Nasty Persistent Pop-up Hijack log please help

[LynRis]

This is a muli-part pop-up that is very intrusive and slows everything down. I have run Ad-aware, Spoybot (safe mode) and a virus scan, although there some other issues cleaned, this thing won't go away. I will greatly appreciate your expertise in dumping this thing.

Logfile of HijackThis v1.99.1
Scan saved at 6:18:35 PM, on 06/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\users32.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Lyndon\Local Settings\Temp\HijackThis.exe
C:\WINDOWS\system32\qjrkvy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bej...ploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

[tetonbob]

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please submit the following file to Jotti File Scan

C:\WINDOWS\system32\adobepnl.dll

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here, at the end of this fix.

---------------------------------------------------------------------------------------------

Have you intentionally installed Noble Poker?

---------------------------------------------------------------------------------------------


Download Ewido Anti-Malware

• Install Ewido Anti-Malware
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

• On the left hand side of the main screen click update.
• Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.

---------------------------------------------------------------------------------------------


Delete the following Filesif they exist:

C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\runsrv32.exe

---------------------------------------------------------------------------------------------


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

• Click Scanner
• Click Complete System Scan to begin scanning.
• Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

• "Perform action on all infections"
• Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour.

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner

1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on See report then click Save report

*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Please return with logs from:

jotti scan
Ewido
Panda
HJT

[LynRis]

Thank-you for responding. I assume I am suscribed to the the thread because I got an e-mail notification. I will take a run at the fix in about half an hour. You asked about Noble Poker, I did not install it, my son may have but if it is a good idea to ditch it let me know. Is there a trick to it? Again thanks for responding I am anxious to get this fixed.

[tetonbob]

No real trick to it...these programs can be gateways to other malware, and if they are not intentionally installed, we recommend their removal.

Uninstalling them in safe mode can be the best way to do it...we can leave that off till the next round once you're sure you want it removed.

[LynRis]

I am waiting for my chance to get in Jotti for the scan. I have the ewido and clean up loaded and ready. It has been tough because my machine was in tough shape last nite and I had to do all the cleaning again (with spybot,adaware etc) before I could get it to operate the internet and had to run it a few times. Anyway, as soon as I get the Jotti scan in the rest won't take me long.
Regards
Lyndon

[LynRis]

Have got the Jotti submit process going twice with the file C:\WINDOWS\system32\adobepnl.dll
Both times it worked at uploading the file for about five minutes and then flashed to a blank internet page, Cannot Find Server.

I will continue to try but should I maybe move on and do all the other stuff, then try again for the Jotti scan? Like I said I will continue to try the Jotti thing until I hear from you.

Thank-you

[LynRis]

got the Jotti scan, the rest will come shortly
Service load: 0% 100%

File: adobepnl.dll_
Status: INFECTED/MALWARE
MD5 10fd22b01d8b0dde1fb330a80fb0b9d5
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found SpyDldr.G!tr
Kaspersky Anti-Virus Found not-virus:Hoax.Win32.Renos.dm
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

[tetonbob]

LynRis -

How's it going? Still waiting for the rest of the results so we can continue.....

[LynRis]

Hi, sorry I haven't responded. my machine/internet function is so bogged down I can't get any thing sent out (I am on another computer right now, (same internet connection). I got the Ewido scan and log done last night BUT I can't get it sent. I also cannot get the Panda scan done for the same reason. I will continue to try. I could probably get a copy of the Ewido scan log to you from this machine. Do you have any suggestion for "unbogging" my machine/internet function enough to get that Panda scan done?
Thanks

[LynRis]

Here is the Ewido, Panda and Hijack log, you have the Jotti scan in an earlier response. I you are curious as to what changed to "unbog" me; I restarted the machine with the internet cable unhooked, got to the Explorer page, then hooked up the cable. Don't know why it worked, glad it did.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:28:49 PM, 08/06/2006
+ Report-Checksum: 458D538B

+ Scan result:

HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup
HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO\HomePage -> Adware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO\RedirectURLS -> Adware.KeenValue : Cleaned with backup
HKU\S-1-5-21-2139360463-1964608120-3775675548-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\tm41bgw2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\tm41bgw2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\tm41bgw2.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\tm41bgw2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\tm41bgw2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Linda\Application Data\Mozilla\Firefox\Profiles\tm41bgw2.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.208:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.214:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.215:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.216:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.217:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.242:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.243:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.244:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.246:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.254:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.263:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.268:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.269:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned with backup
:mozilla.277:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.278:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.280:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.285:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.290:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.302:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.303:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.315:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.316:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.317:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.346:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Estat : Cleaned with backup
:mozilla.355:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.365:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Adviva : Cleaned with backup
:mozilla.369:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.393:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.394:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.395:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.402:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.408:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.414:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.415:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.416:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.417:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.443:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Spylog : Cleaned with backup
:mozilla.444:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Trafic : Cleaned with backup
:mozilla.454:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.455:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.456:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.457:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.458:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.459:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Valuead : Cleaned with backup
:mozilla.466:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.485:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.495:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.499:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.505:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.506:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.515:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.518:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned with backup
:mozilla.540:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.567:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
:mozilla.568:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
:mozilla.571:C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Kmpads : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Samantha\Application Data\Mozilla\Firefox\Profiles\jn1u3uls.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Samantha\Application Data\Mozilla\Firefox\Profiles\jn1u3uls.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Samantha\Application Data\Mozilla\Firefox\Profiles\jn1u3uls.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Samantha\Application Data\Mozilla\Firefox\Profiles\jn1u3uls.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Samantha\Application Data\Mozilla\Firefox\Profiles\jn1u3uls.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Samantha\Application Data\Mozilla\Profiles\default\78ea63co.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Program Files\MaxSpeed -> Adware.SideFind : Cleaned with backup
C:\RECYCLER\S-1-5-21-2139360463-1964608120-3775675548-500\Dc3\Setup.dat/sponsor.exe -> Downloader.Swizzor.ag : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\gkllkcjt.zsj -> Hijacker.Small.js : Cleaned with backup


::Report End

Panda Scan
Incident Status Location

Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
Spyware:spyware/bridge Not disinfected c:\windows\system32\bridge.dll
Adware:adware/admess Not disinfected c:\windows\system32\tcpservice2.exe
Adware:adware/topspyware Not disinfected c:\windows\system32\txfdb32.dll
Adware:adware/delfinmedia Not disinfected c:\keys.ini
Adware:adware/thespyguard Not disinfected c:\windows\bg.gif
Adware:adware/btgrab Not disinfected c:\windows\BTGrab.dll
Adware:adware/transponder Not disinfected c:\windows\dlmax.dll
Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe
Adware:adware/navhelper Not disinfected c:\program files\NavExcel
Adware:adware/winactive Not disinfected Windows Registry
Adware:adware/iedriver Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/alexa-toolbar Not disinfected Windows Registry
Adware:adware/elitebar Not disinfected Windows Registry
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Lyndon\Application Data\Mozilla\Firefox\Profiles\hfol2vza.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Mp3search Not disinfected C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\ci5zdkft.default\cookies.txt[.mp3search.ru/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nathan\Application Data\Mozilla\Profiles\default\j2ynlllf.slt\cookies.txt[.maxserving.com/]

Logfile of HijackThis v1.99.1
Scan saved at 7:41:23 PM, on 09/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Lyndon\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bej...ploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

[tetonbob]

Before you do anything else, create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Disconnect from the internet. Pull the plug if needed.

Please disable Ewido Security Suite's Guard, as it may hinder the removal of some entries. You can re-enable it after you're clean.

• Open ewido by double-clicking the yellow 'e' icon in the system tray.
• In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
• When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?". Reply "No" and set it to ''inactive'' for the duration of your cleanup.

Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.

• Open Windows Defender.
• Click on Tools, General Settings.
• Scroll down and uncheck Turn on real-time protection (recommended).
• After you uncheck this, click on the Save button and close Windows Defender.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

Code:

REGEDIT4

[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.
---------------------------------------------------------------------------------------------

Clear your Firefox cookies. From the open browser, go toTools>Options>Privacy>Cookies>Clear

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll (file missing)
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following if they exist:

c:\program files\NavExcel
c:\windows\system32\a.exe
c:\windows\system32\bridge.dll
c:\windows\system32\tcpservice2.exe
c:\windows\system32\txfdb32.dll
c:\keys.ini
c:\windows\bg.gif
c:\windows\BTGrab.dll
c:\windows\dlmax.dll
c:\windows\susp.exe

---------------------------------------------------------------------------------------------

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found:
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

---------------------------------------------------------------------------------------------

Restart in normal mode

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file. Re-establish an internet connection and post it here.

---------------------------------------------------------------------------------------------


How is your system behaving now, please?

[LynRis]

My machine is bogged down again, I am at another computer, same connection again.
I got everything done on the second set of instructions, DR WEB did not complete it's scan. It stopped 2/3 of the way thru the main scan with the normal Windows message screen, dr WEb has encountered errors and must be shut down, send error message, yes/no etc etc.

