A mess with ads and popups

[Alexlonebear]

I have been having a problem for at least a week.
Popups, especially suspicious security programs.
I've run Ad Aware, Registry Smart and PC tools
I ran SpyNoMore and it said I got rid of everything but Vundo
Supposedly got rid of it with VundoFix (I think that's the name.)
I'm still getting ads but at least none from security programs.
I've downloaded the newest version of HiJack this.
The following is the Log file
HELP!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:17 PM, on 12/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4574ECBE-7799-48C7-A514-C499EAB88AD8} - C:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: (no name) - {4F42E612-4210-4896-BEEF-D2E484659561} - (no file)
O2 - BHO: (no name) - {50A3D411-02D2-4AA8-9EF8-953C513AF631} - (no file)
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Opera\rteme.html

--
End of file - 3453 bytes

[TheBruce1]

Hello and welcome to TSF


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

===============================================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
5. Please attach extra.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\Deckard\System Scanner\extra.txt
   

3. Click Upload.

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

======================================================
Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt<----Attached

[Alexlonebear]

OK, here it goes.

Deckard's System Scanner v20071014.68
Run by Hank on 2007-12-03 17:47:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
89: 2007-12-03 22:47:59 UTC - RP1413 - Deckard's System Scanner Restore Point
88: 2007-12-03 15:02:21 UTC - RP1412 - System Checkpoint
87: 2007-12-02 14:57:32 UTC - RP1411 - Last known good configuration
86: 2007-12-02 04:26:14 UTC - RP1410 - Last known good configuration
85: 2007-12-02 04:15:06 UTC - RP1409 - Last known good configuration


-- First Restore Point --
1: 2007-09-20 15:15:44 UTC - RP1325 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Hank.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:36 PM, on 12/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\explorer.exe
C:\Palm\HOTSYNC.EXE
C:\Documents and Settings\Hank\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hank.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4574ECBE-7799-48C7-A514-C499EAB88AD8} - C:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: (no name) - {4F42E612-4210-4896-BEEF-D2E484659561} - (no file)
O2 - BHO: (no name) - {50A3D411-02D2-4AA8-9EF8-953C513AF631} - (no file)
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Opera\rteme.html

--
End of file - 3472 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
R0 TPkd - c:\windows\system32\drivers\tpkd.sys <Not Verified; PACE Anti-Piracy, Inc.; InterLok(R)>
R1 core - c:\windows\system32\drivers\core.sys
R1 PQNTDrv - c:\windows\system32\drivers\pqntdrv.sys <Not Verified; PowerQuest Corporation; PowerQuest product>
R1 UBHelper - c:\windows\system32\drivers\ubhelper.sys
R2 AVFilter - c:\windows\system32\drivers\avfilter.sys <Not Verified; PC Tools Research Pty Ltd; AVFilter Device Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; Pinnacle Systems GmbH; asapi>
R3 AVHook - c:\windows\system32\drivers\avhook.sys <Not Verified; PC Tools Research Pty Ltd.; PC Tools AntiVirus>
R3 AVRec - c:\windows\system32\drivers\avrec.sys <Not Verified; PC Tools Research Pty Ltd; PC Tools AntiVirus>
R3 NTIDrvr (Upper Class Filter Driver) - c:\windows\system32\drivers\ntidrvr.sys <Not Verified; NewTech Infosystems, Inc.; >
R3 pfc (PADUS ASPI SHELL) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>
R3 SQTECH930B (Motion Track Webcam) - c:\windows\system32\drivers\capt930b.sys

S1 AEC671X - c:\windows\system32\drivers\aec671x.sys <Not Verified; Acard Technology Corp.; Acard® AEC-671X PCI Ultra/W SCSC-3 Controller>
S1 DMX3191 - c:\windows\system32\drivers\dmx3191.sys <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
S2 UDNT - c:\windows\system32\drivers\udnt.sys
S3 Eplpdx02 - c:\windows\system32\drivers\eplpdx02.sys <Not Verified; MK Systems CO., LTD.; MK Systems LPT I/O Driver for Windows2000>
S3 nuvaud2 (Pinnacle LINX 2 Audio) - c:\windows\system32\drivers\nuvaud2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 NUVision (Pinnacle LINX) - c:\windows\system32\drivers\nuvision.sys <Not Verified; Nogatech Ltd.; USBVision>
S3 nuvvid2 (Pinnacle LINX 2 Video) - c:\windows\system32\drivers\nuvvid2.sys <Not Verified; Zoran Ltd.; USBVision>
S3 SQTECH9080 (MegaCam(PID_9080_00)) - c:\windows\system32\drivers\capt9080.sys <Not Verified; Service & Quality Technology.; SQ908>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 EPSONStatusAgent2 (EPSON Printer Status Agent2) - c:\program files\common files\epson\ebapi\sagent2.exe <Not Verified; SEIKO EPSON CORPORATION; EPSON Bidirectional Printer>

S? Sfloscont -
S4 Iomega Activity Disk2 - ""
S4 Iomega App Services - "c:\progra~1\iomega\system32\appservices.exe" <Not Verified; Iomega Corporation; Iomega App Services>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX
Device ID: ROOT\MEDIA\0000
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX
PNP Device ID: ROOT\MEDIA\0000
Service: NUVision

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX 2 Video
Device ID: ROOT\MEDIA\0001
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX 2 Video
PNP Device ID: ROOT\MEDIA\0001
Service: nuvvid2

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}
Description: Pinnacle LINX 2 Audio
Device ID: ROOT\MEDIA\0002
Manufacturer: Pinnacle Systems
Name: Pinnacle LINX 2 Audio
PNP Device ID: ROOT\MEDIA\0002
Service: nuvaud2


-- Scheduled Tasks -------------------------------------------------------------

2007-12-03 03:00:01 494 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job


-- Files created between 2007-11-03 and 2007-12-03 -----------------------------

2007-12-02 14:00:02 0 d-------- C:\Program Files\Trend Micro
2007-12-02 12:56:17 0 d-------- C:\VundoFix Backups
2007-12-02 00:22:01 1152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21:22 0 d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20:42 0 d-------- C:\Program Files\Common Files\Download Manager
2007-12-01 21:49:33 0 d-------- C:\Documents and Settings\Hank\Application Data\AdwareAlert
2007-12-01 21:49:28 0 d-------- C:\Program Files\AdwareAlert
2007-12-01 13:57:45 78400 --a------ C:\WINDOWS\system32\hpnftbua.dll
2007-12-01 13:55:37 85056 --a------ C:\WINDOWS\system32\hblcddcb.dll
2007-12-01 13:55:32 71232 --a------ C:\WINDOWS\system32\uujofwtx.exe <Not Verified; ; DDC>
2007-11-20 12:05:33 84544 --a------ C:\WINDOWS\system32\wrycgywn.dll
2007-11-19 17:31:47 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-11-19 17:30:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2007-11-19 17:28:57 0 d-------- C:\Program Files\E404 Helper
2007-11-19 17:23:55 0 d-------- C:\WINDOWS\system32\fibagbia
2007-11-19 17:23:53 114688 --a------ C:\Documents and Settings\All Users\Application Data\xcrkrubg.dll
2007-11-19 17:23:50 0 d-------- C:\Program Files\Tfbbwtah
2007-11-19 17:23:27 37376 --a------ C:\WINDOWS\system32\opnmkjj.dll
2007-11-19 17:23:26 1147424 --a------ C:\Install
2007-11-19 17:23:22 0 d-------- C:\Program Files\rcxcdsxg
2007-11-19 17:22:54 0 d-------- C:\Documents and Settings\Hank\Application Data\SpyGuardPro
2007-11-19 1750 2 --a------ C:\WINDOWS\system32\wapiiit.exe
2007-11-19 1731 41723 ---hs---- C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
2007-11-19 1729 0 d-------- C:\Program Files\?ppPatch
2007-11-19 17:05:38 0 d-------- C:\Documents and Settings\LocalService\Application Data\NetMon
2007-11-19 17:05:35 0 d--hs---- C:\WINDOWS\SGFuaw
2007-11-19 17:05:31 80640 -----n--- C:\WINDOWS\system32\drivers\core.sys
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\n8
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\i2
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\g2
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\e1
2007-11-19 17:05:29 0 d-------- C:\WINDOWS\system32\a1
2007-11-19 17:05:25 0 d-------- C:\WINDOWS\system32\rMa02yy


