Log - Winanti Spywear popups

[miamifan1354]

Actually, there is a few things.. Computer has been running real slow.. got it actually going by running defender, adaware, smitfraud and cwshred, but I still get a the winanti popup and it's not 100% fast. Did a defrag and all the stuff it said to do before posting a log and turned off restore. Also, I don't know if this is related, but the screen keeps going black and chaning to 8bit color mode. It's an onboard monitor hookup, no vid card. NE way.. here's the log..

Logfile of HijackThis v1.99.1
Scan saved at 8:41:58 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\sessmgr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1154212808\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\DOCUME~1\Willy\LOCALS~1\Temp\200683132429_mcinfo.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\program files\mailskinner\mailskinner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Willy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS /I
O2 - BHO: (no name) - {533F8AB8-2A41-0BA1-7C76-6A2D82F3F1FE} - C:\WINDOWS\system32\wwga.dll (file missing)
O2 - BHO: (no name) - {88863B88-415D-F26B-2FA3-F5DFFB68B46D} - C:\WINDOWS\System32\opgmjwtw.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AAF45F0C-F6F7-894E-918B-B010421B5BF0} - C:\WINDOWS\system32\prh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [xvuiyrzlt] c:\windows\system32\xvuiyrzlt.exe xvuiyrzlt
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [0dd90983.exe] C:\WINDOWS\system32\0dd90983.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154212808\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Willy\LOCALS~1\Temp\200683132429_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Pti] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [fwqz] C:\PROGRA~1\COMMON~1\fwqz\fwqzm.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1064_XP.cab
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1063_XP.cab
O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.japanese-porns.com/traffic/IE_plugin.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binaries/IA/svcsysnet32_EN_XP.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134146294484
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binaries/IA/syswbsvc32_EN_XP.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1068_XP.cab
O16 - DPF: {A1C392A2-B274-46DB-89BE-1FBD476B9C93} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1065_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binaries/IA/sysinetsvc32_EN_XP.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1058_XP.cab
O16 - DPF: {E114CD5B-17CE-4807-890E-7B1EDF9F2E5E} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1066_XP.cab
O16 - DPF: {E24E8472-89B7-479F-8AD8-BBD7206A6A02} - http://scripts.downloadv3.com/binaries/EGDAccess/EGDACCESS_1067_XP.cab
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1062_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[miamifan1354]

Getting a few more popups other than winantispyware too. Something about winning a ps3, Windows Spy Doctor and $300000.

[miamifan1354]

Money popup is static.egwn.net

[sUBs]

Let's do this first..




Download and unzip - bfu.zip
Run the program and click the Web button located on the top right corner

Copy/Paste this url into the address bar of the Download script window:

http://metallica.geekstogo.com/EGDACCESS.bfu


Execute the script by clicking the Execute button. Post a new hijackthis log when finished.


If you have any questions about the use of BFU please click here


* * * * * *


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)

1. Select Drive C: & click the 'OK' button
2. Select the following options:
   • Temporary Internet Files
   • Recycle Bin
   • Temporary Files
3. Click the 'OK' button

* * * * * *


* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

• Doubleclick the drweb-cureit.exe file and Allow to run the express scan
• This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
• Once the short scan has finished, mark the drives that you want to scan.
• Select all drives. A red dot shows which drives have been chosen.
• Click the green arrow at the right, and the scan will start.
• Click 'Yes to all' if it asks if you want to cure/move the file.
• When the scan has finished, look if you can click next icon next to the files found:
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  
  This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,SKEYS /I
O2 - BHO: (no name) - {533F8AB8-2A41-0BA1-7C76-6A2D82F3F1FE} - C:\WINDOWS\system32\wwga.dll (file missing)
O2 - BHO: (no name) - {88863B88-415D-F26B-2FA3-F5DFFB68B46D} - C:\WINDOWS\System32\opgmjwtw.dll (file missing)
O2 - BHO: (no name) - {AAF45F0C-F6F7-894E-918B-B010421B5BF0} - C:\WINDOWS\system32\prh.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [xvuiyrzlt] c:\windows\system32\xvuiyrzlt.exe xvuiyrzlt
O4 - HKLM\..\Run: [0dd90983.exe] C:\WINDOWS\system32\0dd90983.exe
O4 - HKCU\..\Run: [Pti] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [fwqz] C:\PROGRA~1\COMMON~1\fwqz\fwqzm.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {01BE5BD7-B2DD-48B3-A759-59265A91E787} - http://akamai.downloadv3.com/binarie...SS_1064_XP.cab
O16 - DPF: {07C9CFC7-DE33-4A0C-9FFB-CDFBA843B157} - http://akamai.downloadv3.com/binarie...SS_1063_XP.cab
O16 - DPF: {12B574CE-A702-E7AD-358C-597D3BCEA9FA} (IEplugin Class) - http://www.japanese-porns.com/traffic/IE_plugin.cab
O16 - DPF: {31DDC1FD-CEA3-4837-A6DC-87E67015ADC9} - http://akamai.downloadv3.com/binarie...et32_EN_XP.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binarie...hv32_EN_XP.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {8B3B8135-9DAA-40E7-8941-962795F9C1CB} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {95460ABD-946A-46FF-9F56-268718323EEE} - http://scripts.downloadv3.com/binari...SS_1068_XP.cab
O16 - DPF: {A1C392A2-B274-46DB-89BE-1FBD476B9C93} - http://scripts.downloadv3.com/binari...SS_1065_XP.cab
O16 - DPF: {B2B0AEDF-7CDF-4792-BB67-7654AD1E1B13} - http://scripts.downloadv3.com/binari...vc32_EN_XP.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binarie...SS_1058_XP.cab
O16 - DPF: {E114CD5B-17CE-4807-890E-7B1EDF9F2E5E} - http://scripts.downloadv3.com/binari...SS_1066_XP.cab
O16 - DPF: {E24E8472-89B7-479F-8AD8-BBD7206A6A02} - http://scripts.downloadv3.com/binari...SS_1067_XP.cab
O16 - DPF: {EF4DCD99-D26B-44A4-BA77-CFDCC97E7291} - http://akamai.downloadv3.com/binarie...SS_1062_XP.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binarie...lv32_EN_XP.cab


* * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * *


Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says Blacklight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close

BlackLight beta would create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log





* * * * * *


1. Download this file -

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include the following logs:

1. HiJackThis
2. DrWeb
3. Combofix
4. Blacklight
5. Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

[miamifan1354]

Dr Web Log


setup.exe;C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP4F.tmp\as;Probably BINARYRES;Incurable.Moved.;
setup.exe;C:\Documents and Settings\Administrator\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspa;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP4F.tmp\aspapp;Probably BINARYRES;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASPE1.tmp\aspapp;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\CCU_SUITE_1.0.48.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
config.000;C:\Documents and Settings\All Users\Application Data\AOL Downloads\ssc_suite_installer_1.10.7.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.2.2;Probably BACKDOOR.Trojan;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Willy\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Willy\Desktop\SmitfraudFix\SmitfraudFix;Trojan.Shutdown;Deleted.;
setup.exe;C:\Documents and Settings\Willy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ASP4F.tmp\aspapp;Probably BINARYRES;Incurable.Moved.;
setup.exe;C:\Documents and Settings\Willy\Local Settings\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\updates\aspapp;Probably BACKDOOR.Trojan;Incurable.Moved.;
config.000;C:\Program Files\AOL\Installers\AOL Safety & Security Center 1.0;Probably BACKDOOR.Trojan;Incurable.Moved.;
setup.exe;C:\Program Files\AOL\Installers\ASP 2.0;Probably BACKDOOR.Trojan;Incurable.Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
setup.exe;C:\Program Files\Common Files\AOL\Backup\ACS\Current\Suite;Probably BACKDOOR.Trojan;Incurable.Moved.;
GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;
IE_plugin.dll;C:\WINDOWS\Downloaded Program Files;Probably DLOADER.Trojan;Incurable.Moved.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.13;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.14;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.15;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.16;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.17;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.18;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.19;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.20;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.21;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.22;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.23;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.24;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.25;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.26;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.27;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.28;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.29;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.30;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.31;Trojan.DownLoader.based;Deleted.;
gdnUS2218.exe;C:\WINDOWS\Downloaded Program Files\CONFLICT.32;Trojan.DownLoader.based;Deleted.;
Iftvmk38wbr.dll;C:\WINDOWS\SYSTEM32;Adware.InstaFinder;Incurable.Moved.;

[miamifan1354]

New HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 11:23:32 AM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\AOL\1154212808\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\windows\system32\urtlic.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Willy\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154212808\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [urtlic] c:\windows\system32\urtlic.exe urtlic
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Willy\LOCALS~1\Temp\200683132429_mcinfo.exe /insfin
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134146294484
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[miamifan1354]

Can't get the online scan to work. I click it, but nothing happens, moving to blacklight

[miamifan1354]

Blacklight Log

08/05/06 11:30:38 [Info]: BlackLight Engine 1.0.42 initialized
08/05/06 11:30:38 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/05/06 11:30:38 [Note]: 7019 4
08/05/06 11:30:38 [Note]: 7005 0
08/05/06 11:30:39 [Note]: 7006 0
08/05/06 11:30:39 [Note]: 7011 468
08/05/06 11:30:39 [Note]: 7026 0
08/05/06 11:30:40 [Note]: 7026 0
08/05/06 11:31:01 [Note]: FSRAW library version 1.7.1019

[miamifan1354]

Combo Fix Log

Start Time= 06-08-05 12:16:54.67
Running from: C:\DOCUME~1\Willy\LOCALS~1\Temp\

((((((((((((((((((((((((((((((( Files Created from 2006-07-05 to 2006-08-05 ))))))))))))))))))))))))))))))))))


2006-08-01 16:49 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-01 16:49 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-01 16:49 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-29 19:02 255,488 C:\WINDOWS\system32\urtlic.exe
2006-07-29 18:45 173,184 C:\WINDOWS\system32\ygpss.scr
2006-07-21 00:26 65,536 C:\WINDOWS\wanmpsvc.exe
2006-07-21 00:26 24,659 C:\WINDOWS\system32\aolddial.dll
2006-07-20 23:42 91,904 C:\WINDOWS\system32\S32EVNT1.DLL
2006-07-20 22:21 854,528 C:\WINDOWS\system32\Ltwvc12n.dll
2006-07-20 22:21 78,336 C:\WINDOWS\system32\LFFAX12n.DLL
2006-07-20 22:21 43,008 C:\WINDOWS\system32\lfgif12n.dll
2006-07-20 22:21 41,472 C:\WINDOWS\system32\LTTWN12n.DLL
2006-07-20 22:21 406,528 C:\WINDOWS\system32\LTKRN12n.DLL
2006-07-20 22:21 314,880 C:\WINDOWS\system32\LFCMP12n.DLL
2006-07-20 22:21 278,528 C:\WINDOWS\system32\LTDIS12n.DLL
2006-07-20 22:21 25,600 C:\WINDOWS\system32\lfavi12n.dll
2006-07-20 22:21 227,840 C:\WINDOWS\system32\LTEFX12n.DLL
2006-07-20 22:21 166,400 C:\WINDOWS\system32\LTIMG12n.DLL
2006-07-20 22:21 155,648 C:\WINDOWS\system32\LFTIF12n.DLL
2006-07-20 22:21 122,368 C:\WINDOWS\system32\LTFIL12n.DLL
2006-07-20 22:21 121,856 C:\WINDOWS\system32\lfmpg12n.dll
2006-07-20 22:20 53,248 C:\WINDOWS\system32\SONYHCY.DLL
2006-07-20 21:47 90,112 C:\WINDOWS\Updreg.EXE
2006-07-20 21:47 84,992 C:\WINDOWS\system32\SFCVRT32.DLL
2006-07-20 21:47 82,432 C:\WINDOWS\system32\CTWFLT32.DLL
2006-07-20 21:47 53,552 C:\WINDOWS\CTCCW.DLL
2006-07-20 21:47 40,960 C:\WINDOWS\system32\AC3API.DLL
2006-07-20 21:47 26,768 C:\WINDOWS\system32\CTL3D.DLL
2006-07-20 21:47 24,976 C:\WINDOWS\CTRES.DLL
2006-07-20 21:47 24,576 C:\WINDOWS\system32\CTDevCRes.dll
2006-07-20 21:46 65,536 C:\WINDOWS\system32\A3d.dll
2006-07-20 21:46 61,440 C:\WINDOWS\MIDIDEF.EXE
2006-07-20 21:46 47,616 C:\WINDOWS\system32\P16X.dll
2006-07-20 21:46 34,304 C:\WINDOWS\system32\P16Xres.dll
2006-07-20 21:46 24,576 C:\WINDOWS\MIXERDEF.EXE
2006-07-20 21:46 20,480 C:\WINDOWS\INRES.DLL
2006-07-20 21:45 44,032 C:\WINDOWS\system32\CTsvcCDA.EXE
2006-07-20 21:45 25,088 C:\WINDOWS\system32\CTsvcCtl.EXE
2006-07-20 21:44 73,728 C:\WINDOWS\system32\CTDrmRes.dll
2006-07-20 21:44 62,976 C:\WINDOWS\system32\CTDetres.dll
2006-07-20 21:44 331,776 C:\WINDOWS\system32\CTMedEng.DLL
2006-07-20 21:44 28,672 C:\WINDOWS\system32\CTIntRes.dll
2006-07-20 21:44 24,576 C:\WINDOWS\system32\CTMERes.DLL
2006-07-20 21:44 163,840 C:\WINDOWS\system32\CTDRMUI.dll
2006-07-20 21:42 6,752 C:\WINDOWS\system32\PFMODNT.SYS
2006-07-20 21:36 155,648 C:\WINDOWS\system32\igfxres.dll
2006-07-11 19:08 94,208 C:\WINDOWS\system32\igfxext.exe
2006-07-11 19:08 32,768 C:\WINDOWS\system32\igfxexps.dll
2006-07-11 18:12 98,842 C:\WINDOWS\system32\ialmkchw.sys
2006-07-11 18:12 69,632 C:\WINDOWS\system32\oemdspif.dll
2006-07-11 18:12 37,431 C:\WINDOWS\system32\a313.sys
2006-07-11 18:12 33,335 C:\WINDOWS\system32\a311.sys
2006-07-11 18:12 33,335 C:\WINDOWS\system32\a310.sys
2006-07-11 18:12 26,167 C:\WINDOWS\system32\a309.sys
2006-07-11 18:12 120,830 C:\WINDOWS\system32\ialmsbw.sys
2006-07-11 18:12 11,319 C:\WINDOWS\system32\a314.sys
2006-07-11 18:12 11,319 C:\WINDOWS\system32\a308.sys
2006-07-11 18:11 65,536 C:\WINDOWS\system32\iAlmCoIn_v3691.dll
2006-07-11 17:52 176,128 C:\WINDOWS\system32\RcdScan.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-05 10:46 ------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-05 10:41 ------- d-------- C:\Program Files\Common Files
2006-08-04 18:31 ------- d-------- C:\Program Files\MailSkinner
2006-08-04 18:30 ------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-04 10:04 ------- d-------- C:\Program Files\Viewpoint
2006-08-03 21:45 ------- d-------- C:\Program Files\CleanUp!
2006-08-03 20:02 ------- d-------- C:\Program Files\America Online 9.0
2006-08-03 14:57 ------- d-------- C:\Documents and Settings\Willy\Application Data\Lavasoft
2006-08-03 14:56 ------- d-------- C:\Program Files\Lavasoft
2006-08-03 13:45 ------- d-------- C:\Program Files\Windows Defender
2006-08-03 13:37 ------- d-------- C:\Program Files\Common Files\AOL
2006-08-03 13:37 ------- d-------- C:\Program Files\AOL
2006-08-01 16:38 42496 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2006-08-01 16:38 40960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2006-08-01 16:38 288417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2006-08-01 15:58 ------- d-------- C:\Program Files\EarthLink TotalAccess
2006-07-30 01:55 ------- d-------- C:\Program Files\Common Files\aolshare
2006-07-29 22:16 ------- d-------- C:\Program Files\Norton Internet Security
2006-07-29 21:53 ------- d-------- C:\Program Files\Symantec
2006-07-29 19:40 ------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-29 19:40 ------- d-------- C:\Program Files\Actiontec
2006-07-29 19:02 255488 --a------ C:\WINDOWS\SYSTEM32\urtlic.exe
2006-07-29 18:49 ------- d-------- C:\Documents and Settings\Willy\Application Data\AOL
2006-07-29 18:43 ------- d-------- C:\Program Files\Pure Networks
2006-07-29 18:42 ------- d-------- C:\Program Files\AOL Toolbar
2006-07-29 18:42 ------- d-------- C:\Program Files\AOL Deskbar
2006-07-23 23:50 ------- d-------- C:\Program Files\AutoCAD 2002
2006-07-21 14:26 61678 --a--c--- C:\Documents and Settings\Willy\Application Data\PFP110JPR.{PB
2006-07-21 14:26 12358 --a--c--- C:\Documents and Settings\Willy\Application Data\PFP110JCM.{PB
2006-07-21 02:40 ------- d-------- C:\Program Files\SymNetDrv
2006-07-21 00:12 ------- d-------- C:\Documents and Settings\Willy\Application Data\Earthlink
2006-07-20 23:42 ------- d-------- C:\Documents and Settings\Willy\Application Data\Symantec
2006-07-20 23:32 28256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
2006-07-20 23:30 ------- d-------- C:\Program Files\MUSICMATCH
2006-07-20 23:29 ------- d-------- C:\Program Files\Dell
2006-07-20 22:38 ------- d-------- C:\Program Files\3D Home Architect
2006-07-20 22:23 100 --a------ C:\AUTOEXEC.BAT
2006-07-20 22:21 ------- d-------- C:\Program Files\Sony Corporation
2006-07-20 22:21 ------- d-------- C:\Program Files\Common Files\muvee Technologies
2006-07-20 22:09 ------- d-------- C:\Program Files\WordPerfect Office 11
2006-07-20 22:07 ------- d-------- C:\Program Files\Common Files\Corel
2006-07-20 22:02 ------- d-------- C:\Program Files\CyberLink
2006-07-20 21:44 ------- d-------- C:\Program Files\Creative
2006-07-11 18:00 ------- d---s---- C:\Documents and Settings\Willy\Application Data\Microsoft
2006-07-11 18:00 ------- d-------- C:\Program Files\Smart Modular
2006-07-11 16:15 ------- d-------- C:\Program Files\Internet Explorer
2006-07-11 16:00 ------- d-------- C:\Program Files\Common Files\Adobe
2006-07-11 15:59 ------- d-------- C:\Program Files\Adobe
2006-07-05 23:54 ------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-07-05 23:42 ------- d-------- C:\Program Files\Windows Media Player
2006-07-05 21:15 ------- d-------- C:\Program Files\Common Files\AolCoach
2006-07-05 19:01 ------- d-------- C:\Program Files\McAfee
2006-06-19 16:20 702768 --a------ C:\WINDOWS\SYSTEM32\WgaLogon.dll
2006-06-19 15:14 ------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-06-19 14:55 ------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2006-06-13 16:01 ------- d-------- C:\Program Files\Ultimate Defender
2006-05-31 19:53 104008 --a------ C:\WINDOWS\SYSTEM32\AOLDial.dll
2006-05-24 20:06 106496 --a------ C:\WINDOWS\rtpmsi32.dll
2006-05-19 08:59 94720 --a------ C:\WINDOWS\SYSTEM32\iphlpapi.dll
2006-05-19 08:59 148480 --a------ C:\WINDOWS\SYSTEM32\dnsapi.dll
2006-05-19 08:59 111616 --a------ C:\WINDOWS\SYSTEM32\dhcpcsvc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1154212808\\ee\\AOLSoftware.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"urtlic"="c:\\windows\\system32\\urtlic.exe urtlic"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"msci"="C:\\DOCUME~1\\Willy\\LOCALS~1\\Temp\\200683132429_mcinfo.exe /insfin"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AOL Fast Start"="\"C:\\Program Files\\America Online 9.0\\AOL.EXE\" -b"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 08/05/2006 12:18:17.18
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt

ComboFix.txt

[miamifan1354]

still getting the winantispyware popups along with a few others and the screen still turns black sometimes and changes to 8bit color. Any help?

[miamifan1354]

Computer is def a lot faster after everything that we've done, but the winantispyware, some casino stuff and pcdoctor keeps showing up (popups) As for the blackout, I think I resolved that with a driver update (hasn't happen in a little while)


edit :with the winanti, it like a series of 4 popups and then it opens my AOL trying to sign on. (Computer is usually dial in, but I have it here on broadband while I try to fix it) And kaspersky wouldn't work because license had expired, but I've never used it before.

[sUBs]

Go to Start → Control Panel → Add or Remove Programs and uninstall the following programs:

• ViewPoint

Please note any other programs that you dont recognize in that list in your next response


Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...

1. In the popup box that appears, copy/paste in:
   • C:\WINDOWS\system32\urtlic.exe
2. Click the Open button.
3. Click YES when prompted to restart your computer.

After the reboot, have HJT fix these:

O4 - HKLM\..\Run: [urtlic] c:\windows\system32\urtlic.exe urtlic
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Willy\LOCALS~1\Temp\200683132429_mcinf o.exe /


Delete this folder - C:\Program Files\Viewpoint


Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on see report. Then click Save report

Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


Reboot your machine after the online scan & post fresh copies of the following logs:

1. Hijackthis
2. Combofix
3. Online scan

[sUBs]

This is to be performed after you have posted the required logs, I require you to update your copy of Sun's java. Older versions of Java have been identified as entry points for malware.

Updating Java and Clearing Cache

1. Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
2. It will say "Java Plug-in" under the icon.
3. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
4. Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
5. If you are unable to update you can manually update by going here:
   
   http://www.java.com/en/download/manual.jsp
   
   
6. After the reboot, go back into the Control Panel and double-click the Java Icon.
7. Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
8. Under Temporary Internet Files, click the Delete Files button.
9. There are three options in the window to clear the cache - Leave ALL 3 Checked
   • Downloaded Applets
     Downloaded Applications
     Other Files
10. Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
11. Click OK to leave the Java Control Panel.

[miamifan1354]

Combo Fix

Start Time= 06-08-06 10:24:22.95
Running from: C:\DOCUME~1\Willy\LOCALS~1\Temp\

((((((((((((((((((((((((((((((( Files Created from 2006-07-06 to 2006-08-06 ))))))))))))))))))))))))))))))))))


