Hello, can some one take a look at this hijackthis log file for me

kbnet56 · 09-27-2006, 11:58 PM

I have run my nortons antivirus and adaware se pro along with the vx2 cleaner and it said I was clean on that end.

Logfile of HijackThis v1.99.1
Scan saved at 1:54:24 AM, on 9/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\Nmain.exe
C:\WINDOWS\Explorer.EXE
D:\hijackthis\HijackThis.exe
C:\Program Files\Windows Defender\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file)
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\drivers\NSW2005\NAV\EXTERNAL\NORTON\APP\NAVSHEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**Glaswegian** · 10-03-2006, 02:24 PM

Hi and welcome to TSF.

Apologies for any delay in replying, but we have been rather busy lately.

Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance.

Thank you.

kbnet56 · 10-03-2006, 09:16 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:15:07 PM, on 10/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Instant Buzz\IBDaemon.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file)
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\drivers\NSW2005\NAV\EXTERNAL\NORTON\APP\NAVSHEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**Glaswegian** · 10-04-2006, 12:09 PM

Hi again

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean.

Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Download AVG Anti Spyware
This is a 30 day trial

Install AVG Anti Spyware
Double-click the icon on Desktop to launch AVG
On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
- I also recommend changing the "Update interval" to something more reasonable like 12 hours.

When you have finished updating, EXIT AVG Anti Spyware.

Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Reboot
Reboot your system in Safe Mode.

Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight Safe Mode and press Enter.

Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

InstantBuzz

HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file)
O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file)

Please remember to close all other windows, including browsers then click Fix checked.

File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Instant Buzz
C:\WINDOWS\system32\lcp361.dll

Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.

Run AVG Anti Spyware
Run AVG with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

NOTE: AVG scan may require an hour.

Reboot
Reboot your system in Normal Mode.

Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner.

1. Click Check Now and a "pop up" window will appear. *Please ensure that your pop up blocker doesn't block it *
2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.

Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.

Click on See report then click Save report

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Logs required
Ewido Log
Panda Log
HijackThis Log

Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode.

kbnet56 · 10-05-2006, 09:16 AM

Ok, I did everything you said, included in this post is the AVG Antispyware log
the Panda Active Active scan log, a new Hijackthis log.

If you notice, I have been unable to delete:

O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
C:\WINDOWS\system32\lcp361.dll

When I go into Windows/system32 and manually try to delete lcp361.dll it won't delete. It says it
is being used by another person or program. I have tried to delete it from a clean boot where no programs
but basic system programs load.. to no avail. I have tried to delete it in safemode to no avail.

What my computer is doing is for no apparent reason, I do not even have to be surfing the net.. it will bring
up a full web page ad .. sometimes my speakers will just start playing some music with some advertisment like
a radio is on.. here are some of the urls of the pages that have popped up.. alot are in relation to spyware,
however.. some are totally unrelated:

http://www.winantivirus.com/download...soft&ex=1&ax=1

http://www.winantiviruspro.com/pages...d=http+com+nav

http://www.amaena.com/pastelblue/?mp...d=dn_kn_swmplx

http://70.87.13.78/ipd-cpv-adv-y-x9m.html

http://www.bizrate.com/search__cat_i...__sfsk--0.html

Here are the logs you requested:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:12:29 AM 10/5/2006

+ Scan result:

E:\Biz\Desktop2\Programs and Software\CAsino SoftWAre\casino tropez\SetupCasino.exe -> Adware.Casino : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3933A2D4-313C-CB82-3FF9-E9660D4850AF} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1267699857-2275037637-1995648789-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA0E41C6-7850-AD03-4758-F830E674D570} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP368\A0041682.dll -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0042816.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0042818.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042860.dll -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042862.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042863.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
D:\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
E:\Biz\Desktop2\Programs and Software\Euin Chia\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
E:\TrackthatAd\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
HKU\S-1-5-21-1267699857-2275037637-1995648789-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7475D3FD-5D85-49DB-8B9B-6968467B2D80} -> Adware.InstantBuzz : Cleaned with backup (quarantined).
HKU\S-1-5-21-1267699857-2275037637-1995648789-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B8D60EBB-5565-4392-957B-7164BA087AD4} -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP388\A0042302.dll -> Downloader.ConHook.ah : Cleaned with backup (quarantined).
C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.