-- Find3M Report ---------------------------------------------------------------

2007-12-02 16:58:35 0 d-------- C:\Documents and Settings\Hank\Application Data\Adobe
2007-12-02 00:53:12 0 d-------- C:\Program Files\Common Files
2007-12-01 15:34:08 0 d-------- C:\Program Files\Opera
2007-12-01 13:53:59 0 d-------- C:\Program Files\PC Tools AntiVirus
2007-11-19 1730 0 d-------- C:\Program Files\?ppPatch
2007-10-14 22:10:29 139432 --a------ C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2007-09-21 14:21:14 146432 ---hs---- C:\Program Files\Common Files\Yazzle1549OinAdmin.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4574ECBE-7799-48C7-A514-C499EAB88AD8}]
C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F42E612-4210-4896-BEEF-D2E484659561}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A3D411-02D2-4AA8-9EF8-953C513AF631}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [12/17/2003 08:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [05/20/2005 01:46 PM C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [12/02/2007 12:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [5/29/2006 12:41:29 PM]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [6/9/2004 2:27:34 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=1 (0x1)
"ForceActiveDesktopOn"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\Opera\rteme.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [08/17/2006 02:57 PM 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]
wineak32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^Virtual Bouncer.lnk]
backup=C:\WINDOWS\pss\Virtual Bouncer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open Site]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
AutoRun\command- G:\system\viewer\FlipVideoforPC.exe
Flip Video for PC\command- G:\system\viewer\FlipVideoforPC.exe




-- End of Deckard's System Scanner: finished at 2007-12-03 18:00:25 ------------

[TheBruce1]

Hello again

Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.Its important that you follow this through until i give you the all clear,a lack of symptoms does not mean the infection is gone.

======================================================

From your log it would appear that you are running two antivirus products,namely Symantec/Norton and PC Tools AntiVirus.I do not see Symantec/Norton entries in your add/remove and i would guess you uninstalled it previously.

To remove those Symantec/Norton files that are still present,please download and run the Norton Removal Tool

=====================================================

P2P

P2P - I see you have P2P software BitTorrent 4.0.4,LimeWire installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

====================================================

Download ComboFix from Here or here

**Save it to your desktop**Do not run just yet,we will shortly

====================================================

Disconnect from the internet

====================================================




Go to → Run → paste in the single line command & click OK

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

=====================================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=======================================================
Logs Required
C:\Combofix.txt
Hijackthis log

[Alexlonebear]

Thanks for the help.
I went to the site to find the Norton removal tool.
It asks what version of Norton I have.
I really have no idea and since only a couple of lone
files remain It's hard to tell.
I did find two files, there are four altogether that I could find,
that by looking at Properties, they indicate they are from
version 11.6.8.1 but I'm not sure
how that relates to it being Norton 2000, 2004 etc.
The only software I can find in my collection is Norton2000.
It would seem that I used something later as I have had
this computer for about 3 or 4 years.
It might of even come with the computer.
As for BitTorrent, etc, I downloaded them but as you can see
I am "computer challenged". I knew what they did
but I never figured out how to use them.
As far as I am concerned I don't mind getting rid of all of
the P2P software
(I had to look up the term, as I've heard it, but never knew
what it referred too. Learn something every day)
Anyway, let me know if you can tell what Norton stuff
I have on here or do you a way I can tell.
Or is Norton just trying to be difficult.
They sure made it hard to find the download.

Thanks again
Hank

[TheBruce1]

Hi Hank
We`ll remove those Norton entries later on,as for know just continue with the rest of the instructions,thanks.

[Alexlonebear]

Hi Bruce,
All done.
I will put the log in the body of this post.
I have also Combofix to Word.
It said the file would be in a file called
C:\combofix.txt but no such file exists.
I hope the way I did it is OK.
One other thing.
I have Internet explorer on my computer
but I mainly have used Mozilla.
It seems to be gone and more importantly
all my Bookmarks for it.
Now it may be somewhere
I came directly here so I didn't look.
Just wanted to mention this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:18 AM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyNoMore\SNM.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4574ECBE-7799-48C7-A514-C499EAB88AD8} - C:\WINDOWS\system32\sstqp.dll (file missing)
O2 - BHO: (no name) - {4F42E612-4210-4896-BEEF-D2E484659561} - (no file)
O2 - BHO: (no name) - {50A3D411-02D2-4AA8-9EF8-953C513AF631} - (no file)
O2 - BHO: Browser protection - {FB9FFB4B-9680-4256-8178-5ECDB2C19B23} - C:\PROGRA~1\SPYNOM~1\SNMIEG~1.DLL
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 3395 bytes

-------------------------------------------------------

ComboFix 07-12-02.7 - Hank 2007-12-04 9:40:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.648 [GMT -5:00]
Running from: C:\Documents and Settings\Hank\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\xcrkrubg.dll
C:\Documents and Settings\Hank\Application Data\privprotect.exe
C:\Documents and Settings\Hank\err.log
C:\Documents and Settings\Hank\My Documents\SEMBLY~1
C:\Documents and Settings\Hank\My Documents\SEMBLY~1\?vchost.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\folder.js\
C:\Program Files\Opera\rteme.html
C:\Program Files\pppatc~1
C:\Program Files\pppatc~1\?ppPatch\
C:\Program Files\pppatc~1\wucrtupd.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\abW9
C:\Temp\abW9\tPho.log
C:\temp\tn3
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\bcddclbh.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\e1
C:\WINDOWS\system32\fibagbia
C:\WINDOWS\system32\fibagbia\bg1.gif
C:\WINDOWS\system32\fibagbia\bgtop.gif
C:\WINDOWS\system32\fibagbia\bottom1.gif
C:\WINDOWS\system32\fibagbia\essentials.gif
C:\WINDOWS\system32\fibagbia\fibagbia1.exe
C:\WINDOWS\system32\fibagbia\fibagbia2.exe
C:\WINDOWS\system32\fibagbia\fibagbia3.exe
C:\WINDOWS\system32\fibagbia\icon1.ico
C:\WINDOWS\system32\fibagbia\install1.gif
C:\WINDOWS\system32\fibagbia\left1.gif
C:\WINDOWS\system32\fibagbia\li.gif
C:\WINDOWS\system32\fibagbia\logo.gif
C:\WINDOWS\system32\fibagbia\main.htm
C:\WINDOWS\system32\fibagbia\mainframe.htm
C:\WINDOWS\system32\fibagbia\reinstall1.gif
C:\WINDOWS\system32\fibagbia\right1.gif
C:\WINDOWS\system32\fibagbia\s1.htm
C:\WINDOWS\system32\fibagbia\s2.htm
C:\WINDOWS\system32\fibagbia\s3.htm
C:\WINDOWS\system32\fibagbia\SMTop1.gif
C:\WINDOWS\system32\fibagbia\SMTop2.gif
C:\WINDOWS\system32\fibagbia\SMTop3.gif
C:\WINDOWS\system32\fibagbia\SMTop4.gif
C:\WINDOWS\system32\fibagbia\soft1_off.gif
C:\WINDOWS\system32\fibagbia\soft1_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft1_on.gif
C:\WINDOWS\system32\fibagbia\soft1_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_off.gif
C:\WINDOWS\system32\fibagbia\soft2_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft2_on.gif
C:\WINDOWS\system32\fibagbia\soft2_on_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_off.gif
C:\WINDOWS\system32\fibagbia\soft3_off_ext.gif
C:\WINDOWS\system32\fibagbia\soft3_on.gif
C:\WINDOWS\system32\fibagbia\soft3_on_ext.gif
C:\WINDOWS\system32\fibagbia\softbottom_off.gif
C:\WINDOWS\system32\fibagbia\softbottom_on.gif
C:\WINDOWS\system32\fibagbia\softleft_off.gif
C:\WINDOWS\system32\fibagbia\softleft_on.gif
C:\WINDOWS\system32\fibagbia\top1.gif
C:\WINDOWS\system32\fibagbia\top2.gif
C:\WINDOWS\system32\fibagbia\turnoff1.gif
C:\WINDOWS\system32\fibagbia\turnon1.gif
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\bemwdll3.exe
C:\WINDOWS\system32\hblcddcb.dll
C:\WINDOWS\system32\hpnftbua.dll
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\n8\ensts2dll.exe
C:\WINDOWS\system32\opnmkjj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rMa02yy
C:\WINDOWS\system32\rMa02yy\rMa02yy1099.exe
C:\WINDOWS\system32\uujofwtx.exe
C:\WINDOWS\system32\wapiiit.exe
C:\WINDOWS\system32\wrycgywn.dll
C:\WINDOWS\system32\xlibgfl254.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_FMTR
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-11-04 to 2007-12-04 )))))))))))))))))))))))))))))))
.