2006-08-06 09:19 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-06 09:19 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-05 15:13 163,840 C:\WINDOWS\system32\igfxres.dll
2006-08-01 16:49 42,496 C:\WINDOWS\system32\swreg.exe
2006-08-01 16:49 40,960 C:\WINDOWS\system32\swsc.exe
2006-08-01 16:49 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-29 18:45 173,184 C:\WINDOWS\system32\ygpss.scr
2006-07-21 00:26 65,536 C:\WINDOWS\wanmpsvc.exe
2006-07-21 00:26 24,659 C:\WINDOWS\system32\aolddial.dll
2006-07-20 23:42 91,904 C:\WINDOWS\system32\S32EVNT1.DLL
2006-07-20 22:21 854,528 C:\WINDOWS\system32\Ltwvc12n.dll
2006-07-20 22:21 78,336 C:\WINDOWS\system32\LFFAX12n.DLL
2006-07-20 22:21 43,008 C:\WINDOWS\system32\lfgif12n.dll
2006-07-20 22:21 41,472 C:\WINDOWS\system32\LTTWN12n.DLL
2006-07-20 22:21 406,528 C:\WINDOWS\system32\LTKRN12n.DLL
2006-07-20 22:21 314,880 C:\WINDOWS\system32\LFCMP12n.DLL
2006-07-20 22:21 278,528 C:\WINDOWS\system32\LTDIS12n.DLL
2006-07-20 22:21 25,600 C:\WINDOWS\system32\lfavi12n.dll
2006-07-20 22:21 227,840 C:\WINDOWS\system32\LTEFX12n.DLL
2006-07-20 22:21 166,400 C:\WINDOWS\system32\LTIMG12n.DLL
2006-07-20 22:21 155,648 C:\WINDOWS\system32\LFTIF12n.DLL
2006-07-20 22:21 122,368 C:\WINDOWS\system32\LTFIL12n.DLL
2006-07-20 22:21 121,856 C:\WINDOWS\system32\lfmpg12n.dll
2006-07-20 22:20 53,248 C:\WINDOWS\system32\SONYHCY.DLL
2006-07-20 21:47 90,112 C:\WINDOWS\Updreg.EXE
2006-07-20 21:47 84,992 C:\WINDOWS\system32\SFCVRT32.DLL
2006-07-20 21:47 82,432 C:\WINDOWS\system32\CTWFLT32.DLL
2006-07-20 21:47 53,552 C:\WINDOWS\CTCCW.DLL
2006-07-20 21:47 40,960 C:\WINDOWS\system32\AC3API.DLL
2006-07-20 21:47 26,768 C:\WINDOWS\system32\CTL3D.DLL
2006-07-20 21:47 24,976 C:\WINDOWS\CTRES.DLL
2006-07-20 21:47 24,576 C:\WINDOWS\system32\CTDevCRes.dll
2006-07-20 21:46 65,536 C:\WINDOWS\system32\A3d.dll
2006-07-20 21:46 61,440 C:\WINDOWS\MIDIDEF.EXE
2006-07-20 21:46 47,616 C:\WINDOWS\system32\P16X.dll
2006-07-20 21:46 34,304 C:\WINDOWS\system32\P16Xres.dll
2006-07-20 21:46 24,576 C:\WINDOWS\MIXERDEF.EXE
2006-07-20 21:46 20,480 C:\WINDOWS\INRES.DLL
2006-07-20 21:45 44,032 C:\WINDOWS\system32\CTsvcCDA.EXE
2006-07-20 21:45 25,088 C:\WINDOWS\system32\CTsvcCtl.EXE
2006-07-20 21:44 73,728 C:\WINDOWS\system32\CTDrmRes.dll
2006-07-20 21:44 62,976 C:\WINDOWS\system32\CTDetres.dll
2006-07-20 21:44 331,776 C:\WINDOWS\system32\CTMedEng.DLL
2006-07-20 21:44 28,672 C:\WINDOWS\system32\CTIntRes.dll
2006-07-20 21:44 24,576 C:\WINDOWS\system32\CTMERes.DLL
2006-07-20 21:44 163,840 C:\WINDOWS\system32\CTDRMUI.dll
2006-07-20 21:42 6,752 C:\WINDOWS\system32\PFMODNT.SYS
2006-07-11 19:08 36,864 C:\WINDOWS\system32\igfxexps.dll
2006-07-11 19:08 106,496 C:\WINDOWS\system32\igfxext.exe
2006-07-11 18:12 98,842 C:\WINDOWS\system32\ialmkchw.sys
2006-07-11 18:12 69,632 C:\WINDOWS\system32\oemdspif.dll
2006-07-11 18:12 37,431 C:\WINDOWS\system32\a313.sys
2006-07-11 18:12 33,335 C:\WINDOWS\system32\a311.sys
2006-07-11 18:12 33,335 C:\WINDOWS\system32\a310.sys
2006-07-11 18:12 26,167 C:\WINDOWS\system32\a309.sys
2006-07-11 18:12 120,830 C:\WINDOWS\system32\ialmsbw.sys
2006-07-11 18:12 11,319 C:\WINDOWS\system32\a314.sys
2006-07-11 18:12 11,319 C:\WINDOWS\system32\a308.sys
2006-07-11 18:11 65,536 C:\WINDOWS\system32\iAlmCoIn_v3691.dll
2006-07-11 17:52 176,128 C:\WINDOWS\system32\RcdScan.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-06 09:44 ------- d-------- C:\Program Files\Windows Defender
2006-08-06 09:43 ------- d-------- C:\Program Files\Norton Internet Security
2006-08-06 09:42 ------- d-------- C:\Program Files\Messenger
2006-08-06 09:40 ------- d-------- C:\Program Files\Internet Explorer
2006-08-06 09:38 ------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-06 09:37 ------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-08-06 09:10 ------- d-------- C:\Program Files\Common Files
2006-08-04 18:31 ------- d-------- C:\Program Files\MailSkinner
2006-08-03 21:45 ------- d-------- C:\Program Files\CleanUp!
2006-08-03 20:02 ------- d-------- C:\Program Files\America Online 9.0
