    c:\documents and settings\all users\start menu\programs\startup\MyWebSearch Email Plugin.lnk
    c:\winnt\downloaded program files\ATPartners.inf
    c:\winnt\downloaded program files\f3initialsetup1.0.0.8-2.inf
    c:\winnt\system32\in10b6s.dll
    c:\winnt\system32\saie321.dll
    C:\Documents and Settings\Scott Holben\Application Data\tvmknwrd.dll
    C:\WINNT\system32\GoGo9CP.dll
    C:\WINNT\system32\vm_d.dll
    C:\WINNT\system32\vm_d.exe
    C:\Program Files\MyWebSearch

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

---------------------------------------------------------------------------------------------

C:\Program Files\Warez P2P Client\ - The panda scan picked up Spyware:Spyware/New.net. I would recommend uninstalling this program and deleting this folder.

---------------------------------------------------------------------------------------------

Please run the ISTBar removal tool

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Restart your computer in Normal Mode

---------------------------------------------------------------------------------------------

I have attached a file to this post - Holbens.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

---------------------------------------------------------------------------------------------

Please download and run FindAWF

When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

---------------------------------------------------------------------------------------------

Please include the following in your next reply:

C:\Deckard\System Scanner\extra.txt - Attached Please
C:\ComboFix.txt
AVG Anti-Spyware Log
awf.txt
Attached Files
File Type: zip Holbens.zip (204 Bytes, 1 views)
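The triage in the reply above comes down to a handful of cross-checks on the first post's log: a BHO registered with no display name, a Winlogon Notify package that points at the same DLL as that BHO, a DPF (ActiveX download) with no description, dead registrations whose file is gone, and files the DSS listing shows were created inside its 30-day window. The script below is an added example, not code from this thread, from HijackThis or from DSS. It parses lines copied from the log in post #1 (embedded as sample input) and applies those checks; the scoring and the wording of the reasons are the editor's own, not rules the analyst stated.

```python
"""Triage of a HijackThis log against the DSS "files created" listing.

Load points are collected per file name (O2 BHOs, O4 autoruns, O20 Winlogon
Notify packages); O16 DPF objects are checked on their own. Each subject then
gets a list of reasons, and the subject with the most reasons sorts first.
"""
import re
from collections import defaultdict

# Sample input: lines copied from the DSS/HijackThis log in post #1.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3221c23f-0c90-4ad8-a239-f1e5a952c6b9} - C:\WINNT\system32\adsc40.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D38439EC-4A7F-42b4-90C2-D810D7778FDD} - C:\WINNT\system32\tmp38.tmp.dll (file missing)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...tup1.0.0.8.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: adsc40 - C:\WINNT\SYSTEM32\adsc40.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
"""

# Sample input: lines copied from the "Files created between ..." section.
DSS_RECENT = r"""
2007-04-04 20:12:20 552 --a------ C:\WINNT\system32\d3d8caps.dat
2007-03-20 20:12:12 445440 --a------ C:\wmplayer.dll
2007-03-14 14:14:44 19651 --a------ C:\WINNT\system32\adsc40.dll
2007-03-14 14:14:43 27096 --a------ C:\WINNT\system32\nnnkj.exe
2007-03-14 14:09:42 8171 --a------ C:\WINNT\system32\byxywtt.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
DPF_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.*)$")
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d\d-\d\d) \S+ (?P<size>\d+) \S+ (?P<path>.*)$")
MISSING_RE = re.compile(r"\((?:file missing|no file)\)")


def basename(path):
    """Lower-cased file name of a Windows path; HJT's '(file missing)' suffix removed."""
    path = MISSING_RE.sub("", path).strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exe_from_command(cmd):
    """Executable of an O4 command line: a quoted path, or everything up to .exe."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else cmd


def triage_hjt(hjt_text, dss_text):
    """Return [(subject, [reasons...]), ...], most reasons first."""
    recent = {}                      # file name -> creation date from DSS
    for line in dss_text.splitlines():
        m = FILE_RE.match(line)
        if m:
            recent[basename(m["path"])] = m["date"]

    loadpoints = defaultdict(set)    # file name -> load-point labels
    findings = defaultdict(list)     # file name or {CLSID} -> reasons
    for line in hjt_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            key = basename(m["path"]) or "{%s}" % m["clsid"]
            if MISSING_RE.search(m["path"]):
                findings[key].append("BHO registration whose file is gone; remove the CLSID")
            else:
                loadpoints[key].add("O2 BHO")
                if m["name"] == "(no name)":
                    findings[key].append("BHO registered without a display name")
            continue
        m = NOTIFY_RE.match(line)
        if m:
            loadpoints[basename(m["path"])].add("O20 Winlogon Notify")
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m["rest"]
            if rest.startswith("["):               # [Name] command line
                cmd = rest.split("] ", 1)[1]
            elif " = " in rest:                    # Shortcut.lnk = target
                cmd = rest.split(" = ", 1)[1]
            else:
                cmd = rest
            loadpoints[basename(exe_from_command(cmd))].add("O4 " + m["where"])
            continue
        m = DPF_RE.match(line)
        if m and not m["name"]:
            findings["{%s}" % m["clsid"]].append("ActiveX download with no description: " + m["url"])

    for key, points in loadpoints.items():
        others = sorted(points - {"O20 Winlogon Notify"})
        if "O20 Winlogon Notify" in points and others:
            findings[key].append("one DLL hooks Winlogon Notify and " + ", ".join(others))
        if key in recent:
            findings[key].append("created %s, inside the DSS 30-day window" % recent[key])
    for name, date in recent.items():               # dropped recently, no visible loader
        if name.endswith((".exe", ".dll", ".sys")) and name not in loadpoints:
            findings[name].append("created %s, no load point in the HJT scan" % date)
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for subject, reasons in triage_hjt(HJT_LOG, DSS_RECENT):
        print(subject)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it puts adsc40.dll at the top with three reasons (unnamed BHO, the same DLL as a Winlogon Notify package, created 2007-03-14), lists the two dead BHO registrations and the unnamed DPF, and surfaces nnnkj.exe, byxywtt.dll and C:\wmplayer.dll as recent executables nothing visibly loads, which is the set the analyst handed to OTMoveIt. It deliberately has no name list, so the MyWebSearch startup entry is not flagged: that kind of entry is recognised from a signature list, not from structure.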

#4, 04-13-2007, 10:26 AM, Holbens (Registered User, OS: XP Service Pack 2)


Re: constant pop-ups, constantly new spyware/trojans

Thank you so much for your help. I did run into a few little glitches, but hopefully they won't pose a problem. Included is the awf.txt, and attached are:
C:\ComboFix.txt
AVG Anti-Spyware Log
awf.txt


I was instructed to add the extra.txt file from the Deckard System Scan. I ran the scan twice before I posted the original thread, and so now there is no extra.txt file in C:/Deckard/System Scan. Instead there is one main.txt file and two folders with very long sets of numbers, each containing another main.txt file. I wasn't sure if I should run the DSS application again, and you have the main.txt file in the above post.

I was also instructed to remove MyWebSearch from the program files and it is either not listed or not a program on my computer.

When I ran MoveIt.exe, one of the files could not move over for some reason. I didn't want to run the program again, and I can't remember which file it was or why it wouldn't move.

The AVG spyware program also had a little issue with one file and that should be in the report attached.

When I ran ComboFix the computer restarted, which I believe it is supposed to, but it didn't leave the c:/ComboFix.txt file behind. I ran it again at the very end of the process; it didn't need to restart and did leave a .txt file behind, so I will attach that.

The ISTBar application didn't find the file it was looking for, which I believe is a good thing.

There were so many steps I hope I mentioned everything that is going on.
Thanks so much for your help! Let me know what you see when you get to look through the reports.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

06-09-25 13:54 229,952 iTunesHelper.exe
1 File(s) 229,952 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06-09-24 02:24 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINNT\SYSTEM32\BAK

01-07-09 02:50 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

03-03-30 19:00 327,680 atiptaxx.exe
1 File(s) 327,680 bytes

Directory of C:\PROGRA~1\BILLPS~1\WINPAT~1\BAK

04-12-09 21:12 140,480 winpatrol.exe
1 File(s) 140,480 bytes

Directory of C:\PROGRA~1\CA\ETRUST~1\BAK

04-04-06 16:14 504,080 realmon.exe
1 File(s) 504,080 bytes

Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK

03-05-08 10:00 49,152 OpwareSE2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SYGATE\SPF\BAK

04-08-13 18:05 2,532,576 smc.exe
1 File(s) 2,532,576 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

03-02-14 11:35 630,784 SynTPEnh.exe
03-02-14 11:37 114,688 SynTPLpr.exe
2 File(s) 745,472 bytes

Directory of C:\WINNT\ASSEMBLY\NATIVE~1.507\SBAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTEL\NCS\PROSET\BAK

03-12-23 09:42 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

06-11-09 15:07 49,263 jusched.exe
1 File(s) 49,263 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

229952 Sep 25 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 5 2006 "C:\WINNT\Installer\{5878FF02-3B8F-4309-B4E5-0D3DB6F2E8E6}\iTunesIco.exe"
108096 Sep 25 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.1.8\iTunesSetupAdmin.exe"
282624 Sep 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Jul 9 2001 "C:\WINNT\system32\bak\NeroCheck.exe"
327680 Mar 30 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
267840 Feb 12 2007 "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
140480 Dec 9 2004 "C:\Program Files\BillP Studios\WinPatrol\bak\winpatrol.exe"
40960 Aug 26 2004 "C:\WINNT\Installer\{99747F0D-D4F8-4877-9CA0-4AE96D963633}\Realmon.exe"
504080 Apr 6 2004 "C:\Program Files\CA\eTrust Antivirus\bak\realmon.exe"
49152 May 8 2003 "C:\Program Files\ScanSoft\OmniPageSE2.0\bak\OpwareSE2.exe"
2577632 Oct 15 2004 "C:\Program Files\Sygate\SPF\Smc.exe"
2532576 Aug 13 2004 "C:\Program Files\Sygate\SPF\bak\smc.exe"
630784 Feb 14 2003 "C:\OEMDRVRS\SYNTPENH.EXE"
630784 Feb 14 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
114688 Feb 14 2003 "C:\OEMDRVRS\SYNTPLPR.EXE"
114688 Feb 14 2003 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
15360 Jan 11 2007 "C:\WINNT\assembly\NativeImages_v2.0.50727_32\SBAK\d87f862237a37a46858697c6c32f413d\SBAK.ni.dll"
86016 Dec 23 2003 "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


end of report
Attached Files
File Type: txt Report-Scan-20070413-044815.txt (16.6 KB, 4 views)
File Type: txt awf.txt (3.5 KB, 2 views)
File Type: txt ComboFix.txt (5.6 KB, 4 views)
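The FindAWF report above lists every bak folder it found and the same-named files that sit beside or elsewhere on the disk, with their sizes; what the analyst still has to decide by hand is whether the file that actually runs from each product directory is the vendor's own binary or has been swapped for something else. The script below is an added example, not FindAWF and not code from this thread. It builds a constructed directory tree modelled on four of the paths in the report (the file contents are made-up byte strings standing in for executables), then for each file in a bak folder hashes the same-named sibling in the parent directory and groups swapped siblings by hash. The grouping rests on an assumption stated here, not in the thread: a loader dropped over several unrelated programs is the same file in each place, so one hash beside several bak folders is the tell.

```python
"""Check the 'bak' folders a FindAWF-style report lists.

For every directory literally named bak, each file inside it is compared with
the same-named file in the parent directory (the one that actually runs):
  replaced      sibling exists but its hash differs from the bak copy
  identical     sibling is byte-for-byte the bak copy (a plain backup)
  no live copy  nothing with that name sits beside the bak folder
Replaced siblings are then grouped by hash; one hash under several unrelated
products is one loader copied into each of them.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root):
    """Yield (bak_dir, parent_dir) for every directory named 'bak' under root."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                yield os.path.join(dirpath, d), dirpath


def check_bak_folders(root):
    """Return one record per file found in a bak folder, sorted by path."""
    records = []
    for bak, parent in find_bak_folders(root):
        for name in os.listdir(bak):
            original = os.path.join(bak, name)
            if not os.path.isfile(original):
                continue
            # Windows names are case-insensitive (WinPatrol.exe vs winpatrol.exe in the report).
            live = None
            for sibling in os.listdir(parent):
                cand = os.path.join(parent, sibling)
                if sibling.lower() == name.lower() and os.path.isfile(cand):
                    live = cand
                    break
            if live is None:
                status, live_hash = "no live copy", None
            else:
                live_hash = sha256_file(live)
                status = "identical" if live_hash == sha256_file(original) else "replaced"
            records.append({"original": original, "live": live,
                            "status": status, "live_sha256": live_hash})
    return sorted(records, key=lambda r: r["original"])


def shared_replacements(records):
    """Map hash -> live files, for every hash shared by two or more replaced siblings."""
    by_hash = defaultdict(list)
    for r in records:
        if r["status"] == "replaced":
            by_hash[r["live_sha256"]].append(r["live"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def build_sample_tree(root):
    """Constructed tree modelled on four bak folders from the report; bytes are made up."""
    loader = b"MZ constructed loader dropped over the real programs"
    layout = [  # (product dir, file name, bak copy, what now sits beside bak)
        ("Program Files/BillP Studios/WinPatrol", "WinPatrol.exe", b"MZ winpatrol", loader),
        ("Program Files/Sygate/SPF", "Smc.exe", b"MZ smc", loader),
        ("Program Files/QuickTime", "qttask.exe", b"MZ qttask", b"MZ qttask"),
        ("WINNT/system32", "NeroCheck.exe", b"MZ nerocheck", None),
    ]
    for reldir, name, original, live in layout:
        bak = os.path.join(root, reldir, "bak")
        os.makedirs(bak)
        with open(os.path.join(bak, name.lower()), "wb") as f:
            f.write(original)
        if live is not None:
            with open(os.path.join(root, reldir, name), "wb") as f:
                f.write(live)


def run_demo():
    """Build the constructed tree in a temp dir; return (records, shared hashes)."""
    root = tempfile.mkdtemp(prefix="findawf-")
    build_sample_tree(root)
    records = check_bak_folders(root)
    return records, shared_replacements(records)


if __name__ == "__main__":
    demo_records, demo_shared = run_demo()
    for rec in demo_records:
        print("%-13s %s" % (rec["status"], rec["original"]))
    for digest, paths in demo_shared.items():
        print("same file (%s...) beside %d bak folders:" % (digest[:12], len(paths)))
        for p in paths:
            print("   ", p)
```

On a real machine point check_bak_folders at the drive root instead of the constructed tree. A status of "identical" or "no live copy" is not by itself clean or dirty (the report's WinPatrol entry, for instance, has a newer and larger live file, which is exactly what a vendor update also looks like), so the hash grouping is what turns the listing into a decision: several products sharing one live hash have been overwritten by the same thing.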

#5, 04-13-2007, 10:35 AM, forhockey (Analyst, Security Team, OS: Windows XP Pro)

Re: constant pop-ups, constantly new spyware/trojans

The extra.txt should be located in the folder with numbers.

Can you post the log which is located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

#6, 04-13-2007, 07:05 PM, Holbens (Registered User, OS: XP Service Pack 2)


Re: constant pop-ups, constantly new spyware/trojans

I could not find the extra.txt file. I tried to run dss.exe again and came up with another main.txt. I have included it in an attachment along with the MoveIt log.

Deckard's System Scanner v20070328.36
Run by Scott Holben on 2007-04-13 at 19:00:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Scott Holben.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:00:40 PM, on 4/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\1XConfig.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\M-Audio\Transit\Install\TUSBInst.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\notepad.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott Holben\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\SCOTTH~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://0-site.ebrary.com.nell.boulde.../ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: M-Audio Transit Installer (TransitInstallerService) - M-Audio - C:\Program Files\M-Audio\Transit\Install\TUSBInst.exe


-- Files created between 2007-03-13 and 2007-04-13 -----------------------------

2007-04-13 00:14:01 3968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-04-10 18:37:17 0 d-------- C:\WINNT\network diagnostic<NETWOR~1>
2007-04-09 23:38:19 0 d-------- C:\Program Files\Zoned OUt<ZONEDO~1>
2007-04-09 23:27:24 0 d-------- C:\ie-spyad
2007-04-09 23:17:38 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~2>
2007-04-09 23:12:10 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
2007-04-09 19:44:48 0 d-------- C:\WINNT\system32\ActiveScan<ACTIVE~1>
2007-04-07 21:44:18 0 d-------- C:\Program Files\AIM6
2007-04-05 17:22:53 0 d-------- C:\Documents and Settings\Guest\Application Data\WinPatrol<WINPAT~1>
2007-04-04 19:30:13 0 d--hs---- C:\WINNT\CSC
2007-03-22 22:03:53 1374 --a------ C:\WINNT\system32\tmp.reg
2007-03-22 22:03:22 79360 --a------ C:\WINNT\system32\swxcacls.exe
2007-03-22 22:03:22 40960 --a------ C:\WINNT\system32\swsc.exe
2007-03-22 22:03:22 135168 --a------ C:\WINNT\system32\swreg.exe
2007-03-22 22:03:22 288417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-03-22 22:03:22 53248 --a------ C:\WINNT\system32\Process.exe
2007-03-22 22:03:22 51200 --a------ C:\WINNT\system32\dumphive.exe
2007-03-20 19:56:53 0 d-------- C:\Documents and Settings\Scott Holben\Application Data\WinPatrol<WINPAT~1>
2007-03-20 19:43:17 0 d-------- C:\Program Files\PCPitstop<PCPITS~1>
2007-03-13 20:56:58 0 d-------- C:\Program Files\Lavasoft


-- Find3M Report ---------------------------------------------------------------

2007-04-09 20:30:48 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
2007-04-09 20:29:09 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>
2007-04-09 20:26:57 0 d-------- C:\Program Files\iTunes
2007-04-07 21:47:15 0 d-------- C:\Documents and Settings\Scott Holben\Application Data\Viewpoint<VIEWPO~1>
2007-04-07 21:44:58 0 d-------- C:\Program Files\Viewpoint<VIEWPO~1>
2007-04-04 21:32:48 0 d-------- C:\Program Files\Microsoft.NET<MICROS~1.NET>
2007-04-04 21:28:05 0 d-------- C:\Program Files\Design Science<DESIGN~1>
2007-04-04 21:26:33 0 d-------- C:\Program Files\Java
2007-03-22 00:20:31 0 d---s---- C:\Documents and Settings\Scott Holben\Application Data\Microsoft<MICROS~1>
2007-03-20 20:22:10 0 d-------- C:\Program Files\Common Files\AOL
2007-03-20 20:14:55 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-03-20 19:49:42 0 d--h----- C:\Program Files\InstallShield Installation Information<INSTAL~1>
2007-03-17 06:43:01 292864 --a------ C:\WINNT\system32\winsrv.dll
2007-03-13 20:57:06 0 d-------- C:\Documents and Settings\Scott Holben\Application Data\Lavasoft
2007-03-08 08:36:28 577536 --a------ C:\WINNT\system32\user32.dll
2007-03-08 08:36:28 40960 --a------ C:\WINNT\system32\mf3216.dll
2007-03-08 08:36:28 281600 --a------ C:\WINNT\system32\gdi32.dll
2007-03-08 06:47:48 1843584 --a------ C:\WINNT\system32\win32k.sys
2007-02-05 13:17:02 185344 --a------ C:\WINNT\system32\upnphost.dll
2007-01-19 12:53:04 51056 --a------ C:\WINNT\system32\sirenacm.dll


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\WinPatrol.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-04-13 at 19:00:59 ---------



C:\WINNT\system32\d3d8caps.dat moved successfully.
C:\WINNT\DE187864A381460288231024D4CE4370.TMP moved successfully.
C:\wmplayer.dll unregistered successfully.
C:\wmplayer.dll moved successfully.
C:\WINNT\system32\update06281259.exe moved successfully.
C:\WINNT\system32\update92620748.exe moved successfully.
C:\WINNT\system32\nnnkj.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINNT\system32\byxywtt.dll
C:\WINNT\system32\byxywtt.dll NOT unregistered.
C:\WINNT\system32\byxywtt.dll moved successfully.
File/Folder c:\documents and settings\all users\start menu\programs\startup\MyWebSearch Email Plugin.lnk not found.
c:\winnt\downloaded program files\ATPartners.inf moved successfully.
File/Folder c:\winnt\downloaded program files\f3initialsetup1.0.0.8-2.inf not found.
c:\winnt\system32\in10b6s.dll unregistered successfully.
c:\winnt\system32\in10b6s.dll moved successfully.
c:\winnt\system32\saie321.dll unregistered successfully.
c:\winnt\system32\saie321.dll moved successfully.
LoadLibrary failed for C:\Documents and Settings\Scott Holben\Application Data\tvmknwrd.dll
C:\Documents and Settings\Scott Holben\Application Data\tvmknwrd.dll NOT unregistered.
C:\Documents and Settings\Scott Holben\Application Data\tvmknwrd.dll moved successfully.
C:\WINNT\system32\GoGo9CP.dll unregistered successfully.
C:\WINNT\system32\GoGo9CP.dll moved successfully.
C:\WINNT\system32\vm_d.dll unregistered successfully.
C:\WINNT\system32\vm_d.dll moved successfully.
C:\WINNT\system32\vm_d.exe moved successfully.
File/Folder C:\Program Files\MyWebSearch not found.

Created on 04-13-2007 00:47:17
Attached Files
File Type: txt main.txt (12.1 KB, 2 views)
File Type: txt 04132007_004717.txt (1.6 KB, 2 views)

Last edited by tetonbob : 04-14-2007 at 09:08 PM.
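The HijackThis section of the log posted above is what the analysts in this thread read by hand: each line starts with a section code (R0, O2, O4, O16, O20, O23, ...) and entries such as an unnamed BHO resolving to "(no file)" or a Winlogon Notify DLL are the ones that get a second look. The following is an added example, not code from the thread, from HijackThis or from Deckard's System Scanner: a small Python triage helper that parses lines in the format shown above and flags the entries an analyst would check first. The sample lines are copied from the log in this post; the flagging rules (orphaned or unnamed components, and O16/O20 entries marked for review) are this example's own heuristics, not a rule set the forum uses, and the line format is assumed from the HijackThis v1.99.1 output shown here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the HijackThis log posted above (page content,
# not constructed). The parser assumes the v1.99.1 "CODE - body" format.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O20 - Winlogon Notify: Sebring - c:\WINNT\System32\LgNotify.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""

# "R0 - ...", "O2 - ...", "F1 - ..." : section code, then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# A COM class id in braces: 8-4-4-4-12 hex digits.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    code: str                      # HijackThis section code, e.g. "O2"
    body: str                      # rest of the line
    clsid: Optional[str]           # CLSID if the entry carries one
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; return None for headers, blanks and process paths."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    cm = CLSID_RE.search(body)
    entry = Entry(code, body, cm.group(0) if cm else None)

    # Heuristics chosen for this example (assumptions, not a forum rule set):
    # a registered component whose backing file is gone is either leftover
    # from a removal or a sign something was deleted out from under the
    # registry; either way it is worth a look.
    if "(no file)" in body or "(file missing)" in body:
        entry.flags.append("orphaned")
    if "(no name)" in body:
        entry.flags.append("unnamed")
    # O20 (AppInit_DLLs / Winlogon Notify) code loads at logon in every session;
    # O16 (DPF) entries are ActiveX controls downloaded from a URL.
    if code in ("O16", "O20"):
        entry.flags.append("review")
    return entry


def parse_log(text: str) -> List[Entry]:
    """Parse a whole HijackThis log; non-entry lines are skipped."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Entry]:
    """Entries an analyst would read first: anything carrying a flag."""
    return [e for e in entries if e.flags]


def summarize(entries: List[Entry]) -> dict:
    """Count entries per section code, e.g. {'O2': 2, 'O4': 1, ...}."""
    counts: dict = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for e in triage(parsed):
        print(f"[{','.join(e.flags)}] {e.code} - {e.body}")
```

Run against the sample, the helper flags the unnamed "(no file)" BHO, the "(file missing)" O9 button, the O16 download and the O20 Winlogon Notify entry, and leaves the named, file-backed entries alone; the point is to separate the lines worth reading from the bulk of a log, not to decide for the analyst what is malicious.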
Old 04-14-2007, 09:21 PM   #7 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 26,752
OS: 2000 Pro; XP Pro; XP Home


Re: constant pop-ups, constantly new spyware/trojans

Hello, Holbens -

Quote:
I ran the scan twice before I posted the original thread and so now there is no extra.txt file in C:/Deckard/System Scan. Instead there is one main.txt file and two folders with very long sets of numbers each containing another main.txt file.
While forhockey is analyzing your logs, I'd like you to do this:


Please run Deckard's System Scanner once again, this time using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste this into the run box & click OK
"%userprofile%\desktop\dss.exe" /config
Click on "Check All"

Click Scan!

When finished, it shall produce two logs for you. Post those logs in your next reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.

Last edited by tetonbob : 04-14-2007 at 09:22 PM.
Old 04-15-2007, 07:16 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2007
Posts: 12
OS: XP Service Pack 2


Re: constant pop-ups, constantly new spyware/trojans

I did get two files this time. They are attached below. Hopefully this doesn't affect the scan, but I did reactivate SpywareGuard and WinPatrol before I ran the test. If you need me to disable them and run it again I can.

Deckard's System Scanner v20070328.36
Run by Scott Holben on 2007-04-15 at 19:11:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2007-04-16 02:11:46 UTC - RP619 - Deckard's System Scanner Restore Point
30: 2007-04-14 23:26:31 UTC - RP618 - System Checkpoint
29: 2007-04-13 06:35:56 UTC - RP617 - System Checkpoint
28: 2007-04-12 06:33:26 UTC - RP616 - Software Distribution Service 2.0
27: 2007-04-11 01:22:14 UTC - RP615 - Software Distribution Service 2.0


-- First Restore Point --
1: 2007-03-09 0436 UTC - RP589 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Scott Holben.exe) ----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:12:33 PM, on 4/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\1XConfig.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\M-Audio\Transit\Install\TUSBInst.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Scott Holben\desktop\dss.exe
C:\PROGRA~1\HIJACK~1\SCOTTH~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://0-site.ebrary.com.nell.boulde.../ebraryRdr.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: