HJT Assistance

[NitWitDog]

I've taken all the necessary steps prior to posting a HJT log, so here goes.

As far as I can tell, my machine is pretty clean, but I get instances where my cursor randomly goes into "wait" mode.

Here's my log. Thanks in advance:

* * * *
Logfile of HijackThis v1.97.7
Scan saved at 4:55:47 AM, on 9/7/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINNT\CDProxyServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Documents and Settings\Administrator\Desktop\SpyWare Stuff\4) HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon.net/bookmarks/bm...e&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...d&ltmplcache=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {32505657-9980-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...1F/wmvadvd.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...807.0255439815
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab

[Pancake]

Hi and welcome

Before we start working with your log, you are running an out of date Hijack This from a Desktop location .This needs to have its own folder.Please download HijackThis Self-installer
This is a complete installer that installs HijackThis on the computer to C:\Program Files\HijackThis.
It is important that you uninstall any previous versions by using Add/Remove programs in your control panel before installing a newer version.

=====================================

I notice you have the Sony Rootkit installed. This was a means Sony used to protect some of their Cd's. It ended up being an embarassment for Sony and they have since stopped using it. Due to risks attendant with any rootkit, I reocmmend you remove it. Check this link for more information and instructions on removing the rootkit: http://www.bleepingcomputer.com/forums/topic34904.html


Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe


Reboot and post a new HJT log please.

[NitWitDog]

I downloaded the HijackThis self-installer and installed it.

I tried using the manual instructions for removing the Sony Rootkit via the link you provided, but it didn't work. It kept stopping when a DOS window popped up giving an error message ([SWSC] Delete Service FAIL). Since that didn't work, I download and ran the .exe file provided via this link: http://www.sophos.com/support/disinfection/rkprf.html. It ran fine and came back with nothing found.

I removed the four items from the HijackThis log, ran HijackThis, and rebooted.

This is the result of my latest HijackThis scan:


Logfile of HijackThis v1.99.1
Scan saved at 2:41:18 AM, on 9/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINNT\CDProxyServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon.net/bookmarks/bm...e&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...d&ltmplcache=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: WUSB40SVC - Unknown owner - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)


Thanks!

[Pancake]

The rootkit is still there....

Go to Start > Run and type

cmd

and OK. Type the below commands and hit "Enter" after each line

sc stop CD_Proxy
sc delete CD_Proxy

Type Exit to close.


Because Windows NT or 2000 does not include the SC.exe program, we will need to download a freeware alternative. Download SWSC http://www.xs4all.nl/~fstaal01/downloads/swsc.exe and save it in your Windows folder.

Click on the Start button.

Click on the Run option.

In the Open: field type cmd /k swsc delete $sys$aries and press the OK button.

Reboot your computer



Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.e xe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe

Open Windows Explorer and delete the following highlighted file/s

C:\WINNT\system32\$sys$filesystem\aries.sys
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe

Reboot and post a new HJT log..

[NitWitDog]

I downloaded SWSC and saved it in my Windows folder. I then clicked on the Start button, clicked on the Run option, and typed in the Open field cmd /k swsc delete $sys$aries and pressed the OK button.

The following was the result showing in a DOS window:

[SWSC] DeleteService FAIL

C:\Documents and Settings\Administrator>

- - - - - - - - - - - - - - - -

I attempted deleting the following entries from HijackThis, but it didn’t work, and I’m assuming its because the SWSC thing didn’t work:

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe

O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe

- - - - - - - - - - - - - - - -

I deleted C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe, but C:\WINNT\system32\$sys$filesystem\aries.sys did not exist.

- - - - - - - - - - - - - - - -

Now what?

I've posted my most recent HijackThis log

[Pancake]

Can you post a new HJT log please...

[NitWitDog]

D'oh! Sorry about that...

Logfile of HijackThis v1.99.1
Scan saved at 12:41:38 AM, on 9/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINNT\CDProxyServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SurferNETWORK Player\SurferPlay.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon.net/bookmarks/bm...e&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...d&ltmplcache=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: WUSB40SVC - Unknown owner - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)

[Pancake]

Please download The Avenger to your Desktop and unzip it.

Copy all the text contained in the code box below ( including the words "files to delete" ) by highlighting it and right clicking and selecting "Copy"

Quote:

Files to delete:
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINDOWS\CDProxyServ.exe

Now, start The Avenger program by clicking on its icon on your desktop. Look under "Script file to execute" and click on "Input Script Manually". Next click on the Magnifying Glass icon and a blank dialogue box will open called "View/Edit script". Position your mouse inside the box, rightclick and choose Paste. All the text above in the code box should now appear there. Click Done and click on the Green Light to begin execution of the script. Answer "Yes" twice when prompted.

The Avenger will restart your computer. (if the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)

When you have rebooted, a black command window briefly opens on your desktop, this is normal. A logfile will be created that records all actions that The Avenger performed. This log file is saved to C:\avenger.txt. The deleted files will be backed up and saved to C:\avenger\backup.zip.

Once your computer has rebooted, please post back the contents of C:\avenger.txt, a new Hijack This log.

[NitWitDog]

Avenger.txt:
------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ossnnmeg

*******************

Script file located at: \??\C:\Program Files\divadjtv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe deleted successfully.
Deletion of file C:\WINDOWS\CDProxyServ.exe failed!
Status: 0xc000014f

Completed script processing.

*******************

Finished! Terminate.

- - - - - - - - - - - - - - -

HijackThis.log:
--------------

Logfile of HijackThis v1.99.1
Scan saved at 12:56:05 AM, on 9/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\CDProxyServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon.net/bookmarks/bm...e&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...d&ltmplcache=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: WUSB40SVC - Unknown owner - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)

* * * * * * *

The C:\WINDOWS\CDProxyServ.exe file may have been deleted the first time I ran Avenger. I ran it twice because I thought the file name for C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.e xe was wrong (the space between the '.e' and 'xe'). I hope that didn't screw things up for me.

The C:\WINDOWS\CDProxyServ.exe file is still on my machine. Should I attempt to delete it?

I won't be able to check back on this until Tuesday evening, around 7:00 PM EST.

Thanks again for all your help.

[Pancake]

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.

Unknown owner - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.e xe (file missing)
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe


Please download, update and run the A2 (A squared) anti-trojan. Let it fix whatever it wants to.


Also, run this pc through the...
Panda Online virus scanner
or
Trend Micro Housecall Online virus scanner

Let it delete whatever it finds. If it cannot delete it, then post the log and we will delete it manually.


Just post new HJT log then for one more check as we may need to stop the Service for CD_Proxy

[Pancake]

If it still remains in the log...

The following steps will allow you to stop the sevice.Not sure if its the same with 2000 as it is with XP:

There is also an official patch that you can get to fix it...

http://updates.xcp-aurora.com/



Click on the Start button.

Click on the Run option.

In the Open: field type services.msc and press the OK button.


The services control panel window will open. You will see a list of services installed on your computer. Scroll down and look for a service called XCP CD Proxy. If you have this service,right click on Properties and then on Stop .

[NitWitDog]

Ok, here we go...

Panda Online virus scanner log:
------------------------------


Incident Status Location

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.go.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.ehg-dig.hitbox.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.overture.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.stat.onestat.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.paycounter.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.com.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.phg.hitbox.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ug0uscoj.default\cookies.txt[.c2.gostats.com/]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2e05f271.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[3].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@as-eu.falkag[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@belnk[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@c5.zedo[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ccbill[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[10].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[4].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[5].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@cgi-bin[6].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@de.uol.com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@did-it[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@entrepreneur[2].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@errorsafe[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@kmpads[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@mmm.media-motor[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@perf.overture[1].txt
Spyware:Cookie/Qsrch Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@qsrch[1].txt
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@research-int[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@sel.as-eu.falkag[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@uol.com[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@xiti[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000324.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000326.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000329.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000330.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000331.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000333.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000334.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000335.TXT
Spyware:Cookie/QuestionMarket Not disinfected C:\RECYCLER\NPROTECT\00000336.TXT
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\NPROTECT\00000499.TXT
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\NPROTECT\00000500.TXT
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\NPROTECT\00000504.TXT
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\NPROTECT\00000505.TXT
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\NPROTECT\00000506.TXT
Spyware:Cookie/Banner Not disinfected C:\RECYCLER\NPROTECT\00000542.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000551.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000552.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000553.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000557.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000558.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000559.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000564.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000565.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000566.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000568.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000569.TXT
Spyware:Cookie/Casalemedia Not disinfected C:\RECYCLER\NPROTECT\00000570.TXT
Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\NPROTECT\00000573.TXT
Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\NPROTECT\00000574.TXT
Spyware:Cookie/Adrevolver Not disinfected C:\RECYCLER\NPROTECT\00000575.TXT

- - - - - - - - - -

HijackThis Log:
--------------

Logfile of HijackThis v1.99.1
Scan saved at 10:55:20 PM, on 9/12/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\CDProxyServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WUSB11 WLAN Monitor\WLService.exe
C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://wapp.verizon.net/bookmarks/bm...e&bm=yh_search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/accounts/Serv...d&ltmplcache=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;;localhost;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PrinTray] C:\WINNT\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.cartoon-fridge.com/nsvplayx_vp3_mp3.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/inc...ivePreQual.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: WUSB40SVC - Unknown owner - C:\Program Files\WUSB11 WLAN Monitor\WLService.exe" "WUSB11B.exe (file missing)

[Pancake]

Ok thats all looking good now.Your good to go...

You can,at your leisure, clean out the cookies and empty your recycle bin and you are then done.....




If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..

If you have not already done so, you might want to run Disk Cleanup and run it in each user's profile:

Run Disk Cleanup
Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
Please make sure the following are checked:
-- Downloaded Program Files
-- Temporary Internet Files
-- Recycle Bin
-- Temporary Files
Click "OK" and Disk Cleanup will delete those files for you.


Now that you are clean its now is a good time to flush out your restored files.

To flush the XP System Restore Points:
(Using XP, you must be logged in as Administrator to do this.)
Go to Start>Run and type msconfig Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.
Check the box labeled Turn Off System Restore.

Reboot. Go back in and turn System Restore ON. A new Restore Point will be created.

How Do I Protect My Computer Against Future Malware Now I'm Clean.

NOTE:You may have already taken some of these steps.

Update your anti-virus software & Windows operating system on a daily or weekly basis. Microsoft also distributes updates to its operating systems. These updates fix security holes or other problems that make a computer susceptible to security breaches. How to update your Windows operating system

Know What You're Installing
Check the source.
To avoid malware, make sure your software comes from a reputable source. Be particularly suspicious of sponsored software (software that relies on advertising) or software that claims to speed up your Internet connection.

Use Custom Install.
If you feel comfortable with software installation, you can choose Custom Install (as opposed to Typical Install). Custom Install allows you to select only the software components you wish to install, and leave out others (such as potential spyware).

Modify Security Settings (Internet Explorer 6)
To reduce the risk of installing malware, you can set Internet Explorer to high security mode. To do so:

Open Internet Explorer. Go to Tools > Internet Options….
On the Internet Options screen, select the Security tab, then select the Internet icon (if it is not already selected).
Under Security level for this zone, click Default Level. Set the slider to High.
Note: You may have to lower the security level to view certain Web sites.
Next, select the Trusted Sites icon. Under Security level for this zone, click Default Level. Set the slider to Medium.
Click Apply, then OK to save the changes.

Some Recommended Protection Programs

Each tool has its own strengths for identifying and removing specific types of malware. To thoroughly check your computer, its recommend that you use more than one malware removal program. Don't forget to back up your data files before starting a scan!

Some available programs are:

Ad-Aware
SpyBot Search & Destroy

Now that you are clean, to help protect your system I recommend that you get the following free programs:
SpywareBlaster to help prevent spyware from installing.
SpywareGuard to catch and block spyware .
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here is a free one for personal use:

ZoneAlarm
http://www.zonelabs.com/store/conten..._freedownloads
http://www.zonelabs.com/store/conten...g=en&lid=ho_za



Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link:

http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs:

http://www.spywarewarrior.com/asw-test-guide.htm


Here is a helpful article:
"So how did I get infected in the first place?"

http://computercops.biz/postlite7736-.html

http://www.pchelpforum.com/tutorials...t-your-pc.html

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

[NitWitDog]

Thanks for all your assistance! It's been running without incident since we finally got rid of all traces of the Sony Rootkit.

[Pancake]

Ok,thats great.