::Report end

Panda Active Scan Report

Incident Status Location

Adware:adware/sahagent Not disinfected c:\windows\system32\bqrufs5f.dat
Adware:adware/psic Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Start Menu\ClickMe.url
Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch
Spyware:spyware/apropos Not disinfected c:\program files\SysAI
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@ad.yieldmanager[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@apmebf[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@as-us.falkag[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@doubleclick[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@qksrv[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@stats1.reliablestats[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@trafficmp[1].txt
Adware:Adware/I-search.us Not disinfected C:\WINDOWS\ScrBlaze.scr
Potentially unwanted tool:Application/FunWeb Not disinfected D:\hijackthis\backups\backup-20061003-134315-836.inf

Logfile of HijackThis v1.99.1
Scan saved at 11:13:17 AM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\drivers\NSW2005\NAV\EXTERNAL\NORTON\APP\NAVSHEXT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

**Glaswegian** · 10-05-2006, 01:13 PM

Hi again

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below.

Downloads
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Download this file - combofix.exe to your desktop. Alternative download location here.

IMPORTANT - You must place combofix on your desktop!!

Double click combofix.exe & follow the prompts.

When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Reboot
Reboot your system in Safe Mode.

Restart the computer. The computer begins processing a set of instructions known as BIOS.
After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
Instead of Windows loading as normal, a menu should appear
Use the arrow key to highlight Safe Mode and press Enter.

File Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

c:\windows\system32\bqrufs5f.dat
C:\Documents and Settings\Merle Miller.D9DYK641\Start Menu\ClickMe.url
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\SysAI
C:\WINDOWS\ScrBlaze.scr

Run Apropos Fix
Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Reboot
Reboot your system in Normal Mode.

Online Scan
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:

Scan using the following Anti-Virus database:

Extended

Scan Options:

Scan Archives
Scan Mail Bases

Click OK

Now under select a target to scan: Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.
Copy and paste that information in your next post.

Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Logs required
combofix.txt
the log.txt file in the aproposfix folder
Kaspersky Log
HijackThis Log

Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode.

kbnet56 · 10-05-2006, 10:44 PM

As far as my computer.. i think there is still some pages popping up.. they did durring the Kaspersky scan.. here are the logs you wanted..

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\aproposfix

************

Registry entries found:

************

No service found!

Removing hidden folder:
No folder found!

Deleting files:

Backing up files:
Done!

Removing registry entries:

REGEDIT4

Done!

Finished!

Merle Miller - 06-10-05 21:48:36.20 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Merle Miller.D9DYK641\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-05 to 2006-10-05 ))))))))))))))))))))))))))))))))))

2006-10-05 12:35 91,904 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-10-05 12:35 4,608 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
2006-10-05 12:35 124,016 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-10-04 22:21 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2006-09-22 20:15 23,442 --a------ C:\WINDOWS\SYSTEM32\jkklm.exe
2006-09-22 20:15 16,934 --a------ C:\WINDOWS\SYSTEM32\lcp361.dll
2006-09-21 13:38 228,868 --a------ C:\WINDOWS\ScrBlaze.scr

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-10-05 21:09 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-05 20:07 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-05 17:27 -------- d-a------ C:\Program Files\Common Files
2006-10-05 17:27 -------- d-------- C:\Program Files\Common Files\Astech
2006-10-05 13:03 -------- d-------- C:\Program Files\Norton SystemWorks
2006-10-05 12:51 -------- d-------- C:\Program Files\Symantec
2006-10-05 12:50 -------- d-------- C:\Program Files\SymNetDrv
2006-10-05 10:20 -------- d-------- C:\Program Files\Windows Defender
2006-10-05 10:15 -------- d-------- C:\Program Files\Messenger
2006-10-05 10:15 -------- d-------- C:\Program Files\Internet Explorer
2006-10-05 10:14 -------- d-------- C:\Program Files\Google
2006-10-05 10:13 -------- d-------- C:\Program Files\Common Files\LightScribe
2006-09-29 10:06 157 --a------ C:\Documents and Settings\Merle Miller.D9DYK641\Application Data\ntl.ini
2006-09-26 13:43 -------- d-------- C:\Documents and Settings\Merle Miller.D9DYK641\Application Data\Lavasoft
2006-09-26 13:42 -------- d-------- C:\Program Files\Lavasoft
2006-09-25 06:22 -------- d-------- C:\Program Files\VistaPrint
2006-09-21 09:22 2231 --a------ C:\Documents and Settings\Merle Miller.D9DYK641\Application Data\ntl.nws
2006-09-15 22:01 -------- d-------- C:\Program Files\Header Generator
2006-09-05 23:13 -------- d-------- C:\Program Files\NoteTab Light
2006-08-31 18:59 -------- d-------- C:\Documents and Settings\Merle Miller.D9DYK641\Application Data\HP
2006-08-28 18:48 -------- d-------- C:\Program Files\MyWebSearch
2006-08-28 09:35 -------- d-------- C:\Program Files\MSN Messenger
2006-08-26 01:21 -------- d-------- C:\Program Files\eVoice Player 1.0
2006-08-23 22:03 -------- d-------- C:\Program Files\FunWebProducts
2006-08-21 18:09 -------- d---s---- C:\Documents and Settings\Merle Miller.D9DYK641\Application Data\Microsoft
2006-08-21 07:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-07-27 08:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\\Program Files\\IncrediMail\\bin\\IncMail.exe /c"
"Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Ulead AutoDetector v2"="C:\\Program Files\\Common Files\\Ulead Systems\\AutoDetector\\monitor.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HP Software Update"="D:\\HP\\HP Software Update\\HPWuSchd2.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,cc,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,cc,03,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkbMonitor.exe.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\NkbMonitor.exe.lnk"
"backup"="C:\\WINDOWS\\pss\\NkbMonitor.exe.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Nikon\\PICTUR~1\\NKBMON~1.EXE "
"item"="NkbMonitor.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\!AVG Anti-Spyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgas"
"hkey"="HKLM"
"command"="\"D:\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BuildBU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bldbubg"
"hkey"="HKLM"
"command"="c:\\dell\\bldbubg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcagent"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\McRegWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcregwiz"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcregwiz.exe /autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkUFind"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mm_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"D:\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCMService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PCMService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Sonic RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\StorageGuard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WebArmyKnife]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wak"
"hkey"="HKLM"
"command"="C:\\Program Files\\Web Army Knife\\wak.exe q"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lcp361

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061005-000959-124
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
backup-20061005-000959-168
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
backup-20061005-000401-364
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
backup-20061004-225153-152
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
backup-20061004-224945-366
O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file)
backup-20061004-224944-708
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
backup-20061004-224944-309
O19 - User stylesheet: (file missing)
backup-20061004-224944-511
O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/?
backup-20061004-224944-187
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\system32\shdocvw.dll
backup-20061004-224944-372
O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe
backup-20061004-224944-482
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
backup-20061004-224944-702
O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file)
backup-20061004-224944-254
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
backup-20061003-134315-836
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Merle Miller.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job

Completion time: Thu 10/05/2006 21:49:13.31
ComboFix.txt

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 06, 2006 12:37:55 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/10/2006
Kaspersky Anti-Virus database records: 229283
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 168912
Number of viruses found: 5
Number of infected objects: 12 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:39:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-07122006-115330.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AnalOralWinMain1.zip/winmain.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AnalOralWinMain1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-10-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{1D304FBF-F3D4-43A2-92A1-3964273995CF} Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Temp\Perflib_Perfdata_140.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Temp\Perflib_Perfdata_dc4.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Temp\Perflib_Perfdata_f4c.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\ntuser.dat Object is locked skipped
C:\Documents and Settings\Merle Miller.D9DYK641\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0042817.dll Infected: not-a-virus:AdWare.Win32.InstantBuzz.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042861.dll Infected: not-a-virus:AdWare.Win32.InstantBuzz.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP414\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\jtdloumd.fbe Infected: Trojan.Win32.Agent.md skipped
C:\WINDOWS\SYSTEM32\lcp361.dll Infected: Packed.Win32.Klone.k skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\hijackthis\backups\backup-20061004-224944-482.dll Infected: Packed.Win32.Klone.k skipped
D:\hijackthis\backups\backup-20061004-225153-152.dll Infected: Packed.Win32.Klone.k skipped
D:\hijackthis\backups\backup-20061005-000401-364.dll Infected: Packed.Win32.Klone.k skipped
D:\hijackthis\backups\backup-20061005-000959-168.dll Infected: Packed.Win32.Klone.k skipped
D:\RECYCLER\NPROTECT\00000039.EXE Infected: not-a-virus:AdWare.Win32.InstantBuzz.a skipped
D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\RECYCLER\NPROTECT\00000003.EXE Infected: not-a-virus:AdWare.Win32.InstantBuzz.a skipped
E:\RECYCLER\NPROTECT\00000004.EXE Infected: not-a-virus:AdWare.Win32.InstantBuzz.a skipped
E:\RECYCLER\NPROTECT\00000005.EXE Infected: not-a-virus:AdWare.Win32.Casino.w skipped
E:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\RECYCLED\NPROTECT\NPROTECT.LOG Object is locked skipped
G:\RECYCLED\NPROTECT\NPROTECT.LOG Object is locked skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 12:39:19 AM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

thank you
Kay Brown

**Glaswegian** · 10-06-2006, 01:47 PM

Hi again Kay

This is a stubborn one, so we’ll bring in some heavy artillery.

Registry Fix
Click on the zip file attached to this post to open and extract the file kbnet.reg to your desktop. Double click on the file kbnet.reg to run it. Answer yes to any prompts and allow it to merge into the Registry.

Delete the following folder (if it still exists)

C:\Program Files\Viewpoint

1. Please download The Avenger to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:

Files to delete:
C:\WINDOWS\system32\lcp361.dll
C:\WINDOWS\SYSTEM32\jkklm.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt at the end of this fix.

Please post back with avenger.txt and a fresh HijackThis Log.

kbnet56 · 10-06-2006, 05:37 PM

Hi.. looks like some headway was made on this one.. I sure appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 7:32:39 PM, on 10/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
D:\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: lcp361 - lcp361.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mpcinxco

*******************

Script file located at: \??\C:\WINDOWS\system32\eeiywhur.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\lcp361.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\jkklm.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Thank you..
Kay Brown

**Glaswegian** · 10-07-2006, 07:35 AM

Hi Kay

Looking better – how’s the system now?

Run a scan with HijackThis and fix these entries

O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll (file missing)
O20 - Winlogon Notify: lcp361 - lcp361.dll (file missing)

Pick any one of these online scanners and run a scan – post back with any log produced.

http://housecall.trendmicro.com/ <- - you can use Firefox for this scanner
http://www3.ca.com/virusinfo/virusscan.aspx
http://www.bitdefender.com/scan/license.php
http://us.mcafee.com/root/mfs/default.asp
http://security.symantec.com/sscv6/d...d=ie&venid=sym

kbnet56 · 10-08-2006, 09:09 PM

Hey wanted to thank you. My computer is running great now. I made a donation through paypal. thanks a lot. You guys are performing a valuable service.

**Glaswegian** · 10-09-2006, 01:55 PM

Hi again Kay

I take it the online scan was clear? And thank you for your kind donation – we appreciate that and it helps to keep this site going.

If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure.

You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them.

Reset Hidden/System Files
To reset your hidden and system files:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

System Restore
To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

IMPORTANT!!!
Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Window's Update to get the KB912919 patch if you have not already done so.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

Spyware Blaster to help prevent spyware from installing in the first place.
Spyware Guard to catch and block spyware before it can execute.
Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here.

Ad-aware
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here.

IE-SPYAD
IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here.

SnoopFree
SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Sygate Personal Firewall
ZoneAlarm
Tiny Personal Firewall

Anti Virus Software
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners:
Anti-Spyware Tutorial

Here are three very good free Antivirus products which are available:
BitDefender Free
Avast!
AVG

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

Other Protection
Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

PC Safety & Security - What Do I Need?.
Making Internet Explorer Safer.

Keep clean and safe and enjoy your computing!

Please respond to this thread one more time so we can mark this thread as resolved.

kbnet56 · 10-10-2006, 07:20 AM

I will do what you suggested. I plan on making periodic donations as you guys are truely doing something beneficial for people with nothing asked in return.. thank you again.
Kay Brown

09-27-2006, 11:58 PM	#1 (permalink)
kbnet56 Registered User Join Date: Sep 2006 Posts: 12 OS: xp	Hello, can some one take a look at this hijackthis log file for me I have run my nortons antivirus and adaware se pro along with the vx2 cleaner and it said I was clean on that end. Logfile of HijackThis v1.99.1 Scan saved at 1:54:24 AM, on 9/28/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\alg.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe D:\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Instant Buzz\IBDaemon.exe C:\Program Files\Windows Defender\MSASCui.exe D:\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\SYSTEM32\notepad.exe C:\Program Files\Common Files\Symantec Shared\Nmain.exe C:\WINDOWS\Explorer.EXE D:\hijackthis\HijackThis.exe C:\Program Files\Windows Defender\MpCmdRun.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file) O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\drivers\NSW2005\NAV\EXTERNAL\NORTON\APP\NAVSHEXT.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - (no file) O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/? O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O19 - User stylesheet: (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-03-2006, 02:24 PM	#2 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,944 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi and welcome to TSF. Apologies for any delay in replying, but we have been rather busy lately. Since it has been a few days since you first posted, please post a fresh HijackThis Log if you still need assistance. Thank you. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-03-2006, 09:16 PM	#3 (permalink)
kbnet56 Registered User Join Date: Sep 2006 Posts: 12 OS: xp	I would appreciate if you could look at it .. thanks Logfile of HijackThis v1.99.1 Scan saved at 11:15:07 PM, on 10/3/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe D:\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Instant Buzz\IBDaemon.exe C:\Program Files\Windows Defender\MSASCui.exe D:\HP\Digital Imaging\bin\hpqtra08.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\Explorer.EXE D:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file) O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\drivers\NSW2005\NAV\EXTERNAL\NORTON\APP\NAVSHEXT.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/? O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O19 - User stylesheet: (file missing) O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-04-2006, 12:09 PM	#4 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,944 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply. Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below. Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your system is clean. Show Hidden Files Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option. Downloads Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW! Download AVG Anti Spyware This is a 30 day trial Install AVG Anti Spyware Double-click the icon on Desktop to launch AVG On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab. Once in the Settings screen click on "Recommended actions" and then select "Quarantine". Under "Reports" Select "Automatically generate report after every scan" Un-Select "Only if threats were found" I also recommend changing the "Update interval" to something more reasonable like 12 hours. When you have finished updating, EXIT AVG Anti Spyware. Download CWShredder and run it. Click Check for Update. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit. Reboot Reboot your system in Safe Mode. Restart the computer. The computer begins processing a set of instructions known as BIOS. After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key) Instead of Windows loading as normal, a menu should appear Use the arrow key to highlight Safe Mode and press Enter. Uninstall Programmes Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present): InstantBuzz HijackThis Entries Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any) R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway O2 - BHO: (no name) - {AA0E41C6-7850-AD03-4758-F830E674D570} - (no file) O2 - BHO: (no name) - {B8D60EBB-5565-4392-957B-7164BA087AD4} - C:\PROGRA~1\INSTAN~1\IBBar.dll O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll O3 - Toolbar: Instant Bu&zz - {7475D3FD-5D85-49DB-8B9B-6968467B2D80} - C:\PROGRA~1\INSTAN~1\IBBar.dll O4 - HKLM\..\Run: [Instant Buzz Daemon] C:\Program Files\Instant Buzz\IBDaemon.exe O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\PROGRA~1\INSTAN~1\IBBar.dll O13 - WWW. Prefix: http://%65%68%74%74%70%2E%63%63/? O19 - User stylesheet: (file missing) O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll O21 - SSODL: srdJHHqQq - {A8AE52F6-0204-F85C-7DC9-F9CC9DED2C4D} - (no file) Please remember to close all other windows, including browsers then click Fix checked. File Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\Instant Buzz C:\WINDOWS\system32\lcp361.dll Run CleanUp! NOTE Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW! Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows: Click Options Move the slider button down to Custom CleanUp! Check the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked. Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted. Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility. Run AVG Anti Spyware Run AVG with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine Then click Apply all actions Once finished, click the Save report button, then click Save Report As and save it to your desktop. NOTE: AVG scan may require an hour. Reboot Reboot your system in Normal Mode. Online Scan Perform an online scan with Internet Explorer with Panda ActiveScan Click on the "Free To Use ActiveScan" located on the top right hand corner. 1. Click Check Now and a "pop up" window will appear. Please ensure that your pop up blocker doesn't block it 2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place * Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later. Click on See report then click Save report You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan Logs required Ewido Log Panda Log HijackThis Log Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-05-2006, 09:16 AM	#5 (permalink)
kbnet56 Registered User Join Date: Sep 2006 Posts: 12 OS: xp	I did what you asked me.. somethings wouldnt delete Ok, I did everything you said, included in this post is the AVG Antispyware log the Panda Active Active scan log, a new Hijackthis log. If you notice, I have been unable to delete: O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll C:\WINDOWS\system32\lcp361.dll When I go into Windows/system32 and manually try to delete lcp361.dll it won't delete. It says it is being used by another person or program. I have tried to delete it from a clean boot where no programs but basic system programs load.. to no avail. I have tried to delete it in safemode to no avail. What my computer is doing is for no apparent reason, I do not even have to be surfing the net.. it will bring up a full web page ad .. sometimes my speakers will just start playing some music with some advertisment like a radio is on.. here are some of the urls of the pages that have popped up.. alot are in relation to spyware, however.. some are totally unrelated: http://www.winantivirus.com/download...soft&ex=1&ax=1 http://www.winantiviruspro.com/pages...d=http+com+nav http://www.amaena.com/pastelblue/?mp...d=dn_kn_swmplx http://70.87.13.78/ipd-cpv-adv-y-x9m.html http://www.bizrate.com/search__cat_i...__sfsk--0.html Here are the logs you requested: --------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 5:12:29 AM 10/5/2006 + Scan result: E:\Biz\Desktop2\Programs and Software\CAsino SoftWAre\casino tropez\SetupCasino.exe -> Adware.Casino : Cleaned with backup (quarantined). HKLM\SOFTWARE\Classes\CLSID\{3933A2D4-313C-CB82-3FF9-E9660D4850AF} -> Adware.CoolWebSearch : Cleaned with backup (quarantined). HKU\S-1-5-21-1267699857-2275037637-1995648789-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AA0E41C6-7850-AD03-4758-F830E674D570} -> Adware.CoolWebSearch : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP368\A0041682.dll -> Adware.InstantBuzz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0042816.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP402\A0042818.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042860.dll -> Adware.InstantBuzz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042862.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP405\A0042863.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). D:\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). E:\Biz\Desktop2\Programs and Software\Euin Chia\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). E:\TrackthatAd\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined). HKU\S-1-5-21-1267699857-2275037637-1995648789-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7475D3FD-5D85-49DB-8B9B-6968467B2D80} -> Adware.InstantBuzz : Cleaned with backup (quarantined). HKU\S-1-5-21-1267699857-2275037637-1995648789-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B8D60EBB-5565-4392-957B-7164BA087AD4} -> Adware.InstantBuzz : Cleaned with backup (quarantined). C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP388\A0042302.dll -> Downloader.ConHook.ah : Cleaned with backup (quarantined). C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned. ::Report end Panda Active Scan Report Incident Status Location Adware:adware/sahagent Not disinfected c:\windows\system32\bqrufs5f.dat Adware:adware/psic Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Start Menu\ClickMe.url Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch Spyware:spyware/apropos Not disinfected c:\program files\SysAI Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@ad.yieldmanager[1].txt Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@apmebf[1].txt Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@as-us.falkag[1].txt Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@atdmt[1].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@doubleclick[2].txt Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@qksrv[2].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@stats1.reliablestats[2].txt Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Merle Miller.D9DYK641\Cookies\merle miller@trafficmp[1].txt Adware:Adware/I-search.us Not disinfected C:\WINDOWS\ScrBlaze.scr Potentially unwanted tool:Application/FunWeb Not disinfected D:\hijackthis\backups\backup-20061003-134315-836.inf Logfile of HijackThis v1.99.1 Scan saved at 11:13:17 AM, on 10/5/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE D:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe D:\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe D:\HP\Digital Imaging\bin\hpqtra08.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\SYSTEM32\notepad.exe C:\PROGRA~1\COMMON~1\MICROS~1\Msinfo\OFFPROV.EXE C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\Explorer.EXE D:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/ O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\drivers\NSW2005\NAV\EXTERNAL\NORTON\APP\NAVSHEXT.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: lcp361 - C:\WINDOWS\SYSTEM32\lcp361.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

10-05-2006, 01:13 PM	#6 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,944 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers when you are following the procedures below. Downloads Please download AproposFix from here: http://swandog46.geekstogo.com/aproposfix.exe Save it to your desktop but do NOT run it yet. Download this file - combofix.exe to your desktop. Alternative download location here. IMPORTANT - You must place combofix on your desktop!! Double click combofix.exe & follow the prompts. When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. Reboot Reboot your system in Safe Mode. Restart the computer. The computer begins processing a set of instructions known as BIOS. After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key) Instead of Windows loading as normal, a menu should appear Use the arrow key to highlight Safe Mode and press Enter. File Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. c:\windows\system32\bqrufs5f.dat C:\Documents and Settings\Merle Miller.D9DYK641\Start Menu\ClickMe.url c:\program files\FunWebProducts c:\program files\MyWebSearch c:\program files\SysAI C:\WINDOWS\ScrBlaze.scr Run Apropos Fix Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. Reboot Reboot your system in Normal Mode. Online Scan Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note of the name(s) and location(s) of any file(s) it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan Logs required combofix.txt the log.txt file in the aproposfix folder Kaspersky Log HijackThis Log Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced from Normal Mode. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-06-2006, 05:37 PM	#9 (permalink)
kbnet56 Registered User Join Date: Sep 2006 Posts: 12 OS: xp	Hi again Hi.. looks like some headway was made on this one.. I sure appreciate it. Logfile of HijackThis v1.99.1 Scan saved at 7:32:39 PM, on 10/6/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe D:\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe D:\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\WINDOWS\system32\notepad.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\NOTEPAD.EXE D:\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/ O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll (file missing) O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HP Software Update] D:\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\shdocvw.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {A91DEB0D-AD0D-453E-9AC8-60178EC24212} - http://thesecret.tv/movie/player/vivid_ocx.jpeg O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O20 - Winlogon Notify: lcp361 - lcp361.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - d:\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Merle Miller.D9DYK641\Desktop\CWShredder.exe (file missing) O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\mpcinxco ***************** Script file located at: \??\C:\WINDOWS\system32\eeiywhur.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: File C:\WINDOWS\system32\lcp361.dll deleted successfully. File C:\WINDOWS\SYSTEM32\jkklm.exe deleted successfully. Completed script processing. ***************** Finished! Terminate. Thank you.. Kay Brown

10-07-2006, 07:35 AM	#10 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,944 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi Kay Looking better – how’s the system now? Run a scan with HijackThis and fix these entries O2 - BHO: (no name) - {D3153544-0F65-496C-8F40-8147612C91A8} - C:\WINDOWS\system32\lcp361.dll (file missing) O20 - Winlogon Notify: lcp361 - lcp361.dll (file missing) Pick any one of these online scanners and run a scan – post back with any log produced. http://housecall.trendmicro.com/ <- - you can use Firefox for this scanner http://www3.ca.com/virusinfo/virusscan.aspx http://www.bitdefender.com/scan/license.php http://us.mcafee.com/root/mfs/default.asp http://security.symantec.com/sscv6/d...d=ie&venid=sym __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-08-2006, 09:09 PM	#11 (permalink)
kbnet56 Registered User Join Date: Sep 2006 Posts: 12 OS: xp	Hey wanted to thank you. My computer is running great now. I made a donation through paypal. thanks a lot. You guys are performing a valuable service.

10-09-2006, 01:55 PM	#12 (permalink)
Glaswegian Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic Join Date: Sep 2005 Location: Glasgow Posts: 23,944 OS: Win XP Pro SP3 / Win 7 RC My System Blog Entries: 10	Hi again Kay I take it the online scan was clear? And thank you for your kind donation – we appreciate that and it helps to keep this site going. If there are no more problems we’ll just tidy up and I’ll let you go, along with my recommendations for staying safe and secure. You can go ahead and delete any special tools we used (SmitRem, SmitfraudFix, ComboFix, etc). They won't serve a future purpose and are replaced with updated versions frequently, so the copies you have are probably already out of date and there is therefore no need to keep them. Reset Hidden/System Files To reset your hidden and system files: Click *Start.* Open *My Computer.* Select the *Tools menu* and click *Folder Options.* Select the *View* tab. Deselect the *Show hidden files and folders* option. Select the *Hide file extensions for known types* option. Select the *Hide protected operating system files* option. Click *Yes* to confirm. Click *OK.* System Restore To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK. To turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. This will create a new Restore Point. IMPORTANT!!! Please ensure that Windows is patched against the WMF exploit. This is a dangerous vulnerability that opens the door to multiple infections. Visit Window's Update to get the KB912919 patch if you have not already done so. Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here. *Ad-aware* Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here. *IE-SPYAD* IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here. *SnoopFree* SnoopFree is a real time monitor that notifies you when a programme wants to record your keystrokes or read your screen. Note that SnoopFree is only for XP systems. *MVPS Hosts File* The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file. *Alternate Browsers* Try the following free alternate browsers rather than Internet Explorer Firefox Opera Maxthon *Firewalls* A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall ZoneAlarm Tiny Personal Firewall *Anti Virus Software* It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online antivirus scanners: Anti-Spyware Tutorial Here are three very good free Antivirus products which are available: BitDefender Free Avast! AVG It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. *Other Protection* Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles PC Safety & Security - What Do I Need?. Making Internet Explorer Safer. Keep clean and safe and enjoy your computing! Please respond to this thread one more time so we can mark this thread as resolved. __________________ Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums. Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::Photographers Corner

10-10-2006, 07:20 AM	#13 (permalink)
kbnet56 Registered User Join Date: Sep 2006 Posts: 12 OS: xp	I will do what you suggested. I plan on making periodic donations as you guys are truely doing something beneficial for people with nothing asked in return.. thank you again. Kay Brown