Old 05-21-2006, 12:02 AM   #1 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


IE closing, Spysheriff reinstalling

Glad I found this place, hope someone can help.

Basically, while I am surfing and clicking on links or whatever, every now and then I will hear what sounds like many rapid clicks of the mouse. Sometimes it just makes the noise and nothing, other times it will close all active IE windows. Also, this may or may not have to do with the fact that the Spysheriff program or whatever it's called seems to keep coming up on my scans, even after removal. I have removed it several times but it keeps showing up in Ad-Aware.

If it helps at all, there are several programs that I turned off from my startup menu in msconfig (as directed) that I did reactivate for my scan, such as QuickTime, RealPlayer, Steam, and Norton Ghost.

Thanks.

My log follows:

Logfile of HijackThis v1.99.1
Scan saved at 2:47:00 AM, on 5/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/0203010...verContent.cab
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...ridge-c356.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex...oadcontrol.cab
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://198.99.241.129/ePlayer/V3_2_0_0/ACNePlayer.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/ev...203/MILive.cab
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
rathofman is offline  
Old 05-21-2006, 08:59 AM   #2 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 26,836
OS: Win XP Pro SP3 / Win 7 Pro
Hi rathofman and welcome to TSF.

Thanks for the info on SpySheriff - very helpful.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.


If there is anything you don't understand, please ask BEFORE proceeding with the fixes.


Please ensure that you follow the instructions in the order I have them listed.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.


Download Ewido Anti-Malware
  • Install Ewido Anti-Malware
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
When you have finished updating, EXIT Ewido.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop. Do not use it yet!



Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.



Run SmitfraudFix
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.



HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

R3 - Default URLSearchHook is missing
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/We...ridge-c356.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://198.99.241.129/ePlayer/V3_2_0_0/ACNePlayer.cab
O16 - DPF: {F992FDC0-DAA7-4774-B01C-E9DFF19FE0FE} (Invoke Solutions MILive Participant Control(MR)) - http://online.invokesolutions.com/ev...203/MILive.cab
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)


Please remember to close all other windows, including browsers then click Fix checked.




Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.


Go to Control Panel click Display > Desktop > Customize Desktop > Web > Now, Uncheck Everything and delete if present:
• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.


Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.



Run Ewido
Run Ewido with its updated definitions (...it's important that all windows must be closed)
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save Report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

NOTE: Ewido scan will require at least an hour.



Reboot
Reboot your system in Normal Mode.



SmitfraudFix - Additional Items
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.



Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan




Logs required
rapport.txt
Ewido Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
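An added example, not from this thread or from HijackThis itself: a small Python triage pass over a handful of lines copied from the log in post #1, applying the kind of defender heuristics reflected in the fix list in post #2 (dangling file references, entries with no display name, ActiveX download sources using hcp:// or a bare IP address). The rule names and the parsing helpers are my own; only the sample log lines come from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis v1.99 log posted in this
# thread, chosen so that both benign and suspect entry types are present.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://198.99.241.129/ePlayer/V3_2_0_0/ACNePlayer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: gdiwxp - gdiwxp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
"""


@dataclass
class Entry:
    section: str                 # HJT section code, e.g. "R3", "O16", "O20"
    body: str                    # everything after "O16 - "
    reasons: List[str] = field(default_factory=list)

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


# Entry lines look like "<Letter><digits> - <body>"; header and process-list
# lines do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# An O16 whose GUID is followed directly by " - " has no friendly name.
UNNAMED_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\} - ")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hjt(text: str) -> List[Entry]:
    """Split a HijackThis log into Entry objects (section code + body)."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def dpf_target(body: str) -> str:
    """For an O16 (Downloaded Program Files) body, return the source URL.

    The URL is the text after the last ' - '; returns '' when absent (the
    Java entries in the thread's log end with a bare '-')."""
    _head, sep, url = body.rpartition(" - ")
    return url.strip() if sep else ""


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to every entry a reviewer would want a closer look at.

    These are heuristics, not verdicts: a flagged entry is a candidate for
    manual review, exactly as the helper in post #2 reviewed the full log."""
    for e in entries:
        b = e.body
        if b.endswith("(no file)") or b.endswith("(file missing)"):
            e.reasons.append("references a file that is no longer on disk")
        if "(no name)" in b:
            e.reasons.append("entry has no display name")
        if e.section == "R3" and "is missing" in b:
            e.reasons.append("URLSearchHook is missing (hijacker residue)")
        if e.section == "O16":
            if UNNAMED_DPF_RE.match(b):
                e.reasons.append("ActiveX control registered without a friendly name")
            url = dpf_target(b)
            parts = urlsplit(url) if url else None
            if parts is not None and parts.scheme.lower() == "hcp":
                e.reasons.append("source is hcp:// (Help Center), not an ordinary web download")
            if parts is not None and parts.hostname and IP_HOST_RE.match(parts.hostname):
                e.reasons.append("download host is a bare IP address")
    return [e for e in entries if e.reasons]


def flagged_lines(text: str) -> List[str]:
    """Convenience wrapper: parse, triage, and return the flagged log lines."""
    return [e.line for e in triage(parse_hjt(text))]


if __name__ == "__main__":
    for e in triage(parse_hjt(SAMPLE_LOG)):
        print(e.line)
        for r in e.reasons:
            print("    ->", r)
```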
Old 05-21-2006, 02:43 PM   #3 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Ok, I have done all you said except for the last thing where there is a problem. When I go to run the Panda active scan, I cannot start it. I get the popup, I put in my information to check now, but I cannot install the ActiveX control. Usually with IE the yellow bar will come down from under your toolbars and tell you to click it if you want to install. Well, I hear the noise it makes, but I see no yellow bar to click and therefore cannot install in order to scan. What should I do?
rathofman is offline  
Old 05-21-2006, 02:50 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 26,836
OS: Win XP Pro SP3 / Win 7 Pro
Hi

Try this

From within Internet Explorer click on the Tools menu and then click on Internet Options.
  • Select the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Select Custom Level.
      • Change 'Download unsigned ActiveX controls' to Prompt
      • Click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Select OK to exit the Internet Properties page.


If that doesn't work, post the logs you have and we'll take it from there.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
Old 05-21-2006, 05:48 PM   #5 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


OK, got it all to work - here are my logs:

Rapport.txt:

SmitFraudFix v2.45

Scan done at 15:11:29.64, Sun 05/21/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End



Ewido:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:12:18 PM, 5/21/2006
+ Report-Checksum: 6DE12947

+ Scan result:

HKLM\SOFTWARE\Preview AdService -> Adware.BlazeFind : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Linkbuddies : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.140:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.143:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.155:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.156:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.157:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.158:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.159:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.160:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.161:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.164:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.169:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.174:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.175:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.176:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.189:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.193:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ut7oa8yx.ProfileName\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1137\A0192059.dll -> Logger.Goldun.hk : Cleaned with backup
C:\WINNT\Downloaded Program Files\OTXMedia.dll -> Adware.OTX : Cleaned with backup

::Report End

Panda (I did not fix anything yet, I believe I was not supposed to):

Incident Status Location

Adware:adware/xupiter Not disinfected C:\Documents and Settings\Administrator\Favorites\Free Stuff
Spyware:spyware/searchcentrix Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\New Folder\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\NPROTECT\00097566.exe
Security Risk:HackTool/Gendel.A Not disinfected C:\WINDOWS\SYSTEM\setup\gendel32.ex_
Virus:Trj/Goldun.HY Disinfected C:\WINNT\cpu.exe
Virus:Trj/PasswordStealer.A Disinfected C:\WINNT\system32\gdiw2k.sys
Adware:Adware/Lop Not disinfected X:\Jeff\Misc\bittorrent-3.4.1.exe[minime.exe]
Potentially unwanted tool:Application/Processor Not disinfected X:\Jeff\SmitfraudFix.zip[SmitfraudFix/Process.exe]


So that is everything for now...do you need anything else?
Old 05-21-2006, 08:13 PM   #6 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Update:

As I have been waiting for your response, IE is still closing down automatically without warning.
Old 05-22-2006, 12:36 PM   #7 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 26,836
OS: Win XP Pro SP3 / Win 7 Pro


Hi again

Please also post a fresh HijackThis Log.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.

Old 05-22-2006, 06:20 PM   #8 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Ah, my fault! I ran the log and saved it but never posted it! OK, here is the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:18:25 PM, on 5/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINNT\System32\rsvp.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/0203010...verContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex...oadcontrol.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Old 05-23-2006, 01:59 PM   #9 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 26,836
OS: Win XP Pro SP3 / Win 7 Pro


Hi again

Looking better now – how is your system running?

Follow these instructions for IE

Go to Control Panel, click Display > Desktop > Customize Desktop > Web. Now uncheck everything and delete the following if present:
• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, then Apply, then OK.



Open HijackThis and click on Scan. Check the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm


Please remember to close all other windows, including browsers then click Fix checked.



File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Documents and Settings\Administrator\Favorites\Free Stuff <- - Delete only the contents of this folder
C:\WINDOWS\SYSTEM\setup\gendel32.ex_

Panda showed up a Bittorrent file as infected - is it on an external drive?
Adware:Adware/Lop Not disinfected X:\Jeff\Misc\bittorrent-3.4.1.exe[minime.exe]



Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems.
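The review above works line by line through a HijackThis log, flagging the R0 Local Page entries and checking whether earlier fixes took. As an added example (not code from this thread, from HijackThis or from any scanner named in it), here is a small Python triage helper that parses the R/O section lines in this log format, raises the reviewer prompts an analyst applies to them (it goes a little beyond the thread by also flagging the malformed proxy, the orphaned BHO, DPF entries with no source and a service with an unknown owner), and diffs two logs of the same machine to show what a round of fixes removed. The sample logs are constructed from excerpts of the 22 May and 24 May logs posted above.

```python
"""Triage helper for HijackThis v1.99.1 logs in the format posted in this thread.

Added example: not code from the thread, HijackThis or any scanner named above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Section lines look like "R0 - ...", "O2 - BHO: ...", "O23 - Service: ...".
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


@dataclass
class Entry:
    kind: str                                  # section code, e.g. "R0", "O23"
    detail: str                                # text after "Rn - " / "Onn - "
    flags: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Entry]:
    """One Entry per section line; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def triage(entry: Entry) -> List[str]:
    """Reviewer heuristics for one entry: prompts to look closer, not verdicts."""
    d = entry.detail
    flags = []
    if entry.kind == "R0" and "Local Page" in d:
        # "Local Page" is normally unset; hijackers commonly redirect it.
        flags.append("local-page-override")
    if entry.kind == "R1" and "ProxyServer" in d:
        value = d.split("=", 1)[1].strip()
        if value == "" or value.startswith(":"):
            # ":0" is a host-less proxy on port 0: a malformed leftover setting.
            flags.append("malformed-proxy")
    if entry.kind == "O2" and ("(no name)" in d or d.endswith("(no file)")):
        # BHO CLSID still registered but its DLL is gone: an orphaned entry.
        flags.append("orphaned-bho")
    if entry.kind == "O16" and d.endswith("-"):
        # Downloaded Program File with no recorded source URL.
        flags.append("dpf-no-source")
    if entry.kind == "O23" and "Unknown owner" in d:
        # Service whose binary carries no recognised publisher.
        flags.append("service-unknown-owner")
    entry.flags = flags
    return flags


def flagged(text: str) -> List[Entry]:
    """All entries in a log that raise at least one flag."""
    return [e for e in parse_log(text) if triage(e)]


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """What a round of fixes removed from a log and what newly appeared."""
    b = {f"{e.kind} - {e.detail}" for e in parse_log(before)}
    a = {f"{e.kind} - {e.detail}" for e in parse_log(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b)}


# Constructed samples: excerpts of the 22 May and 24 May logs posted in the thread.
LOG_MAY22 = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
"""

LOG_MAY24 = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
"""

if __name__ == "__main__":
    for e in flagged(LOG_MAY22):
        print(f"{e.kind:<4}{', '.join(e.flags):<24}{e.detail}")
    print(diff_logs(LOG_MAY22, LOG_MAY24))
```

Against the two sample logs the diff shows the two Local Page entries and the Google Toolbar BHO gone and only the Kaspersky scanner control newly added, which is the check the helper was making by asking for a fresh log.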
Old 05-24-2006, 02:33 PM   #10 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Newest Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:28:23 PM, on 5/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\AIM95\aim.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: USB Manager.lnk = C:\Program Files\Belkin\Belkin Wireless USB Adapter Manager\WlanMonitor.exe
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://12.47.101.191/central/0203010...verContent.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/p.../PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-30.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/s...vest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - http://activex.microsoft.com/activex...oadcontrol.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINNT\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GBPoll - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Kaspersky Scan Log:


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, May 24, 2006 5:24:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 24/05/2006
Kaspersky Anti-Virus database records: 196074
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
X:\

Scan Statistics:
Total number of scanned objects: 102246
Number of viruses found: 34
Number of infected objects: 101
Number of suspicious objects: 5
Duration of the scan process: 01:08:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadAcceleratorPlus.zip/RestartApp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloadAcceleratorPlus.zip ZIP: suspicious - 1 skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\001F5A1D Infected: not-a-virus:AdWare.Win32.QLF.a skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0050090E.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\009F730D.class Infected: Trojan.Java.ClassLoader.z skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0246168E.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\04EB0B31.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\05286DAD.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\054378D0.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\08FF6A51.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\10CE5522.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\114617BC.class Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1296649D.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\137F184B.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\175D0659.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\17840AD1.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\18413E95 Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\18DC5359.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BA2F39.anr Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BD5935.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BD5935.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BD5935.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BD5935.jar ZIP: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\19BD5935.jar CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1D8A20FB.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1D8E4AF8.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1D8E4AF8.exe Infected: Trojan-Downloader.Win32.Small.bkg skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\215C0102.anr Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\215C0102.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\21D41FF3 Infected: not-a-virus:Downloader.Win32.OTXloader skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\21F65E4C.class Infected: Trojan.Java.Femad skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27924B41.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2795753E.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27BC584F Infected: not-a-virus:Downloader.Win32.OTXloader skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\30532CA1.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\33AE2827.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\34AD7B3A Infected: Trojan-Downloader.JS.IstBar.j skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\376A1398.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3BAD7A2E Infected: not-a-virus:AdWare.Win32.WinAD.aa skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\40A31B83.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\41441830.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\43362217.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\441517FB.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\442A61EE.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\45660C54.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\45660C54.htm Infected: Trojan-Downloader.HTML.Agent.ap skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\45DD6B71.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\47E26949.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48C0124E.dll Infected: Trojan-Spy.Win32.Goldun.hk skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4AD110D8.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\507A0CC6.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\508160BF.class Infected: Trojan-Dropper.Java.Small.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5134742C.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\51371E28.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\513A4825.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\51511505 Infected: Trojan-Downloader.Win32.Dyfuca.ei skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\55E92B6C.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\56CD7402.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\592C470B.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\593A4785.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\59850D32.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\598B1840.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\599C3319.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5A5F574F.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5AAF2C49.anr Infected: Trojan-Downloader.Win32.Ani.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5AAF2C49.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5BE657FA.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5D130A72.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5D2E5A55.wmf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5D652418.class Infected: Trojan.Java.ClassLoader.h skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5EE84591.emf Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\60313B3C.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6069368B.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\66BD1B7D Infected: not-a-virus:AdWare.Win32.WinAD.bg skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\68385B21.htm Infected: Trojan-Downloader.HTML.Agent.ap skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\68F97839.class Infected: Trojan-Dropper.Java.Small.c skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6DE64A27.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6DE64A27.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6E864763.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6F90080D.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\706C542C.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\71AC7F1C Infected: not-a-virus:Downloader.Win32.OTXloader skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\71AF2918 Infected: not-a-virus:AdWare.Win32.WinAD.ab skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\727B148D Infected: Trojan-Downloader.Win32.IstBar.nl skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\77F42B84.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\784614C4.class Infected: Trojan.Java.ClassLoader.d skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\79E359CE.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7FD743C2.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\7FF4600F Infected: Trojan-Spy.Win32.Goldun.dc skipped
C:\RECYCLER\NPROTECT\00097655.sys Infected: Trojan-Spy.Win32.Haxspy.t skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1120\A0182497.EXE/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1120\A0182497.EXE NSIS: infected - 1 skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1160\A0200313.EXE/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1160\A0200313.EXE/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1160\A0200313.EXE NSIS: infected - 2 skipped
X:\Jeff\Misc\BitTorrent-4.0.4.exe/stream/data0003 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
X:\Jeff\Misc\BitTorrent-4.0.4.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
X:\Jeff\Misc\BitTorrent-4.0.4.exe NSIS: infected - 2 skipped
X:\Jeff\Misc\excursion9.5.install.exe/mIRC.ExCurSioN.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 skipped
X:\Jeff\Misc\excursion9.5.install.exe ViseMan: infected - 1 skipped
X:\Jeff\Misc\excursion9.5.install.exe ViseMan: infected - 1 skipped
X:\Jeff\Misc\hl1110.exe/WISE0025.BIN Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
X:\Jeff\Misc\hl1110.exe WiseSFX: infected - 1 skipped
X:\RECYCLER\S-1-5-21-847386435-1281075794-1619295386-500\Dx1.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Swizzor.k skipped
X:\RECYCLER\S-1-5-21-847386435-1281075794-1619295386-500\Dx1.exe/stream Infected: Trojan-Downloader.Win32.Swizzor.k skipped
X:\RECYCLER\S-1-5-21-847386435-1281075794-1619295386-500\Dx1.exe NSIS: infected - 2 skipped

Scan process completed.




Computer is running fine, but the main reason I posted here is because my IE was shutting down. That was still happening before I did the most recent tasks, and I do not know if it still is now (I am trying to stay away from the internet a bit while I try and fix things)


You have told me to "Go to Control Panel click Display > Desktop > Customize Desktop > Web > Now, Uncheck Everything and delete if present: " twice now, but both times nothing was in there anyways.

I deleted the files you told me, but one was just my favorites...I deleted them, but was there a problem in there? Can I re-bookmark those sites?

In the Kaspersky scan everything said "skipped" so I do not think it actually cleaned everything. I also saw a bunch of stuff having to do with programs I deleted a LOOOONG time ago...that and there was a bunch of Norton System works stuff.
rathofman is offline  
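The "skipped" question raised in the post above is really a question about reading the report: the last word on each line is the action the scanner took, and "skipped" means the object was reported, not cleaned. The script below is an added example from the editor, not something posted in this thread and not a Kaspersky tool; it parses the two line shapes seen in the report (a per-object verdict and a per-archive "infected - N" summary) and buckets each hit by where it lives, so that material already sitting in Norton's quarantine, in System Restore points or in the Recycle Bin is separated from files in live paths. The sample lines are copied from the report above; the bucket names and the "not-a-virus:" severity rule are the editor's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Lines copied from the Kaspersky report posted earlier in this thread.
SAMPLE_REPORT = r"""
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2795753E.htm Infected: Exploit.HTML.Mht skipped
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\43362217.htm Suspicious: Exploit.HTML.Mht skipped
C:\RECYCLER\NPROTECT\00097655.sys Infected: Trojan-Spy.Win32.Haxspy.t skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1120\A0182497.EXE/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\System Volume Information\_restore{87925209-405C-42A6-8FEE-9CF10CC35238}\RP1120\A0182497.EXE NSIS: infected - 1 skipped
X:\Jeff\Misc\BitTorrent-4.0.4.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
X:\RECYCLER\S-1-5-21-847386435-1281075794-1619295386-500\Dx1.exe NSIS: infected - 2 skipped

Scan process completed.
"""

# Two line shapes appear in the report: a per-object verdict and a per-archive
# summary. Paths contain spaces, so the path group is non-greedy and anchored
# by the distinctive token that follows it.
OBJECT_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$"
)
ARCHIVE_RE = re.compile(
    r"^(?P<path>.+?) (?P<packer>\w+): infected - (?P<count>\d+) (?P<action>\S+)$"
)

# Containers that already hold the object out of harm's way: a hit here is
# leftover evidence to be emptied, not an active infection. (Editor's buckets.)
CONTAINED = {"norton_quarantine", "restore_point", "recycle_bin"}


@dataclass
class Finding:
    path: str
    verdict: str    # Infected / Suspicious
    name: str       # detection name, or "<packer> archive (n infected member(s))"
    action: str     # what the scanner did with the object, e.g. "skipped"
    location: str   # bucket from classify_location()
    severity: str   # malicious / advisory / suspicious / summary


def classify_location(path: str) -> str:
    """Bucket a path by the container it sits in. Order matters: a restore-point
    copy of an installer counts as a restore-point object, not an archive member."""
    upper = path.upper()
    if "\\QUARANTINE\\" in upper:
        return "norton_quarantine"
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in upper:
        return "restore_point"
    if "\\RECYCLER\\" in upper:
        return "recycle_bin"
    if "/" in path:            # the report uses '/' to descend into archives
        return "archive_member"
    return "live_file"


def classify_severity(verdict: str, name: str) -> str:
    """Kaspersky's "not-a-virus:" prefix marks riskware/adware rather than malware."""
    if verdict == "Suspicious":
        return "suspicious"
    return "advisory" if name.startswith("not-a-virus:") else "malicious"


def parse_report(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := OBJECT_RE.match(line):
            verdict, name = m["verdict"], m["name"]
            findings.append(Finding(m["path"], verdict, name, m["action"],
                                    classify_location(m["path"]),
                                    classify_severity(verdict, name)))
        elif m := ARCHIVE_RE.match(line):
            # The member lines carry the real verdicts; this is only a roll-up.
            name = f"{m['packer']} archive ({m['count']} infected member(s))"
            findings.append(Finding(m["path"], "Infected", name, m["action"],
                                    classify_location(m["path"]), "summary"))
        # Anything else ("Scan process completed.", blank lines) is not a finding.
    return findings


def summarize(findings: list[Finding]) -> dict:
    """The numbers the poster actually wants: was anything cleaned, and how much
    of the list is already contained versus sitting in a live path."""
    return {
        "total": len(findings),
        "by_action": dict(Counter(f.action for f in findings)),
        "by_location": dict(Counter(f.location for f in findings)),
        "by_severity": dict(Counter(f.severity for f in findings)),
        "nothing_cleaned": all(f.action == "skipped" for f in findings),
        "needs_attention": [f.path for f in findings if f.location not in CONTAINED],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report, the "by_location" counts show why the list is long: most entries are Norton's own quarantine folder and restore-point copies, which are exactly what the helper's next steps (empty the Recycle Bin, clear Norton's quarantine) get rid of. Only the "needs_attention" paths are objects in live locations that still need a decision.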
Old 05-24-2006, 02:53 PM   #11 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 26,836
OS: Win XP Pro SP3 / Win 7 Pro


Hi again

Apologies for asking you to do the same thing twice – advanced senility on my part.

You can bookmark sites again – although Panda wasn’t saying much about the contents, I felt it was better safe than sorry.

Please empty your Recycle Bin.

Clear out Norton's Quarantine folder. If you're unsure on how to do it, you can use Symantec's guide.


Please use IE for a while and let me know if it is still shutting down. Your system appears clean but I need to be sure. Is IE the only problem – nothing else ‘weird’ happening?
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 05-29-2006, 06:15 PM   #12 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Well the computer runs generally fine and is looking good, thanks for all your help on that. However, IE still closes randomly for no reason. Sometimes I open up the browser window, click one thing and then it closes...other times I can go on for long periods of time before it shuts down.
rathofman is offline  
Old 05-29-2006, 07:23 PM   #13 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,326
OS: Windows 98 & Windows XP Home/Pro


Do you still hear those rapid clicks now? Do you have a popup blocker installed?

Let's see if any system files are corrupted or missing.

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 05-31-2006, 11:32 AM   #14 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Yes, I still hear those rapid clicks...sometimes it just rapidly clicks and nothing...other times it rapid clicks and then closes all browsers. I have SP2 which has a popup blocker, but the little bar that comes up under the toolbars doesn't show anymore (like when I want to install ActiveX controls, it does not prompt me to "click here" to install). I also have the Google toolbar popup blocker, but the clicks and the IE shutting down happen whether it is installed or not.

I will go ahead and do that scan now.
rathofman is offline  
Old 05-31-2006, 08:27 PM   #15 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,326
OS: Windows 98 & Windows XP Home/Pro


Take a look here. You see in the settings there is an option to uncheck for the sounds. Try unchecking that and hit OK. Close IE and then open it back up again. See if you still get the clicks now.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-01-2006, 02:35 PM   #16 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Ok so this leads me to some other interesting problems...Under Tools in IE:

I have the first option, Mail and News...below that, it is blank, as in something should be there but there is no text displayed, and there is an arrow for a submenu, but nothing is in the submenu either (this is where the popup blocker settings should be). Also, under where the popup blocker should be, there is another simple blank space where "Manage Add-ons" should be (according to the picture on the link you gave me). Everything else that should be on the menu is there.

So basically, I cannot even get to the settings for the popup blocker.
rathofman is offline  
Old 06-03-2006, 11:51 AM   #17 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,326
OS: Windows 98 & Windows XP Home/Pro


Was SFC scan able to find anything?

Try this also:
Quote:
From the Start menu, select Search, select All Files and Folders.
Select More Advanced Options and place a checkmark beside Search Hidden Files and Folders option.
Ensure that Search System Folders and Search Subfolders are also checked.
In the All or Part of the File Name box, type ie.inf
In the Look In drop-down menu, select C: or the letter of the hard drive that contains the Windows folder.
Click the Search button.
In the search results pane, find the ie.inf file located in Windows\Inf folder.
Right click the ie.inf file and click Install on the context menu.
Reboot the computer when the file copy process is complete.
See if the menus under Tools in IE are back now.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-03-2006, 01:16 PM   #18 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


The scan at the start wanted my CD so I put it in and it just ran. It did not say anything otherwise.

As for the .inf file - I found the right one (out of three) but when I went to install it, it asked for the Service Pack 2 CD - I do not have a SP2 CD...I upgraded online from SP1.

What now?
rathofman is offline  
Old 06-04-2006, 07:54 PM   #19 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,326
OS: Windows 98 & Windows XP Home/Pro


You might have to slipstream XP SP2 in order to get SFC to recover those files. Take a look here for steps on how to do this.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

greyknight17 is offline  
Old 06-15-2006, 03:47 PM   #20 (permalink)
Registered User
 
Join Date: May 2006
Posts: 17
OS: WinXP


Just a note here - nothing else was working, so I went ahead and tried downloading the IE 7 beta version and, once installed, all the problems were fixed. This thread can now be closed.

Thank you everyone for your help, cleaned my computer up some, and the problem got fixed eventually anyways. Thanks!
rathofman is offline  
Copyright 2001 - 2010, Tech Support Forum