2006-08-03 14:57 ------- d-------- C:\Documents and Settings\Willy\Application Data\Lavasoft
2006-08-03 14:56 ------- d-------- C:\Program Files\Lavasoft
2006-08-03 13:37 ------- d-------- C:\Program Files\Common Files\AOL
2006-08-03 13:37 ------- d-------- C:\Program Files\AOL
2006-08-01 16:38 42496 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2006-08-01 16:38 40960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2006-08-01 16:38 288417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2006-08-01 15:58 ------- d-------- C:\Program Files\EarthLink TotalAccess
2006-07-30 01:55 ------- d-------- C:\Program Files\Common Files\aolshare
2006-07-29 21:53 ------- d-------- C:\Program Files\Symantec
2006-07-29 19:40 ------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-29 19:40 ------- d-------- C:\Program Files\Actiontec
2006-07-29 18:49 ------- d-------- C:\Documents and Settings\Willy\Application Data\AOL
2006-07-29 18:43 ------- d-------- C:\Program Files\Pure Networks
2006-07-29 18:42 ------- d-------- C:\Program Files\AOL Toolbar
2006-07-29 18:42 ------- d-------- C:\Program Files\AOL Deskbar
2006-07-23 23:50 ------- d-------- C:\Program Files\AutoCAD 2002
2006-07-21 14:26 61678 --a--c--- C:\Documents and Settings\Willy\Application Data\PFP110JPR.{PB
2006-07-21 14:26 12358 --a--c--- C:\Documents and Settings\Willy\Application Data\PFP110JCM.{PB
2006-07-21 02:40 ------- d-------- C:\Program Files\SymNetDrv
2006-07-21 00:12 ------- d-------- C:\Documents and Settings\Willy\Application Data\Earthlink
2006-07-20 23:42 ------- d-------- C:\Documents and Settings\Willy\Application Data\Symantec
2006-07-20 23:32 28256 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\MxlW2k.sys
2006-07-20 23:30 ------- d-------- C:\Program Files\MUSICMATCH
2006-07-20 23:29 ------- d-------- C:\Program Files\Dell
2006-07-20 22:38 ------- d-------- C:\Program Files\3D Home Architect
2006-07-20 22:23 100 --a------ C:\AUTOEXEC.BAT
2006-07-20 22:21 ------- d-------- C:\Program Files\Sony Corporation
2006-07-20 22:21 ------- d-------- C:\Program Files\Common Files\muvee Technologies
2006-07-20 22:09 ------- d-------- C:\Program Files\WordPerfect Office 11
2006-07-20 22:07 ------- d-------- C:\Program Files\Common Files\Corel
2006-07-20 22:02 ------- d-------- C:\Program Files\CyberLink
2006-07-20 21:44 ------- d-------- C:\Program Files\Creative
2006-07-11 18:00 ------- d---s---- C:\Documents and Settings\Willy\Application Data\Microsoft
2006-07-11 18:00 ------- d-------- C:\Program Files\Smart Modular
2006-07-11 16:00 ------- d-------- C:\Program Files\Common Files\Adobe
2006-07-11 15:59 ------- d-------- C:\Program Files\Adobe
2006-07-05 23:54 ------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-07-05 23:42 ------- d-------- C:\Program Files\Windows Media Player
2006-07-05 21:15 ------- d-------- C:\Program Files\Common Files\AolCoach
2006-07-05 19:01 ------- d-------- C:\Program Files\McAfee
2006-06-19 16:20 702768 --a------ C:\WINDOWS\SYSTEM32\WgaLogon.dll
2006-06-19 15:14 ------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-06-19 14:55 ------- d-------- C:\Program Files\Microsoft Windows OneCare Live
2006-06-13 16:01 ------- d-------- C:\Program Files\Ultimate Defender
2006-05-31 19:53 104008 --a------ C:\WINDOWS\SYSTEM32\AOLDial.dll
2006-05-24 20:06 106496 --a------ C:\WINDOWS\rtpmsi32.dll
2006-05-19 08:59 94720 --a------ C:\WINDOWS\SYSTEM32\iphlpapi.dll
2006-05-19 08:59 148480 --a------ C:\WINDOWS\SYSTEM32\dnsapi.dll
2006-05-19 08:59 111616 --a------ C:\WINDOWS\SYSTEM32\dhcpcsvc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe"
"MMTray"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"mmtask"="c:\\Program Files\\MusicMatch\\MusicMatch Jukebox\\mmtask.exe"
"Logitech Utility"="Logi_MwX.Exe"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"ICQ Lite"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1154212808\\ee\\AOLSoftware.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 08/06/2006 10:25:41.07
ComboFix ver 06.08.04 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt

[miamifan1354]

Online Scan


Incident Status Location

Adware:adware/navipromo Not disinfected c:\windows\system32\urtlic_nav.dat
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Willy\Application Data\tvmdmns.dll
Dialer:dialer.bny Not disinfected c:\windows\pcconfig.dat
Adware:adware/dyfuca Not disinfected c:\windows\wsem303.dll
Adware:adware/keenvalue Not disinfected c:\program files\common files\SearchUpgrader
Adware:adware/ncase Not disinfected c:\windows\system32\FLEOK
Potentially unwanted tool:application/mailskinner Not disinfected c:\program files\MailSkinner
Adware:adware/cws Not disinfected c:\documents and settings\willy\favorites\Online Gambling
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Willy\Application Data\Registry Cleaner
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/mediatickets Not disinfected Windows Registry
Adware:adware/wintools Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Willy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-79f31286-30bb1275.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Willy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-2f48ae70.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Willy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-2f48ae70.zip[NewURLClassLoader.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Willy\Cookies\willy@2o7[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Willy\Cookies\willy@casalemedia[1].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\Willy\Cookies\willy@casinotropez[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Willy\Cookies\willy@com[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Willy\Cookies\willy@drivecleaner[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Willy\Cookies\willy@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Willy\Cookies\willy@media.fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Willy\Cookies\willy@mediaplex[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Willy\Cookies\willy@microsofteup.112.2o7[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Willy\Cookies\willy@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Willy\Cookies\willy@stats1.reliablestats[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Willy\Cookies\willy@www.drivecleaner[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Willy\DoctorWeb\Quarantine\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Willy\DoctorWeb\Quarantine\Process0.exe
Spyware:Spyware/BetterInet Not disinfected C:\Program Files\Common Files\SearchUpgrader\client.cfg
Potentially unwanted tool:Application/MailSkinner Not disinfected C:\Program Files\MailSkinner\OESkinner.dll
Potentially unwanted tool:Application/MailSkinner Not disinfected C:\Program Files\MailSkinner\OLSkinner.dll
Hacktool:HackTool/Jkill.A Not disinfected C:\WINDOWS\SYSTEM32\Rebate.exe[jkill.exe]
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\SYSTEM32\Rebate.exe[RebateNation1.exe]
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\SYSTEM32\Rebate.exe[RebateNation0.exe]
Adware:Adware/TopRebates Not disinfected C:\WINDOWS\SYSTEM32\Rebate.exe[disp5300.exe]

[miamifan1354]

HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:27:21 AM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Common Files\AOL\1154212808\ee\AOLSoftware.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cscript.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cscript.exe
C:\Documents and Settings\Willy\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,SKEYS /I
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154212808\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowsonecare.com/install/cli/1.0.0971.28/WinSSWebAgent.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134146294484
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[sUBs]

Please read the rest of this post completely before begining the fix.


Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SU B_PVER}&ar=home
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,SKEYS /I


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:

• Registry Cleaner
  TV Media

Please note any other programs that you dont recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

• Tick - 'Show hidden files and folder'
• Untick - 'Hide file extensions for known types'
• Untick - 'Hide protected operating system files'
• Click Yes to confirm & then click OK

Locate and delete the following files/folders: (make sure you get ALL of them)

• c:\windows\system32\urtlic_nav.dat
  C:\Documents and Settings\Willy\Application Data\tvmdmns.dll
  c:\windows\pcconfig.dat
  c:\windows\wsem303.dll
  c:\program files\common files\SearchUpgrader
  c:\windows\system32\FLEOK
  c:\documents and settings\willy\favorites\Online Gambling
  C:\Documents and Settings\Willy\Application Data\Registry Cleaner
  C:\Documents and Settings\Willy\DoctorWeb\
  C:\WINDOWS\SYSTEM32\Rebate.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

• Delete Newsgroup cache
• Delete Newsgroup Subscriptions
• Delete Cookies

4. Click OK
5. Press the CleanUp! button to start the program.


Reboot, post a fresh Hjt log & tell me how the machine behaves now. Have you updated Java yet?

[miamifan1354]

Updates Java and everything seems to be running well. Still getting a popup now and again, but I haven't done the steps in the last post that you just made. (Got to the bottom and figured I'd update before I dive in.)

Just a real quick question. Should I delete any of the files we've downloaded. I have just see norton and ewiod but I think defender is running at the same time too. I'll start on the other stuff.. thanks for everything you've done so for me so far

[sUBs]

Quote:

Still getting a popup now and again

Please describe the pop ups. When was the last one received? What was in it?

Quote:

Should I delete any of the files we've downloaded.

We'll do that when you're clean

[miamifan1354]

Registry Cleaner
TV Media


Not on the computer