Old 05-05-2007, 03:32 PM   #1 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Weird secretive viruses and spyware

Before I start, I would like to express my appreciation for anyone who helps me with this issue; I greatly appreciate your help.

I have used this site before for my problems and it has greatly helped me.

My problem is that recently, weird things have been downloaded onto my desktop without my consent or anyone who uses this computer's consent.

Also, in the history of Mozilla Firefox, the browser I usually use, bad websites have been displayed, but I never visited any of them.

This has been slowly getting worse. I don't know what I did wrong and I really need help. I think it is a hard-to-find spyware or virus, but I'm not sure.
PLEASE HELP
silversquire848 is offline  
Old 05-07-2007, 02:27 PM   #2 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

First of all, weird things keep happening to my desktop. For instance, in my icon tray in the lower right hand corner a blank bubble appears and refuses to go away unless I click on it. Also, movie clips that I didn't download keep appearing on my desktop. Someone please help.


bump.
silversquire848 is offline  
Old 05-07-2007, 06:51 PM   #3 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

Please be patient with me during this time.

---------------------------------------------------------------------------------------------

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum
forhockey is offline  
Old 05-09-2007, 08:00 PM   #4 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

Thank you for helping me; I really appreciate it.

Here is main.txt, copied word for word:

---------------------------------------------------------------
Deckard's System Scanner v20070426.43
Run by smith on 2007-05-09 at 22:52:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2007-05-10 02:52:21 UTC - RP127 - Deckard's System Scanner Restore Point
58: 2007-05-08 22:38:28 UTC - RP126 - System Checkpoint
57: 2007-05-06 00:23:53 UTC - RP125 - System Checkpoint
56: 2007-05-03 20:04:18 UTC - RP124 - System Checkpoint
55: 2007-05-01 02:08:32 UTC - RP123 - System Checkpoint


-- First Restore Point --
1: 2007-02-08 19:19:23 UTC - RP69 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as smith.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:52:34 PM, on 5/9/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Documents and Settings\smith\My Documents\dss.exe
C:\HJT\HIJACK~1\smith.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/060...ie06071909.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...76/mcfscan.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neut...cab?10,0,910,0
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SQL Server (VPINSTANCE) (MSSQL$VPINSTANCE) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sVPINSTANCE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


-- HijackThis Fixed Entries (C:\HJT\HIJACK~1\backups\) -------------------------

backup-20061024-213528-637 O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
backup-20061024-213528-857 O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
backup-20061024-213528-940 O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - (no file)
backup-20061025-204909-180 O2 - BHO: (no name) - {d869742a-e5d2-4624-96c7-aae26170665e} - (no file)
backup-20061025-204909-794 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20061025-204909-959 O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>


-- Scheduled Tasks -------------------------------------------------------------

2007-03-09 19:30:00 354 --a------ C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DELL3100-Rashmin).job


-- Files created between 2007-04-09 and 2007-05-09 -----------------------------

2007-04-09 17:00:27 0 d-------- C:\Program Files\DellSupport


-- Find3M Report ---------------------------------------------------------------

2007-05-05 18:27:39 0 d-------- C:\Documents and Settings\smith\Application Data\AVG7
2007-04-28 15:51:59 3350 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-28 15:51:57 88 -r-hs---- C:\WINDOWS\system32\72F6291B7C.sys
2007-04-13 03:08:39 10752 --a------ C:\Documents and Settings\smith\Application Data\dvd.bmk
2007-04-09 17:08:28 0 d--h----- C:\Documents and Settings\smith\Application Data\Gtek


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5CA3D70E-1895-11CF-8E15-001234567890} C:\WINDOWS\System32\DLA\DLASHX_W.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar3.dll
{CA6319C0-31B7-401E-A518-A07C3DB8F777} C:\Program Files\BAE\BAE.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Norton Ghost 10.0"="\"C:\\Program Files\\Norton Ghost\\Agent\\GhostTray.exe\""
"MMTray"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~3\\mm_tray.exe"
"ISUSPM Startup"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
@=""
"DLA"="C:\\WINDOWS\\System32\\DLA\\DLACTRLW.EXE"
"MSKDetectorExe"="C:\\Program Files\\McAfee\\SpamKiller\\MSKDetct.exe /uninstall"
"Corel Photo Downloader"="C:\\Program Files\\Corel\\Corel Photo Album 6\\MediaDetect.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"=""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"DellSupport"="\"C:\\Program Files\\DellSupport\\DSAgnt.exe\" /startup"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VPROEVENTMONITOR


-- End of Deckard's System Scanner: finished at 2007-05-09 at 22:53:02 ---------
Attached file: extra.txt (11.9 KB)
silversquire848 is offline  
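A small triage helper for HijackThis-style log lines like the ones in the DSS report above, added here as an illustration; it is not part of the thread and not code from DSS or HijackThis. It parses the O-lines into records and attaches the review flags an analyst checks first (missing target files, services with no known publisher, autoruns in user-writable folders, deep logon/Explorer hooks). The sample log is constructed, modelled on the posted one; the `[updater] ... upd.exe` line is an invented example of what such a flag catches, and the flags are prompts for a human reviewer, not verdicts.

```python
"""Triage helper for HijackThis-style log lines (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the format of the log posted in this thread.
# The "[updater]" autorun line is invented to show the user-writable check.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\smith\Local Settings\Temp\upd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# Drive-letter path up to the first executable-looking extension; surrounding
# quotes and trailing arguments such as "/startup" are deliberately left out.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]+?\.(?:exe|dll|sys|ocx|cpl)\b", re.IGNORECASE)
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
# Folders an ordinary user can write to; a persistent autorun there deserves a
# second look even though legitimate software also uses them.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")
# Sections that hook logon/Explorer (Winlogon Notify, SSODL, SharedTaskScheduler);
# legitimate entries exist, but each one should be reviewed individually.
DEEP_HOOK_SECTIONS = {"O20", "O21", "O22"}


@dataclass
class Entry:
    section: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one 'O4 - HKLM\\..\\Run: [name] path' style line into an Entry, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # process list, section headers, blank lines, etc.
    section, body = m.group("section"), m.group("body")
    pm = PATH_RE.search(body)
    return Entry(section=section, body=body, path=pm.group(0) if pm else None)


def flag_entry(e: Entry) -> Entry:
    """Attach review flags; these are prompts for an analyst, not verdicts."""
    if MISSING_RE.search(e.body):
        e.flags.append("target-missing")  # orphaned entry, often removal residue
    if e.section == "O23" and "Unknown owner" in e.body:
        e.flags.append("unknown-publisher")  # HijackThis could not attribute a vendor
    if e.path and any(k in e.path.lower() for k in USER_WRITABLE):
        e.flags.append("user-writable-location")
    if e.section in DEEP_HOOK_SECTIONS:
        e.flags.append("deep-hook-section")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse every recognised line of a log and flag it."""
    entries = [parse_line(line) for line in log_text.splitlines()]
    return [flag_entry(e) for e in entries if e is not None]


def suspicious(entries: List[Entry]) -> List[Entry]:
    """Only the entries that picked up at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious(triage(SAMPLE_LOG)):
        print(f"{e.section:4} {', '.join(e.flags):40} {e.body}")
```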
Old 05-10-2007, 06:40 PM   #5 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

Another weird thing that I would like to mention is that a weird window keeps popping up.
It's titled: Sonic Update Manager.
It says: the feature you are trying to use is on a CD-ROM or other removable disk that is not available. Insert the 'Sonic Update Manager' disk and click OK


When I click cancel another message box pops up saying:
An installation package for the product Sonic Update Manager cannot be found. Try the installation again using a valid copy of the installation package 'UM.MSI'.

When I click OK again, it says: please wait while Windows configures Sonic Update Manager.

. . . and then it goes back to the first message box and it's a continuous loop.
The only way I can stop it is by using Task Manager to end the task.
I hope that the virus or whatever it is hasn't deleted my installation files for the Sonic program. Also in my icon tray, there appears to be a gap where there is no icon displayed. This keeps getting weirder and weirder everyday.
Please help before something irreparable happens.
silversquire848 is offline  
Old 05-10-2007, 06:42 PM   #6 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Do not run option #2 unless instructed to!!

---------------------------------------------------------------------------------------------

Update AVG Anti-Spyware

I see you have AVG Anti-Spyware already. Please update its definitions, and run a scan where I have placed it in this fix.

Run AVG Anti-Spyware
  • From the main screen, click on Update, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful"), select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports", select "Automatically generate report after every scan" and un-select "Only if threats were found".
  • Exit AVG Anti-Spyware. DO NOT scan yet.

---------------------------------------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

---------------------------------------------------------------------------------------------

Run AVG Anti-Spyware

Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

---------------------------------------------------------------------------------------------

Restart your computer in Normal Mode.

---------------------------------------------------------------------------------------------

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------------------------------------------------------------------------------------

Please include the following in your next reply:

SmitfraudFix Results
AVG Anti-Spyware log
Panda Results
forhockey is offline  
Old 05-10-2007, 08:52 PM   #7 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

Hi silversquire848,

In addition to my previous instructions, please locate and post this log. It may help us with your Sonic issue.

C:\Deckard\System Scanner\moved.txt
forhockey is offline  
Old 05-12-2007, 06:15 PM   #8 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

Before I post the logs in my next post, I would just like to tell you some other things and clarify some issues.

First of all, the SONIC issue has now started happening with my COREL PHOTOALBUM and the same message pops up. I think I should revert back to one of my System Restore points or sooner or later this will happen to all my programs. Should I do this, and why is this happening?

Second, in the panda scan, (included in next post) the first item is the smitfraud, however the second item's location was: C:\sUBs\TSF\nircmd.exe
Why is TSF in the name?

Third, when I ran the Panda scan the first time, there was a virus that was detected and disinfected; however, the computer was accidentally shut down, so the report was never produced. The second time I ran the Panda scan I was able to complete it thoroughly, so even though the virus won't appear in the log, it was there and it was disinfected.

Fourth, the gap in my icon tray is still there and won't go away. Sometimes a bubble appears over the tray with nothing in it.

I hope I clarified some issues. As for my questions, I would appreciate it if you could answer them in your next post. Thanks.
silversquire848 is offline  
Old 05-12-2007, 06:22 PM   #9 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

Hi here are all the logs.




--------------------------------------------------------------------------
Here are the SmitfraudFix results:

SmitFraudFix v2.181

Scan done at 17:09:13.42, Fri 05/11/07
Run from C:\Documents and Settings\smith\My Documents\Virus logs\May 2007\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\smith


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\smith\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\smith\FAVORI~1

C:\DOCUME~1\smith\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{94CF50FD-37A8-4DF2-AB18-5CB620390F87}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{94CF50FD-37A8-4DF2-AB18-5CB620390F87}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{94CF50FD-37A8-4DF2-AB18-5CB620390F87}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




--------------------------------------------------------------------------
here is AVG anti-spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:12:15 PM 5/11/07

+ Scan result:



:mozilla.13:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.18:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.20:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.21:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.24:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.17:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.12:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.6:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.7:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.8:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.9:C:\Documents and Settings\smith\Application Data\Mozilla\Firefox\Profiles\3l32d6kc.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.


::Report end



--------------------------------------------------------------------------
here are the pandascan results:


Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\smith\My Documents\Virus logs\May 2007\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\sUBs\TSF\nircmd.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe




Again, thanks for your help.
Old 05-12-2007, 06:24 PM   #10 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

I'm sorry I forgot to post the last one you mentioned. here it is:



Directories/Files moved to C:\Deckard\System Scanner\backup

2007-05-04 16:10:14 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\2nm44.tmp
2007-04-05 00:12:41 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\2qi164.tmp
2007-05-03 17:19:52 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\3xy4E.tmp
2007-04-05 00:08:56 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\60f13D.tmp
2007-05-04 15:42:32 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\6hk1F.tmp
2007-05-04 16:26:32 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\74649.tmp
2007-04-15 2222 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\7naDE.tmp
2007-05-03 17:04:23 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\9kr4B.tmp
2007-05-03 00:39:26 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\Adobe
2007-04-30 21:08:18 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\aolbartcache
2007-05-09 22:22:29 270 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\AUInst.log
2007-04-30 14:40:26 49238 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\b245_appcompat.txt
2007-05-03 17:05:54 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\cl84C.tmp
2007-05-04 04:31:16 12936 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\control.xml
2007-04-29 22:36:26 419 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\DelUS.bat
2007-04-25 17:55:48 43912 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\dxdiag.txt
2007-05-03 16:58:51 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\e6q49.tmp
2007-04-15 21:52:54 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\efdD5.tmp
2007-05-02 19:10:43 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\fla1E.tmp
2007-05-02 19:12:57 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\fla20.tmp
2007-05-04 16:28:44 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\gor4A.tmp
2007-04-09 17:00:18 159 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\GTDown.log
2007-05-03 16:43:05 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\gx246.tmp
2007-04-15 22:04:02 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\h6hDC.tmp
2007-04-28 15:19:58 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\hsperfdata_smith
2007-04-16 09:13:55 1994 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\IMT24.xml
2007-04-16 09:13:56 426 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\IMT25.xml
2007-04-16 09:13:56 707340 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\IMT26.xml
2007-04-09 16:59:51 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\InCD.tmp
2007-04-09 17:00:33 270 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\InstallChannel.log
2007-04-09 16:59:58 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\is17.tmp
2007-04-05 00:20:13 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\ius18C.tmp
2007-05-05 21:49:29 4190 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\java_install_reg.log
2007-04-15 21:52:47 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\jr7D1.tmp
2007-05-09 22:27:10 28400 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\jusched.log
2007-05-04 15:34:50 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\k3019.tmp
2007-04-15 21:55:57 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\lbcD6.tmp
2007-04-19 01:24:06 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\msohtml
2007-05-03 02:37:00 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\msohtml1
2007-04-20 21:17:46 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\owq60.tmp
2007-04-10 09:33:45 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_270.dat
2007-04-11 09:52:15 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_5a8.dat
2007-04-16 15:18:55 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_9b0.dat
2007-04-30 20:51:46 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_bf8.dat
2007-04-15 19:54:24 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_ca4.dat
2007-05-07 17:24:26 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_cac.dat
2007-05-08 17:18:53 16384 --a-----t C:\DOCUME~1\smith\LOCALS~1\Temp\Perflib_Perfdata_f4.dat
2007-04-09 16:59:55 159 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\qdiagd.log
2007-04-09 16:59:10 229 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\qdiagd_2.log
2007-04-15 22:01:24 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\r37D7.tmp
2007-04-15 22:07:55 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\s1tE0.tmp
2007-05-03 17:17:33 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\s764D.tmp
2007-05-04 16:24:50 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\sze48.tmp
2007-04-15 21:50:14 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\tk1CD.tmp
2007-04-30 21:18:26 178 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\toasterWrite1.html
2007-04-05 00:17:13 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\u0w17D.tmp
2007-05-03 17:03:04 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\u2m4A.tmp
2007-04-15 2248 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\u8zDF.tmp
2007-04-06 20:33:43 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\VBE
2007-04-06 20:33:43 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\Word8.0
2007-05-04 15:45:21 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\ym420.tmp
2007-05-03 16:48:52 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\yni48.tmp
2007-04-20 21:24:55 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\z6d67.tmp
2007-05-03 16:46:58 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\z8e47.tmp
2007-04-04 23:53:50 0 --a------ C:\DOCUME~1\smith\LOCALS~1\Temp\zouD0.tmp
2007-04-22 00:30:24 0 d-------- C:\DOCUME~1\smith\LOCALS~1\Temp\{30465B6C-B53F-49A1-9EBA-A3F187AD502E}_445
2007-04-10 09:33:47 16384 --a-----t C:\WINDOWS\temp\Perflib_Perfdata_690.dat
2007-05-07 17:22:42 16384 --a-----t C:\WINDOWS\temp\Perflib_Perfdata_7d0.dat
2007-04-11 09:51:45 16384 --a-----t C:\WINDOWS\temp\Perflib_Perfdata_7e8.dat
2007-05-08 17:19:03 16384 --a-----t C:\WINDOWS\temp\Perflib_Perfdata_8b4.dat
2007-04-28 12:03:34 16384 --a-----t C:\WINDOWS\temp\Perflib_Perfdata_8b8.dat
2007-05-09 22:22:24 26112 --a------ C:\WINDOWS\temp\symlcsv1.exe <Not Verified; Symantec Corporation; Symantec Core Component>
2007-04-05 04:21:03 0 --a------ C:\WINDOWS\temp\T30DebugLogFile.txt
2007-05-09 22:22:15 255 --a------ C:\WINDOWS\temp\WGAErrLog.txt
2007-05-09 22:22:37 409 --a------ C:\WINDOWS\temp\WGANotify.settings
2002-07-25 18:13:12 196608 --a------ C:\WINDOWS\Downloaded Program Files\dwusplay.exe <Not Verified; InstallShield Software Corporation; InstallShield Update Service>
2006-08-24 08:28:54 141424 --a------ C:\WINDOWS\Downloaded Program Files\asinst.dll <Verified; Panda Software; ActiveScan>
2004-12-07 16:07:08 32 --a------ C:\WINDOWS\Downloaded Program Files\bdcore.dll
2005-03-01 14:08:48 118784 --a------ C:\WINDOWS\Downloaded Program Files\bdupd.dll
2005-09-08 19:20:54 778240 --a------ C:\WINDOWS\Downloaded Program Files\DiagCollectionControl.dll <Not Verified; Musicmatch, Inc.; Diagnostic Collection ActiveX control>
2004-10-26 16:23:18 191488 --a------ C:\WINDOWS\Downloaded Program Files\DigWebX2.dll <Not Verified; Microsoft Corporation; MSN Photos BatchEd Module>
2002-07-25 18:13:18 24576 --a------ C:\WINDOWS\Downloaded Program Files\dwusplay.dll <Not Verified; InstallShield Software Corporation; InstallShield Update Service>
2005-03-01 14:08:52 53248 --a------ C:\WINDOWS\Downloaded Program Files\ipsupd.dll
2005-06-10 10:44:02 417792 --a------ C:\WINDOWS\Downloaded Program Files\isusweb.dll <Not Verified; InstallShield Software Corporation; InstallShield Update Service>
2004-12-07 16:07:08 32 --a------ C:\WINDOWS\Downloaded Program Files\libfn.dll
2006-06-01 02:54:16 471040 --a------ C:\WINDOWS\Downloaded Program Files\oscan8.ocx <Not Verified; SOFTWIN; bdscanonline>
2006-05-31 04:15:16 10 --a------ C:\WINDOWS\Downloaded Program Files\oscan81.ocx_x

-*- End of Logfile -*-
Old 05-13-2007, 08:08 AM   #11 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

Quote:
First of all, the SONIC issue now started happening with my COREL PHOTOALBUM and the same message pops up. I think I should revert back to one of my System Restore points or sooner or later this will happen to all my programs. Should I do this and why is this happening?
Please do not revert back to an old System Restore point, as all the work we've done will be wasted. I've got a few options I want to try out and see if they will resolve your SONIC issue. There could be many possibilities behind your problems with Sonic... One may be that some essential files got moved or deleted. Also, a part of the program may have become corrupt.

Quote:
Second, in the panda scan, (included in next post) the first item is the smitfraud, however the second item's location was: C:\sUBs\TSF\nircmd.exe
Why is TSF in the name?
The ComboFix program created the folder TSF when it was run. It's a false positive by Panda, and there is nothing to worry about :)

Quote:
Third, when I ran pandascan the first time, there was a virus that was detected and disinfected; however, the computer was accidentally shut down, so the report was never produced. The second time I ran pandascan I was able to complete it thoroughly, so even though the virus won't appear in the log, it was there and it was disinfected.
Panda provides a free online scan to users. There are some things the scan will remove, and most of the time it will leave behind the infected files because they want you to purchase their product ;) In your case the file was disinfected from your system, and the Panda log you provided appears to be listing false positives.

Quote:
Fourth, the gap in my icon tray is still there and won't go away. Sometimes a bubble appears over the tray with nothing in it.
I'm going to ask for a screenshot, so that I can see exactly what is going wrong. I'll provide instructions later on in my post on how to do this.

Let's get started!!!




Please save these instructions to Notepad as the internet will not be available to you at certain points of the removal process.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below.
Make sure to work through all the Steps in the exact order in which they are listed below.
If there's anything that you don't understand, ask your question(s) before moving on with the fixes.


---------------------------------------------------------------------------------------------

Please capture a screenshot and attach it in your next reply.

In Windows a screenshot of the entire monitor, complete with taskbar, can be copied to the system clipboard by pressing the Print Screen key (normally located in the top row on the right-hand side of the keyboard).

You can then paste the clipboard into a program like MS Paint to save it as an image file or paste it directly into a document.

1. Press the Print screen key
2. Click the "Start" button (normally located in the bottom left of your screen).
3. Click "Run" & type "mspaint" (without quotes) & click the "OK" button.
4. Wait while the application "Paint" opens. Once it is open, proceed to the next step.
5. Click the "Edit" menu and select "Paste".
6. Click the "File" menu and select "Save As...". A dialog box will appear.
7. In the "File name" field, enter a name of your choice.
8. Click the "Save as type" drop-down and select "JPEG (*.JPG;*.JPEG;*.JPE*;.JFIF)".
9. Click the "Save" button.


Please attach the screenshots to your post. To attach a file to a new post, simply:
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page.
  2. Click Browse, and navigate to the place where you saved the picture.
  3. Click Upload.

---------------------------------------------------------------------------------------------

I have attached a file to this post - Silver.zip. Download this file to your desktop.

---------------------------------------------------------------------------------------------

Double click on the Silver.zip folder, then double click on Silver.bat. A black box will open for a few seconds. Once it disappears you may continue on to the next set of instructions.

---------------------------------------------------------------------------------------------

Enter Safe Mode
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8
  3. Instead of Windows loading as normal, a menu should appear
  4. Use the up arrow key to highlight Safe Mode and press Enter.
  5. Login with your usual account
  6. Once you have logged in, a warning message will appear regarding starting windows in Safe mode, click OK and windows will load your desktop environment

Note: On some systems this may be the F5 key, so try that if F8 doesn't work.

---------------------------------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : " Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot into Normal Windows.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

---------------------------------------------------------------------------------------------

Restart your computer in Normal Mode

---------------------------------------------------------------------------------------------

Double-click on SmitfraudFix.exe to start the tool.
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

---------------------------------------------------------------------------------------------





Please download this tool > System Repair Engineer
  1. Extract it to its own folder & double click SREng.exe to run it

  2. Select 'Smart Scan' & tick "Verify Digital Signatures"

  3. Click on the [Scan] button

  4. When finished, click on the [Save Reports] button & save the log to Desktop

  5. Attach the log in your next reply. Don't post it

Note: You may have to rename SREngLog.log to SREngLog.txt before attaching


Please attach the SRengLog to your post. To attach a file to a new post, simply:
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page.
  2. Click Browse, and navigate to the Desktop where you saved it.
  3. Click Upload.

---------------------------------------------------------------------------------------------

How is SONIC behaving now?

---------------------------------------------------------------------------------------------

Please include the following in your next reply:

Screenshot -- Attach
C:\rapport.txt
SRengLog -- Attach
Update on SONIC?
Attached Files
File Type: zip Silver.zip (206 Bytes, 4 views)
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 05-13-2007 at 08:10 AM.
Old 05-13-2007, 12:21 PM   #12 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

One thing that I forgot to mention in my first post was that on the top of my Mozilla Firefox browser the two tabs that usually read "Getting Started" and "Latest Headlines" are no longer there. Since it was a minor issue I forgot to put it in, but I just thought you'd like to know.

Anyway, the Sonic problem that occurred when I started my computer no longer happens; however, the actual SONIC CINEPLAYER program that I had doesn't work at all when I put in a DVD, so I don't really see any benefit gained.

As for the gap in my icon tray; it disappeared! It's no longer there, thanks to you. However, I will still include a screenshot (taken before i did any steps) attached to this post.

Also, while running smitfraud, option number 2, the words "Replace infected file?" never came up as you told me they would in your post; however, the rapport log was still produced in the end. Just to make sure, however, I ran the smitfraud thing (option number 2) again and still those words didn't come up. That's about it. Here's all the stuff:


here's the rapport.txt file:


SmitFraudFix v2.181

Scan done at 12:53:30.89, Sun 05/13/07
Run from C:\Documents and Settings\smith\My Documents\Virus logs\May 2007\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{94CF50FD-37A8-4DF2-AB18-5CB620390F87}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{94CF50FD-37A8-4DF2-AB18-5CB620390F87}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{94CF50FD-37A8-4DF2-AB18-5CB620390F87}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End








The rest is attached

Thank you once again!
Attached Images
File Type: jpg Screenshot 1.JPG (125.7 KB, 4 views)
Attached Files
File Type: txt SREngLOG.txt (40.6 KB, 3 views)
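The rapport.txt above (and the longer SmitfraudFix search log earlier in this thread) follows a fixed layout: a »»»» header per check, with the registry values, hosts lines and resolver addresses printed underneath, and a FOUND ! suffix on anything the tool matched. As an added example that is not part of this thread or of SmitfraudFix itself, the Python script below splits a report on those headers and flags the indicators a responder reads first: lines the tool marked FOUND !, a non-empty AppInit_DLLs or Winlogon "System" value, hosts entries other than the localhost mapping, and DNS resolvers outside private address space. The embedded sample report is constructed for the example; its hook DLL path, the update.example.com hosts entry, the zeroed interface GUID and the 8.8.8.8 resolver are placeholders, while the section names and line formats are taken from the logs on this page. On the logs posted in this thread all four checks come back empty or default, which is why the logs read as clean.

```python
"""Triage a SmitfraudFix-style rapport.txt (added example, not tool code)."""
import ipaddress
import re

# A section header looks like: »»»»»»»»»»»»»»»»»»»»»»»» hosts
SECTION_RE = re.compile(r"^»+\s*(.+?)\s*$")
# Registry value lines printed by the tool, e.g. "AppInit_DLLs"=""
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')
# Resolver lines, e.g. ...\Parameters: DhcpNameServer=192.168.1.1
DNS_RE = re.compile(r"(?:NameServer=|DNS Server Search Order:)\s*(?P<servers>[\d. ,]+)")
# hosts file lines: an address followed by one or more names
HOSTS_RE = re.compile(r"^\s*(?P<ip>[\d.]+|[0-9a-fA-F:]+)\s+(?P<names>\S.*)$")
BENIGN_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample in the tool's format; the hook DLL, the hosts entry, the
# interface GUID and the second resolver are placeholders, not real values.
SAMPLE_RAPPORT = r"""SmitFraudFix v2.181

Scan done at 12:00:00.00, Sun 05/13/07
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 update.example.com

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1

C:\DOCUME~1\user\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\example_hook.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=8.8.8.8

»»»»»»»»»»»»»»»»»»»»»»»» End
"""


def split_sections(text):
    """Map each »»»» section name to the lines beneath it, in report order."""
    sections = {"preamble": []}
    current = "preamble"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, section, detail) tuples for the indicators worth a look."""
    findings = []
    for name, lines in split_sections(text).items():
        key = name.lower()
        for line in lines:
            stripped = line.strip()
            if stripped.endswith("FOUND !"):
                # The tool itself matched a known rogue-software artefact.
                findings.append(("high", name, "tool flagged: " + stripped))
            elif key == "hosts":
                # Anything beyond the localhost mapping redirects name lookups;
                # ad-blocking hosts lists land here too, so this is review, not verdict.
                m = HOSTS_RE.match(line)
                if m and not stripped.startswith("#"):
                    for host in m.group("names").split():
                        if (m.group("ip"), host) not in BENIGN_HOSTS:
                            findings.append(("medium", name,
                                             f"non-default hosts entry: {m.group('ip')} {host}"))
            elif key in ("appinit_dlls", "winlogon.system"):
                # Both values are empty on a default XP install; a DLL named in
                # AppInit_DLLs is loaded into every process that links user32.dll.
                m = REG_VALUE_RE.match(stripped)
                if m and m.group("value"):
                    findings.append(("high", name, f"{m.group('name')} is set to: {m.group('value')}"))
            elif key == "dns":
                # Home DHCP normally hands out the router's private address; a public
                # resolver the owner never configured is the classic DNS-changer sign.
                m = DNS_RE.search(line)
                if not m:
                    continue
                for server in re.split(r"[ ,]+", m.group("servers").strip()):
                    if not server:
                        continue
                    try:
                        if not ipaddress.ip_address(server).is_private:
                            findings.append(("medium", name, f"resolver outside private ranges: {server}"))
                    except ValueError:
                        findings.append(("low", name, f"unparseable resolver: {server!r}"))
    return findings


if __name__ == "__main__":
    for severity, section, detail in triage(SAMPLE_RAPPORT):
        print(f"[{severity:6}] {section}: {detail}")
```

Run it as-is to see the four findings from the sample, or call triage() on the text of a real rapport.txt. The hosts and DNS findings are deliberately rated "medium" because both have benign explanations (the MVPS hosts file recommended later in this thread fills exactly that section, and a user may legitimately point the machine at a public resolver); the registry and FOUND ! findings are the ones that warrant immediate attention.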
Old 05-15-2007, 08:46 PM   #13 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

Quote:
One thing that I forgot to mention in my first post was that on the top of my Mozilla Firefox browser the two tabs that usually read "Getting Started" and "Latest Headlines" are no longer there. Since it was a minor issue I forgot to put it in, but I just thought you'd like to know.
Open up Firefox.

Go to the menu bar at the top and click View>Toolbars> and make sure Bookmarks Toolbar is checked.

---------------------------------------------------------------------------------------------

Quote:
Anyway, the Sonic problem that occurred when I started my computer no longer happens; however, the actual SONIC CINEPLAYER program that I had doesn't work at all when I put in a DVD, so I don't really see any benefit gained.
When did you notice Sonic Cineplayer stopped playing DVDs? Did you notice it after the online scan at Panda?

---------------------------------------------------------------------------------------------

Quote:
Also, while running smitfraud, option number 2, the words "Replace infected file?" never came up as you told me they would in your post; however, the rapport log was still produced in the end. Just to make sure, however, I ran the smitfraud thing (option number 2) again and still those words didn't come up. That's about it. Here's all the stuff:
Sorry the instructions weren't clearer. The tool was checking if wininet.dll is infected--it was not, so you were not prompted to replace it which is great news!!!

---------------------------------------------------------------------------------------------

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

LiveUpdate 2.6 (Symantec Corporation)
Old 05-15-2007, 10:00 PM   #14 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

Hi

First, for the Firefox toolbar issue, the Bookmarks Toolbar had always been checked and I had never unchecked it; however, the two tabs just disappeared. It's not that big of an issue for me, however, it still subconsciously makes me think that there still might be something on my computer. I included a screenshot, but it's okay if you can't figure out what's wrong.

Second, I noticed the Sonic Cineplayer wasn't playing DVDs at some point before I even told you about the issue of the popup messages when I started my computer, but I'm not sure whether I noticed it wasn't playing DVDs before I conducted the Panda scan. However, I'm positive that it still doesn't play DVDs, as I just checked before posting this reply. Sorry I couldn't be of more help, but I can't seem to remember.
Another note about SONIC: it detects the DVD in the optical drive, and even ejects if I click "Eject", but it refuses to run the DVD in the program.

Third, when I went to uninstall Live Update 2.6, the computer displayed a message saying that I still had Symantec components or programs installed and that I should only uninstall this Live Update if all of these other Symantec programs like GHOST have been uninstalled first. So should I still remove the program regardless? Also, I'm a little confused about the Ghost program. It came with my computer but I no longer have a subscription for it; however, doesn't it work in the same way that System Restore works on my computer, so what's the point?


I realize that you must be busy with your own life, however, I greatly appreciate you making time to help me. Thanks again!
Attached Images
File Type: jpg Firefox.JPG (64.3 KB, 6 views)

Last edited by silversquire848; 05-15-2007 at 10:05 PM.
Old 05-16-2007, 05:36 PM   #15 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

My Firefox browser keeps getting weirder every day. Now my Firefox Start page looks different. I went to other sites to see if they had changed it, but evidently not. On the Google-based FIREFOX START PAGE, you're supposed to have the "Images", "Groups", "News", and "Maps" hyperlinks over the top of the search bar, which always used to appear. Now, however, they don't appear at all. I have taken yet another screenshot to show you my FIREFOX START PAGE. It is attached. You can even compare it to my previous screenshot in the last post to see the difference. I hope you can tell me what's wrong.

Thanks in advance.
Attached Images
File Type: jpg Firefox Start Page.JPG (62.0 KB, 3 views)

Last edited by silversquire848; 05-16-2007 at 05:38 PM.
Old 05-16-2007, 08:06 PM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

Your remaining issues do not appear to be malware related.

You would be better served discussing your Firefox issues in the Mozilla/Firefox section of this forum.

For Sonic Cineplayer, I would try re-installing the program to see if that fixes any of your problem. If you're still unsuccessful with playing DVDs, then try asking in the Windows XP section of this forum, or contact Sonic Support for assistance.

We are going to leave Live Update 2.6 on your computer, so please disregard my earlier instructions to remove it from your computer.

Again, you should try the Windows XP section for your question about System Restore vs Norton Ghost. Here are some articles I found which might answer some questions:

Norton Ghost: http://www.symantec.com/home_homeoff...r&pvid=ghost10
System Restore: http://www.microsoft.com/technet/pro.../faqsrwxp.mspx

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

Please remember to close all other windows, including browsers then click Fix checked.

---------------------------------------------------------------------------------------------

Well done, your logs are clean! There are just a few more things I would like you to do.

Reset System Restore

To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Clear Firefox Cookies
  • Click Tools -> Options
  • Click Privacy Tab
  • Click the "Show Cookies" button
  • Click the "Remove All Cookies" button, which is at the bottom of the window.
  • Click Close

Clear IE7 cookies
  • On the Internet Explorer 6 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
  • Double-click Internet Options to open Internet Properties.
  • Click Delete Files button.
  • Click Delete button across from Temporary Internet Files.
  • Click Yes.
  • Click Close.
  • Click Ok.

Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.
  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Extract to your desktop and double-click install.bat. Install options #2 and #4. IE-Spyad places more than 4,000 dubious domains in the IE Restricted list, which impairs attempts to infect your system. It prevents any downloads from the sites although you will still be able to connect to them. You can read more about it on its homepage.
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls


Informational Reading

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles:

Please respond to this thread one more time so we can mark this thread as resolved.
__________________


Proud Member of ASAP
Proud Member of UNITE

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.

Donation link for Tech Support Forum

Last edited by forhockey; 05-16-2007 at 08:11 PM.
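As an added example (not from the thread, and not part of HijackThis), here is a PowerShell script that lists the same HKLM/HKCU Run entries HijackThis reports as O4 lines and flags the ones worth a second look: entries whose executable no longer exists (an orphaned entry, like the ccApp one above after a Norton uninstall) or whose binary carries no valid Authenticode signature. The function names Get-RunKeyEntries and Get-ExeFromCommand are this script's own and are not taken from any tool.

```powershell
# Added example, not from the thread or from HijackThis: audit the autostart
# values that HijackThis shows as O4 lines. Names here are this script's own.
function Get-ExeFromCommand([string]$Command) {
    # Quoted path, e.g. "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /arg
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path that may contain spaces: keep everything up to the first .exe
    if ($Command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    # Anything else: first whitespace-delimited token (bare names that rely on
    # PATH, such as rundll32.exe, will be reported as missing; resolve by hand)
    return ($Command -split '\s+')[0]
}

function Get-RunKeyEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            # GetValue expands REG_EXPAND_SZ; expand %VAR% in plain REG_SZ values too
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$regKey.GetValue($name))
            $exe = Get-ExeFromCommand $cmd
            $exists = (-not [string]::IsNullOrWhiteSpace($exe)) -and
                      (Test-Path -LiteralPath $exe -PathType Leaf)
            # Missing file = orphaned entry; anything but a valid signature = review it
            $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status }
                         else { 'FileMissing' }
            [PSCustomObject]@{
                Hive      = $key.Split(':')[0]      # HKLM or HKCU, as in the O4 line
                Name      = $name                   # e.g. ccApp
                Exe       = $exe
                Signature = $sigStatus
                Review    = (-not $exists) -or ($sigStatus -ne 'Valid')
            }
        }
    }
}

# Entries with Review = True are the ones to compare against what you installed
Get-RunKeyEntries | Sort-Object Review -Descending | Format-Table -AutoSize
```

A Review flag is a prompt to check the entry against software you know you installed, not proof of infection; unsigned but legitimate older programs will show up too.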
Old 05-18-2007, 06:23 PM   #17 (permalink)
Registered User
 
Join Date: May 2007
Posts: 13
OS: XP


Re: Weird secretive viruses and spyware

Thank you for helping me, forhockey. I really appreciate it. Yes, you can go ahead and mark this thread as resolved.
Old 05-18-2007, 08:04 PM   #18 (permalink)
Analyst, Security Team
 
forhockey's Avatar
 
Join Date: Sep 2006
Location: Ontario, Canada
Posts: 2,640
OS: Windows XP Pro, Vista, Windows 7


Re: Weird secretive viruses and spyware

You're welcome. Hopefully other people will know more about your remaining issues than me.