Old 10-28-2006, 04:22 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Casino Popups

I was getting a lot of casino popups. The five step plan seems to have rooted a lot of problems out. Here is my HJT log. Thanks for all your hard work !

Logfile of HijackThis v1.99.1
Scan saved at 5:21:51 PM, on 10/28/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {3AB22F17-CA81-E459-82F9-B66932FA86B7} - C:\WINDOWS\System32\fnjmqec.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3AB22F17-CA81-E459-82F9-B66932FA86B7} - C:\WINDOWS\System32\fnjmqec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
Zemog is offline  

Old 10-28-2006, 09:35 PM   #2 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


I forgot to say the suspect program I think is "Qoobox\purity". It keeps coming back. I hope that helps you guys. Thanks again.
Zemog is offline  
Old 10-31-2006, 11:02 AM   #3 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------


1. Download this file from one of these locations:

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe


* IMPORTANT !!! Place it on your Desktop.


2. Go to Start -> Run and then paste in this single line command & click OK
"%userprofile%\desktop\combofix.exe" /v fnjmqec


Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

3. When finished, it shall produce a log for you. Post that log in your next reply.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

R3 - URLSearchHook: (no name) - {3AB22F17-CA81-E459-82F9-B66932FA86B7} - C:\WINDOWS\System32\fnjmqec.dll
O2 - BHO: (no name) - {3AB22F17-CA81-E459-82F9-B66932FA86B7} - C:\WINDOWS\System32\fnjmqec.dll


Close HijackThis now.

---------------------------------------------------------------------------------------------

Then, do this:

IMPORTANT!:


Before we can proceed any further, please use the direct link below and install Service Pack 1a (SP1a) for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.

Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid, then you may not have a legitimate copy of Windows XP. Unfortunately it's also this forum's policy that we only address users with a legal copy of Windows XP, therefore if you cannot update Windows XP to SP1 we must stop the cleansing process here.

**Note** If you're having trouble locating the service pack SP1a, here is a direct link to download it from:

http://download.microsoft.com/downlo...p1a_en_x86.exe



Thank you for your cooperation.

---------------------------------------------------------------------------------------------


Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
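As an added illustration (not code from this thread, from HijackThis or from ComboFix), the script below parses the CLSID-bearing lines of a HijackThis log and applies the cues the helper used above to single out the fnjmqec.dll entries: one CLSID registered as both an R3 URLSearchHook and an O2 BHO, an unnamed component loaded out of System32, and registrations whose file is missing. The sample log is constructed from the first post's entries, and the three heuristics are assumptions of this example, not HijackThis's own logic.

```python
import re
from collections import defaultdict

# Constructed sample input: the browser-hook lines from the first HijackThis
# log in this thread, plus the Google toolbar entries as a benign contrast.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {3AB22F17-CA81-E459-82F9-B66932FA86B7} - C:\WINDOWS\System32\fnjmqec.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3AB22F17-CA81-E459-82F9-B66932FA86B7} - C:\WINDOWS\System32\fnjmqec.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# One HijackThis entry: "<section> - <kind>: <name> - {CLSID} - <path>"
ENTRY_RE = re.compile(
    r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_hjt(text):
    """Return a list of dicts, one per CLSID-bearing entry in the log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["line"] = line
            rec["clsid"] = rec["clsid"].upper()  # HJT prints CLSIDs in mixed case
            entries.append(rec)
    return entries


def triage(entries):
    """Apply three assumed heuristics and return {line: [reasons]} for
    every entry that deserves a second look."""
    sections_by_clsid = defaultdict(set)
    for e in entries:
        sections_by_clsid[e["clsid"]].add(e["section"])

    findings = {}
    for e in entries:
        reasons = []
        path = e["path"].lower()
        sections = sections_by_clsid[e["clsid"]]
        # 1. One CLSID registered under several hook types (here R3 + O2):
        #    a single component hooking both search and every IE window.
        if len(sections) > 1:
            reasons.append("same CLSID used in sections " + "+".join(sorted(sections)))
        # 2. Unnamed component loaded straight out of the Windows system folder.
        if e["name"] == "(no name)" and "\\system32\\" in path:
            reasons.append("unnamed component in System32")
        # 3. Registration points at a file that no longer exists: stale entry.
        if path.endswith("(file missing)"):
            reasons.append("file missing (stale entry)")
        if reasons:
            findings[e["line"]] = reasons
    return findings


def flagged_paths(text):
    """Convenience wrapper: the set of file paths that triage() flagged."""
    entries = parse_hjt(text)
    hits = triage(entries)
    return {e["path"] for e in entries if e["line"] in hits}


if __name__ == "__main__":
    for line, why in triage(parse_hjt(SAMPLE_HJT_LOG)).items():
        print(line)
        print("    ->", "; ".join(why))
```

Run against the full log from the first post, it reports only the two fnjmqec.dll entries and the stale BitDefender button; the Spybot SDHelper line is also "(no name)" but lives under Program Files, so it is not flagged.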
Old 10-31-2006, 04:45 PM   #4 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Here is the log. Thank you once again.
Logfile of HijackThis v1.99.1
Scan saved at 6:37:27 PM, on 10/31/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = CBC.CA - Canada's News, Money, Sports, Health, Technology & Science, Consumer Life, Arts, and Kids Information Source
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Zemog is offline  
Old 10-31-2006, 06:17 PM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


Please also post the ComboFix log, located at C:\ComboFix.txt
tetonbob is offline  
Old 10-31-2006, 06:20 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


In addition to my previous post....

You appear to have installed AVG Anti-Spyware since your first log was posted.

Did you run a scan, and act upon any finds?

Please also post its report. It should be located at:

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports
tetonbob is offline  
Old 10-31-2006, 06:36 PM   #7 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Thanks for your quick reply. Here is the ComboFix log. The AVG report log was empty.

ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator.WYLIECOYOTE\desktop"
Command switches used :: /v fnjmqec

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator.WYLIECOYOTE\My Documents\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Administrator.WYLIECOYOTE\My Documents\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\Administrator.WYLIECOYOTE\My Documents\ASEMBL~1\M?crosoft.NET
C:\QooBox\Purity\Documents and Settings\Administrator.WYLIECOYOTE\My Documents\YSTEM3~1\m?config_exe.vir


((((((((((((((((((((((((((((((( Files Created from 2006-09-31 to 2006-10-31 ))))))))))))))))))))))))))))))))))


2006-10-31 15:11 3,324,672 --a------ C:\IE6.0-KB834707-WindowsXP-x86-ENU.exe
2006-10-31 15:03 3,211,016 --a------ C:\IE6.0sp1-KB873377-Windows-2000-XP-x86-ENU.exe
2006-10-31 12:27 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-31 12:25 6,460,936 --a------ C:\avgas-setup-7.5.0.47.exe
2006-10-29 12:11 106 --a------ C:\delete.bat
2006-10-29 12:09 40,448 --a------ C:\NoLop.exe
2006-10-28 03:32 778,656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-28 03:32 4,288 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-28 03:32 27,904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-28 03:32 23,104 --a------ C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-10-27 21:40 859,856 --a------ C:\vx2cleaner_inst.exe
2006-10-25 22:02 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2006-10-25 21:53 50,176 --a------ C:\WINDOWS\system32\dpwsockx.dll
2006-10-25 21:53 214,528 --a------ C:\WINDOWS\system32\dplayx.dll
2006-10-25 21:41 16,384 --a------ C:\WINDOWS\system32\nddenb32.dll
2006-10-25 21:41 107,008 --a------ C:\WINDOWS\system32\netdde.exe
2006-10-25 21:04 84,992 --a------ C:\WINDOWS\system32\fldrclnr.dll
2006-10-25 21:04 38,400 --a------ C:\WINDOWS\system32\grpconv.exe
2006-10-25 21:04 37,376 --a------ C:\WINDOWS\system32\ntlanman.dll
2006-10-25 21:04 15,872 --a------ C:\WINDOWS\system32\linkinfo.dll
2006-10-25 19:36 831,519 --a------ C:\WINDOWS\system32\mswdat10.dll
2006-10-25 19:36 614,431 --a------ C:\WINDOWS\system32\mswstr10.dll
2006-10-25 19:36 552,989 --a------ C:\WINDOWS\system32\msrepl40.dll
2006-10-25 19:36 53,279 --a------ C:\WINDOWS\system32\msjter40.dll
2006-10-25 19:36 512,029 --a------ C:\WINDOWS\system32\msexch40.dll
2006-10-25 19:36 421,919 --a------ C:\WINDOWS\system32\msrd2x40.dll
2006-10-25 19:36 358,976 --a------ C:\WINDOWS\system32\msjetoledb40.dll
2006-10-25 19:36 348,189 --a------ C:\WINDOWS\system32\msxbde40.dll
2006-10-25 19:36 348,189 --a------ C:\WINDOWS\system32\mspbde40.dll
2006-10-25 19:36 319,517 --a------ C:\WINDOWS\system32\msexcl40.dll
2006-10-25 19:36 315,423 --a------ C:\WINDOWS\system32\msrd3x40.dll
2006-10-25 19:36 30,749 --a------ C:\WINDOWS\system32\vbajet32.dll
2006-10-25 19:36 258,077 --a------ C:\WINDOWS\system32\mstext40.dll
2006-10-25 19:36 241,693 --a------ C:\WINDOWS\system32\msjtes40.dll
2006-10-25 19:36 213,023 --a------ C:\WINDOWS\system32\msltus40.dll
2006-10-25 19:36 151,583 --a------ C:\WINDOWS\system32\msjint40.dll
2006-10-25 19:36 1,507,356 --a------ C:\WINDOWS\system32\msjet40.dll
2006-10-25 18:52 238,080 --a------ C:\WINDOWS\system32\newdev.dll
2006-10-25 18:07 400,920 --a------ C:\advisor_update.exe
2006-10-25 17:43 48,640 --a------ C:\WINDOWS\system32\browser.dll
2006-10-25 15:39 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
2006-10-25 15:39 251,392 --a------ C:\WINDOWS\system32\mstask.dll
2006-10-25 15:39 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-10-25 15:34 245,760 --a------ C:\WINDOWS\system32\wow32.dll
2006-10-25 15:34 23,040 --a------ C:\WINDOWS\system32\vdmdbg.dll
2006-10-25 15:34 13,312 --a------ C:\WINDOWS\system32\ntvdmd.dll
2006-10-25 15:25 123,392 --a------ C:\WINDOWS\system32\itss.dll
2006-10-25 15:14 316,928 --a------ C:\WINDOWS\system32\zipfldr.dll
2006-10-25 15:14 30,720 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2006-10-25 14:50 646,656 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-21 17:34 977,920 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-10-21 17:34 97,280 --a------ C:\WINDOWS\system32\txflog.dll
2006-10-21 17:34 596,480 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-10-21 17:34 499,200 --a------ C:\WINDOWS\system32\comuid.dll
2006-10-21 17:34 365,568 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-10-21 17:34 226,816 --a------ C:\WINDOWS\system32\es.dll
2006-10-21 17:34 225,280 --a------ C:\WINDOWS\system32\catsrv.dll
2006-10-21 17:34 150,528 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-10-21 17:34 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-10-21 17:34 1,177,088 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-10-21 17:33 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2006-10-21 17:32 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2006-10-21 17:32 550,400 --a------ C:\WINDOWS\system32\rtcdll.dll
2006-10-21 17:32 454,656 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-10-21 17:19 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2006-10-21 16:51 55,768 --a------ C:\WINDOWS\system32\drivers\Cpqdtct.sys
2006-10-21 13:46 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-10-21 13:46 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-10-21 13:46 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-21 13:46 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-10-21 13:46 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2006-10-20 02:48 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-20 02:48 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-20 02:48 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-20 02:48 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-10-20 02:48 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-20 02:48 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-10-19 20:12 826,936 --a------ C:\blbeta.exe
2006-10-19 19:21 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2006-10-19 17:22 2 --a------ C:\WINDOWS\system32\wtsit.exe
2006-10-15 18:22 2,180,096 --a------ C:\WINDOWS\system32\drivers\lvsvf2.sys
2006-10-15 18:15 53,248 -ra------ C:\WINDOWS\system32\InstMed.exe
2006-10-15 18:14 372,736 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2006-10-15 18:14 22,016 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2006-10-15 18:14 204,800 --a------ C:\WINDOWS\system32\LVUI2.dll
2006-10-15 18:14 204,800 --a------ C:\WINDOWS\system32\LVCodec2.dll
2006-10-15 18:14 163,328 --a------ C:\WINDOWS\system32\drivers\LV532AV.SYS
2006-10-15 18:14 106,496 --a------ C:\WINDOWS\system32\lvcoinst.dll
2006-10-15 18:13 856,064 --a------ C:\WINDOWS\system32\Ltwvc12n.dll
2006-10-15 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-15 18:13 466,944 --a------ C:\WINDOWS\system32\QCUI2.dll
2006-10-15 18:13 462,848 --a------ C:\WINDOWS\system32\LCamCpl.dll
2006-10-15 18:13 406,016 --a------ C:\WINDOWS\system32\ltkrn12n.dll
2006-10-15 18:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-10-15 18:13 215,552 --a------ C:\WINDOWS\system32\Lvkrn12n.dll
2006-10-15 18:13 164,864 --a------ C:\WINDOWS\system32\ltimg12n.dll
2006-10-15 18:13 131,072 --a------ C:\WINDOWS\system32\ltfil12n.DLL
2006-10-15 18:12 90,112 --a------ C:\WINDOWS\system32\LQCUI2.dll
2006-10-15 18:12 78,336 --a------ C:\WINDOWS\system32\lffax12n.dll
2006-10-15 18:12 328,704 --a------ C:\WINDOWS\system32\LFCMP12n.DLL
2006-10-15 18:12 30,720 --a------ C:\WINDOWS\system32\lfbmp12n.dll
2006-10-15 18:12 259,072 --a------ C:\WINDOWS\system32\LTDIS12n.dll
2006-10-15 18:12 207,872 --a------ C:\WINDOWS\system32\ltefx12n.dll
2006-10-15 18:12 141,312 --a------ C:\WINDOWS\system32\lftif12n.dll
2006-10-15 17:34 44,032 -ra------ C:\WINDOWS\system32\msxml3r.dll
2006-10-15 16:26 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-10-13 16:56 3,513,168 --a------ C:\sp26752.exe
2006-10-13 13:00 198,424 --a------ C:\WINDOWS\system32\iuengine.dll
2006-10-12 17:45 8,064 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2006-10-12 17:45 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2006-10-12 17:45 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2006-10-12 17:45 14,592 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys
2006-10-12 17:45 10,752 --a------ C:\WINDOWS\system32\drivers\SLIP.sys
2006-10-12 17:44 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2006-10-12 17:44 16,256 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2006-10-12 17:43 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-10-12 17:35 65,536 --a------ C:\WINDOWS\system32\MFC71DEU.DLL
2006-10-12 17:35 61,440 --a------ C:\WINDOWS\system32\MFC71ITA.DLL
2006-10-12 17:35 61,440 --a------ C:\WINDOWS\system32\MFC71ESP.DLL
2006-10-12 17:35 57,344 --a------ C:\WINDOWS\system32\MFC71ENU.DLL
2006-10-12 17:35 49,152 --a------ C:\WINDOWS\system32\MFC71KOR.DLL
2006-10-12 17:35 49,152 --a------ C:\WINDOWS\system32\MFC71JPN.DLL
2006-10-12 17:35 45,056 --a------ C:\WINDOWS\system32\MFC71CHT.DLL
2006-10-12 17:35 40,960 --a------ C:\WINDOWS\system32\MFC71CHS.DLL
2006-10-12 17:35 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2006-10-12 17:35 1,047,552 --a------ C:\WINDOWS\system32\MFC71u.dll
2006-10-08 02:16 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2006-10-08 02:11 6,512,888 --a------ C:\winamp53_full_emusic-7plus.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-31 16:01 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-31 15:57 -------- d-------- C:\Program Files\321Studios
2006-10-31 15:54 -------- d-------- C:\Program Files\BitComet
2006-10-31 15:21 -------- d-------- C:\Program Files\backups
2006-10-31 13:20 4367 --a------ C:\Program Files\hijackthis.log
2006-10-31 12:27 -------- d-------- C:\Program Files\Grisoft
2006-10-30 23:28 -------- d-------- C:\Program Files\Windows Media Player
2006-10-30 23:28 -------- d-------- C:\Program Files\Winamp
2006-10-30 23:25 -------- d-------- C:\Program Files\QuickTime
2006-10-30 23:25 -------- d-------- C:\Program Files\NavNT
2006-10-30 23:19 -------- d-------- C:\Program Files\Internet Explorer
2006-10-30 23:19 -------- d-------- C:\Program Files\IE New Window Maximizer
2006-10-30 23:19 -------- d-------- C:\Program Files\Google
2006-10-29 16:10 -------- d-------- C:\Program Files\SpeedFan
2006-10-28 11:19 -------- d-------- C:\Program Files\Common Files
2006-10-28 03:33 -------- d-------- C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\AVG7
2006-10-28 03:08 -------- d-------- C:\Program Files\WinRAR
2006-10-27 21:14 -------- d-------- C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\MSN6
2006-10-27 19:29 -------- d-------- C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Lavasoft
2006-10-27 19:28 -------- d-------- C:\Program Files\Lavasoft
2006-10-25 23:54 -------- d-------- C:\Program Files\Outlook Express
2006-10-25 23:54 -------- d-------- C:\Program Files\Common Files\System
2006-10-25 23:35 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-25 23:31 -------- d-------- C:\Program Files\Common Files\Services
2006-10-21 17:34 -------- d-------- C:\Program Files\NetMeeting
2006-10-21 16:44 -------- d-------- C:\Program Files\HP
2006-10-21 13:39 -------- d-------- C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Google
2006-10-21 12:24 -------- d-------- C:\Program Files\webcamXP
2006-10-21 12:23 -------- d-------- C:\Program Files\Deskshare
2006-10-21 12:23 -------- d-------- C:\Program Files\Common Files\DeskShare Shared
2006-10-20 02:48 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-19 20:07 -------- d-------- C:\Program Files\CCleaner
2006-10-19 19:48 -------- d-------- C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Leadertech
2006-10-19 19:46 -------- d-------- C:\Program Files\Diskeeper Corporation
2006-10-19 19:21 -------- d-------- C:\Program Files\Belarc
2006-10-19 18:52 218112 --a------ C:\Program Files\HijackThis.exe
2006-10-19 18:49 18450960 --a------ C:\Program Files\avg71free_407a808.exe
2006-10-19 18:42 -------- d-------- C:\Program Files\CyberTweak
2006-10-15 18:14 -------- d-------- C:\Program Files\Common Files\Logitech
2006-10-15 17:28 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-12 17:35 -------- d-------- C:\Program Files\Logitech
2006-10-12 17:34 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-09-28 08:37 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-12 20:18 316496 --a------ C:\814.exe
2006-09-12 20:17 184795 --a------ C:\WINDOWS\YazzleBundle-1264.exe
2006-09-11 12:20 12943784 --a------ C:\20060910-037-i32.exe
2006-09-05 20:31 -------- d-------- C:\Program Files\DivX
2006-09-04 22:24 -------- d-------- C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Symantec
2006-09-04 15:18 -------- d-------- C:\Program Files\Unlocker
2006-09-03 14:08 -------- d-------- C:\Program Files\Online Services
2006-09-03 14:08 -------- d-------- C:\Program Files\MSN
2006-09-03 14:07 517 --a------ C:\Program Files\Common Files\meco
2006-09-03 13:34 9899 --a------ C:\Program Files\321Studios.torrent
2006-08-24 19:47 115880 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-08-04 07:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 07:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Window Washer"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
"IE New Window Maximizer"="C:\\Program Files\\IE New Window Maximizer\\iemaximizer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"vptray"="C:\\PROGRA~1\\NavNT\\vptray.exe"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableCAD"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=dword:00000002
"RemoteRegistry"=dword:00000002
"RasMan"=dword:00000003
"RasAuto"=dword:00000003

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-31 16:12:39.88
C:\ComboFix.txt ... 06-10-31 16:12
Zemog is offline  
Old 10-31-2006, 06:40 PM   #8 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Sorry, I forgot to elaborate. I believe the AVG scan was acted upon, but I have no idea why the log is empty.
Zemog is offline  
Old 10-31-2006, 07:00 PM   #9 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


OK, then...I'll ask you to run another scan with it, after updating definitions and using the settings I indicate. We may find nothing, but I'd like you to invest the time.

I see you have AVG Anti-Spyware already. Please update its definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware
  • From the main screen, click on update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
  • Exit AVG Anti-Spyware. DO NOT scan yet.

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs...p_whichcpu.exe


Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.


Delete the following (if they exist):

C:\814.exe
C:\WINDOWS\YazzleBundle-1264.exe
C:\WINDOWS\system32\wtsit.exe


---------------------------------------------------------------------------------------------

Run Cleanup! using the following configuration:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Do NOT Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

Restart in normal mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan http://www.pandasoftware.com/products/activescan.htm

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report
*Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------------------------------------

Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

Create an uninstall list:

With HiJackThis still open
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notepad file into your post

---------------------------------------------------------------------------------------------

Please return with results from:

AVG Anti-Spyware
Panda
HJT
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 10-31-2006, 08:48 PM   #10 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


AVG As scan

Here is the AVG scan. I have another cleaner program, "ccleaner"; is that all right? I did a Panda scan this afternoon; I will look for the report. Is that all right?
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:29:06 PM 10/31/2006

+ Scan result:



C:\System Volume Information\_restore{2C797CAE-CADD-461C-9146-28EA092D4FB9}\RP248\A0020860.dll -> Adware.EZula : No action taken.
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : No action taken.
C:\System Volume Information\_restore{2C797CAE-CADD-461C-9146-28EA092D4FB9}\RP248\A0020909.dll -> Adware.PurityScan : No action taken.
C:\Program Files\MSN\mehe.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\Online Services\pokodecu.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\folder.js -> Hijacker.Small.jf : No action taken.
C:\Documents and Settings\Administrator.WYLIECOYOTE\Local Settings\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\Cache(2)\D536F398d01 -> Not-A-Virus.Exploit.HTML.CodeBaseExec : No action taken.
:mozilla.18:C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
:mozilla.20:C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.21:C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
:mozilla.19:C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.


::Report end
Zemog is offline  
Old 10-31-2006, 08:59 PM   #11 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


It appears as though you either saved this log before taking the prescribed actions,



Quote:
C:\System Volume Information\_restore{2C797CAE-CADD-461C-9146-28EA092D4FB9}\RP248\A0020860.dll -> Adware.EZula : No action taken.
C:\WINDOWS\Downloaded Program Files\amm06.ocx -> Adware.MediaMotor : No action taken.
C:\System Volume Information\_restore{2C797CAE-CADD-461C-9146-28EA092D4FB9}\RP248\A0020909.dll -> Adware.PurityScan : No action taken.
C:\Program Files\MSN\mehe.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\Online Services\pokodecu.html -> Hijacker.Small.jf : No action taken.
or did not set the tool correctly.

Quote:
# select the "Settings" tab.
# Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
# Under "Reports"
# Select "Automatically generate report after every scan"
# Un-Select "Only if threats were found"
It should be set to Quarantine. Please run the scan again, and have the tool Quarantine all items.

CCleaner is fine...I'd rather see a new online scan, as it will show me what's left after this fix, but show me the one you did, and we'll move forward. I may have you run a different online scan, as one may find what another does not.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009

Last edited by tetonbob; 10-31-2006 at 09:05 PM.
tetonbob is offline  
Old 10-31-2006, 09:37 PM   #12 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


I think this is the Panda scan. I forgot to run the anti-spy in safe mode; I will do that now. I ran the CCleaner with the parameters you set. Thanks once again. Here is the ActiveScan; I hope it is OK, let me know.
Incident Status Location

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.overture.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Cookies\administrator@2o7[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Cookies\administrator@bluestreak[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Cookies\administrator@overture[2].txt
Virus:Eicar.Mod Not disinfected C:\Program Files\pestpatrol\Help.chm[/HowCanITestDetection.html]
Possible Virus. Renamed C:\QooBox\Purity\Documents and Settings\Administrator.WYLIECOYOTE\My Documents\YSTEM3~1\m?config.exe
Possible Virus. Not disinfected C:\WINDOWS\system32\fnjmqec.dll
Virus:Trj/PayClicker.EC Disinfected C:\WINDOWS\system32\nsyDC.dll
Adware:Adware/PurityScan
Zemog is offline  
Old 10-31-2006, 11:33 PM   #13 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


new scans

I did what you said and set it to quarantine, but when the scan finished it would only allow me to delete; quarantine was greyed out. Anyway, here is the uninstall list, the HJT log and the AVG report. I will do the Panda scan after this post. The Grisoft "Quarantine file" has 8 data files in it; I think it was the first AVG scan. Does this help?
Thanks for your patience.

Here is the list

Ad-Aware SE Professional
Adobe Reader 7.0.7
AVG Anti-Spyware 7.5
AVG Free Edition
Belarc Advisor 7.2
CCleaner (remove only)
CyberTweak Version 1.3 Final
Diskeeper Professional Premier Edition
DivX
DivX Converter
DivX Player
DivX Web Player
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Kaspersky Online Scanner
Labtec WebCam Software
Labtec® Camera Driver
Lavasoft VX2 Cleaner
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player 8
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (1.5.0.3)
Nero 6 Ultra Edition
Norton AntiVirus Corporate Edition
OLYMPUS CAMEDIA Master 2.5
Outlook Express Q823353
Panda ActiveScan
PowerDVD
SpeedFan (remove only)
Spybot - Search & Destroy 1.4
Unlocker 1.7.8
WebCam Monitor 3.66
Winamp (remove only)
Window Washer
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873376
Windows XP Hotfix (SP2) Q819696
Windows XP Service Pack 1a
WINner Tweak Registry Cleaner XP 1.0.2
WinRAR archiver
Xenon Inc. WarDrive ToolBox

The avg


---------------------------------------------------------

+ Created at: 12:55:28 AM 11/1/2006

+ Scan result:



:mozilla.18:C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.


::Report end


HJT

Logfile of HijackThis v1.99.1
Scan saved at 1:09:56 AM, on 11/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = CBC.CA - Canada's News, Money, Sports, Health, Technology & Science, Consumer Life, Arts, and Kids Information Source
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Zemog is offline  
Old 11-01-2006, 12:51 AM   #14 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Fresh PandaScan

Here is the fresh pandascan. Thanks

Incident Status Location

Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator.WYLIECOYOTE\Application Data\Mozilla\Firefox\Profiles\96rxahom.default\cookies.txt[.mediaplex.com/]
Virus:Eicar.Mod Not disinfected C:\Program Files\pestpatrol\Help.chm[/HowCanITestDetection.html]
Possible Virus.
Zemog is offline  
Old 11-01-2006, 08:43 AM   #15 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


Clear your Firefox cookies. From the open browser, go to Tools>Options>Privacy>Cookies>Clear

Clear your IE cookies. Start>Settings>Control Panel>Internet Options>General tab>under Temporary files, click on Delete Cookies.

How is your system behaving now, please? Any more popups?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-07-2006, 11:21 AM   #16 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Sorry !

Hi Tetonbob,

I apologize for not getting back to you; I thought I had. I replied to your last post and was waiting for your reply, but I guess it never got sent. My comp is much better, but the Qoobox/purity file is still there. I also feel it is booting a little slow, maybe due to startup progs though. I was looking for this thread to ask if my cleaning was complete when I noticed my last post was not sent. Anyway, should I do another HJT log and post it? Sorry about the mix-up. Thank you and talk to you soon.
Zemog is offline  
Old 11-07-2006, 01:48 PM   #17 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


Quote:
but the Qoobox/purity file is still there
Can you be more specific about this?

You noted this early on....C:\Qoobox is a quarantine folder for ComboFix, but you were talking about this Qoobox/purity file before I had you run the tool.

What is alerting you to its presence, and what is the exact location? If you're talking about Combo's Quarantine folder, C:\Qoobox, it can be deleted now.

Yes, please do post a new HJT log.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-07-2006, 02:22 PM   #18 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


New Scan

Hi Tetonbob

The path looks like this c:\qoobox\purity\documents and settings\My Documents\Administrator\assembly~1\microsoft.net and \ystem3~1\msconfig_exe.vir . Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 1:13:43 PM, on 11/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Zemog is offline  
Old 11-07-2006, 05:42 PM   #19 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,694
OS: 2000 Pro; XP Pro; XP Home


Did you run ComboFix before I had you do it?

Quote:
What is alerting you to its presence?
Are you just that aware of things, or is one of your programs telling you about it?

In any event, you can delete C:\Qoobox

Please, now do this:

I see you have msconfig enabled. This may prevent us from seeing everything running on your system. Please re-enable all startup items.

Go to Start>Run type or copy/paste msconfig and then press Enter.

Select Normal Startup - Load all Device Drivers and Services

Do NOT reboot your system when prompted.

Post a new HJT log, and please try to answer all the questions. Thanks.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 11-08-2006, 08:55 AM   #20 (permalink)
Registered User
 
Join Date: Oct 2006
Posts: 26
OS: xp pro


Hello,

I had manually tried to remove this file before, but it kept reinventing itself. I just knew it didn't belong and have been looking for it. I'm not having any more popup problems, but the presence of this file is bothering me. No, I don't think I did do the ComboFix before you asked. I have disabled my system restore and deleted all but the most current restore points after your initial fixes. I will try to delete Qoobox right now. I hope I have answered all your questions. Thanks once again. Here is the log:


Logfile of HijackThis v1.99.1
Scan saved at 7:33:36 AM, on 11/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
Copyright 2001 - 2009, Tech Support Forum