I rechecked all the other steps, nothing missed, tried again, same result at the same spot. I ran Ewido and spybot again, tried DR WEb again, same result.
I will try to unbog my machine and send you the Hijacklog and the partial DR Web log (one Item). Any advice?

[tetonbob]

Keep the infected machine disconnected from the internet until we've got it clean. Pull the plug.

Carry any tools to it via USB stick drive or CDR.

What file is it hanging on, can you tell?

Delete that version of Dr. Web. Dr.Web has no built-in update function, and has new updates built in to the downloadable file twice an hour. We'll address that in a bit if I want to use it again. I need to see a new HJT log.

I also need you to run these tools as well:

* Download WinPFind http://www.bleepingcomputer.com/files/winpfind.php
o Double click on WinPFind and unzip it to your Desktop.
o Don't do anything with it yet!

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Double click WinPFind.exe

* Click 'Start Scan'
* It will scan the entire system, so please be patient!
* Once the scan is complete:
1. Go to the WinPFind folder
2. Locate WinPFind.txt
3. Copy those results in the next post!

So, please return with a new HJT log, WinPFind's log, the rapport.txt from SmitfraudFix, and any info from Dr. Web you may have been able to glean.

[LynRis]

I cannot tell what file it hangs up on, but it is at about the same place on the guage.

[LynRis]

Will it be safe to transfer the hijack log and the SmitFraud logs from the infected machine by USB memory key. I don't want to infect this laptop

[greyknight17]

It should be safe...if you are worried, you can scan the files on the USB flash drive (using the virus scanner on the good computer) before transferring them over to the computer.

[LynRis]

You said be patient with WinPFind, three hours seems like a lot. After clicking scan, an hourglass appeared and that is all, task manager says it's running so I've let it go but I am loosing faith in it.

[LynRis]

Hopefully I will get those logs to you tonight or tomorrow morning

[LynRis]

I have sent the logs as attachments as well as pasted text. Which do you prefer?



Dr Web
ZOOM___1.SMK;C:\Documents and Settings\Lyndon\DoctorWeb\Quarantine;Modification of Win95.Demo.8192;Moved.;
Iam not sure if this actually moved since the scan stalled

Logfile of HijackThis v1.99.1
Scan saved at 4:01:14 PM, on 10/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/produc...ed/mvt/mvt.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bej...ploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

SmitFraudFix v2.58

Scan done at 18:42:25.50, 10/06/2006
Run from C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\alexaie.dll FOUND !
C:\WINDOWS\alxie328.dll FOUND !
C:\WINDOWS\alxtb1.dll FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\Pynix.dll FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\ZServ.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\jao.dll FOUND !
C:\WINDOWS\system32\questmod.dll FOUND !
C:\WINDOWS\system32\runsrv32.dll FOUND !
C:\WINDOWS\system32\udpmod.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Lyndon\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Lyndon\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 28/12/2004 7:49:12 PM 535920640 C:\WINDOWS\MEMORY.DMP
PTech 28/12/2004 7:49:12 PM 535920640 C:\WINDOWS\MEMORY.DMP
aurora.exe 28/12/2004 7:49:12 PM 535920640 C:\WINDOWS\MEMORY.DMP
abetterinternet.com 28/12/2004 7:49:12 PM 535920640 C:\WINDOWS\MEMORY.DMP
PEC2 05/12/2005 10:57:38 AM 211997 C:\WINDOWS\Noble Poker setup.exe
PECompact2 05/12/2005 10:57:38 AM 211997 C:\WINDOWS\Noble Poker setup.exe

Checking %System% folder...
PEC2 03/09/2002 10:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 17/05/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 03/05/2006 10:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 03/05/2006 10:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04/08/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04/08/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 16/05/2002 4:12:30 PM 117248 C:\WINDOWS\SYSTEM32\SKCL.dll
UPX! 27/04/2006 5:49:30 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 09/01/2006 10:36:04 AM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 09/01/2006 10:36:06 AM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
UPX! 02/04/2004 6:17:30 PM 22782 C:\WINDOWS\SYSTEM32\UninstXviDDec.exe
winsync 03/09/2002 11:10:48 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 03/08/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/06/2006 11:05:32 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
12/06/2011 646 PM HS 1537 C:\WINDOWS\page files\maxmeg.sys
10/06/2006 11:05:22 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/06/2006 11:05:56 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/06/2006 11:05:32 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/06/2006 11:05:46 PM H 49152 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/06/2006 11:05:40 PM H 942080 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/06/2006 400 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
06/06/2006 10:43:20 AM S 558 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
06/06/2006 10:43:20 AM S 144 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
15/04/2006 2:32:14 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\dae7629f-24f6-40ec-a3d2-9ec232afc1f1
15/04/2006 2:32:14 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
10/06/2006 11:09:06 PM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
10/06/2006 11:04:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT
08/06/2006 10:32:18 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\HISTCME6\desktop.ini
08/06/2006 10:32:18 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\U9STCRCN\desktop.ini
08/06/2006 10:32:18 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\W5QB4PIJ\desktop.ini
08/06/2006 10:32:18 PM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XMWRA8U7\desktop.ini

Checking for CPL files...
Microsoft Corporation 04/08/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Sonic Solutions 11/08/2005 2:01:00 AM 1134592 C:\WINDOWS\SYSTEM32\CMDVDPak.cpl
Creative Technology Ltd. 30/03/2001 1:00:00 AM 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Creative Technology Ltd. 21/02/2002 212992 C:\WINDOWS\SYSTEM32\CTDevCtrl.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
InstallShield Software Corporation27/07/2004 5:50:48 PM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 10/11/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 03/09/2002 10:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 03/09/2002 10:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel(R) Corporation 11/03/2003 3:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
Apple Computer, Inc. 23/09/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 03/09/2002 1138 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04/08/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 03/09/2002 10:40:02 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 03/09/2002 10:47:04 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 03/09/2002 1138 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
Microsoft Corporation 26/05/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
21/04/2006 11:14:10 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
07/09/2004 9:15:46 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
09/05/2005 9:11:44 AM 1808 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
09/05/2005 9:09:58 AM 798 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
07/09/2004 9:04:48 PM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
28/05/2006 3:37:54 PM 6 C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
11/08/2005 9:26:18 PM 2436 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
03/09/2002 8:00:00 AM HS 84 C:\Documents and Settings\Lyndon\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
03/09/2002 7:50:46 AM HS 62 C:\Documents and Settings\Lyndon\Application Data\DESKTOP.INI
15/02/2004 1:02:42 PM 0 C:\Documents and Settings\Lyndon\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\RXDCExtSvr
{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} = C:\Program Files\Roxio\Easy Media Creator 8\Virtual Drive\DC_ShellExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\RXDCExtSvr
{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C} = C:\Program Files\Roxio\Easy Media Creator 8\Virtual Drive\DC_ShellExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Documents and Settings\Lyndon\Desktop\Spyware stuff\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Program Files\PowerISO\PowerISOShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B723B1B8-9788-4684-ADA7-D1DB02E1D516}
ButtonText = Noble Poker : C:\Program Files\Noble Poker\casino.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{46AE04C0-BCFA-4728-90E7-00EB4A8B3863} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{E5AE512C-3349-6CA5-B338-0D1559A6E27B} = MEOWSIXTH : C:\PROGRA~1\USERWA~1\TonsWeb.dll
{46AE04C0-BCFA-4728-90E7-00EB4A8B3863} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
MCUpdateExe C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
Logitech Utility Logi_MwX.Exe
HP Software Update "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DVDSentry C:\WINDOWS\System32\DSentry.exe
DigidesignMMERefresh C:\Program Files\Digidesign\Drivers\MMERefresh.exe
diagent "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
BCMSMMSG BCMSMMSG.exe
WinampAgent C:\Program Files\Winamp\winampa.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
RoxioDragToDisc "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"

RoxWatchTray "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
Windows Defender "C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
MoneyAgent "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
Creative Detector C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun _
NoCDBurning 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/06/2006 4:16:30 AM

[tetonbob]

Posting the logs in the clear is preferred, thanks, as long as they fit.

Ok....this should help. Again, try to keep the infected machine offline, and carry tools to and reports from the machine.

Before begining the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Clean out your Temporary Internet files.

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files (if present)
• Cleanup! All Users
• Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.

Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!

---------------------------------------------------------------------------------------------


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

• "Security Info"
• "Warning Message"
• "Security Desktop"
• "Warning Homepage"
• "Desktop Uninstall" or something similar

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

---------------------------------------------------------------------------------------------

Reboot in Normal Mode.

---------------------------------------------------------------------------------------------

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------

Download fl.zip
Extract the contents to a new folder on your Desktop.
Within the folder, locate & double-click fl.bat.
It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply

---------------------------------------------------------------------------------------------

Run a new HijackThis scan. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Then post the following logs in your next reply...

C:\rapport.txt (log from the tool)
findlop.txt
Hijackthis log