2007-12-03 17:47 . 2007-12-03 17:47 <DIR> d-------- C:\Deckard
2007-12-02 14:00 . 2007-12-02 14:00 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-02 12:56 . 2007-12-02 12:56 <DIR> d-------- C:\VundoFix Backups
2007-12-02 00:22 . 2007-12-02 00:22 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-12-02 00:21 . 2007-12-02 09:35 <DIR> d-------- C:\Program Files\SpyNoMore
2007-12-02 00:20 . 2007-12-02 00:20 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-01 21:49 . 2007-12-01 21:49 <DIR> d-------- C:\Program Files\AdwareAlert
2007-12-01 21:49 . 2007-12-01 22:11 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\AdwareAlert
2007-11-20 12:04 . 2007-12-01 13:55 793,724 ---hs---- C:\WINDOWS\system32\uuuxpqva.ini
2007-11-20 11:20 . 2007-12-02 10:17 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-19 17:28 . 2007-11-19 17:28 <DIR> d-------- C:\Program Files\E404 Helper
2007-11-19 17:23 . 2007-11-19 17:23 <DIR> d-------- C:\Program Files\Tfbbwtah
2007-11-19 17:23 . 2007-11-19 17:23 <DIR> d-------- C:\Program Files\rcxcdsxg
2007-11-19 17:23 . 2007-11-19 17:23 1,147,424 --a------ C:\Install
2007-11-19 17:22 . 2007-11-19 17:24 <DIR> d-------- C:\Documents and Settings\Hank\Application Data\SpyGuardPro
2007-11-19 17:05 . 2007-11-19 17:45 <DIR> d--hs---- C:\WINDOWS\SGFuaw
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\PALM
2007-11-18 20:35 . 2007-11-18 20:35 <DIR> d-------- C:\Temp\2577

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-04 14:47 --------- d-----w C:\Program Files\Opera
2007-12-01 18:53 --------- d-----w C:\Program Files\PC Tools AntiVirus
2007-10-15 03:10 139,432 ----a-w C:\Documents and Settings\Hank\Application Data\GDIPFONTCACHEV1.DAT
2007-06-14 09:22 2,231 ----a-w C:\Program Files\folder.js
2006-06-12 20:52 5,187 ----a-w C:\Documents and Settings\Incomplete\downloads.dat
2006-03-17 08:16 22 ----a-w C:\Documents and Settings\Music Downloads\nik Color Efex Pro 2.0 (Photoshop Plug.zip
2006-03-16 03:04 0 ----a-w C:\Documents and Settings\Incomplete\T-15872-nik color efex.exe
2006-02-03 17:21 2,255 ----a-w C:\Documents and Settings\Music Downloads\teps.zip
2005-12-12 03:00 4,126,240 ----a-w C:\Documents and Settings\Music Downloads\picasa2-current.exe
2005-12-12 03:00 3,707,944 ----a-w C:\Documents and Settings\Music Downloads\picasa-google-free.exe
2005-12-12 02:55 22 ----a-w C:\Documents and Settings\Music Downloads\Picasa 2.1.0.zip
2004-02-02 21:40 560 ----a-w C:\Documents and Settings\Hank\PCDOC.BAT
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\SGFuaw\asappsrv.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\SGFuaw\m3IRuT.vbs
2005-07-14 19:31 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4574ECBE-7799-48C7-A514-C499EAB88AD8}]
C:\WINDOWS\system32\sstqp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F42E612-4210-4896-BEEF-D2E484659561}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A3D411-02D2-4AA8-9EF8-953C513AF631}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 C:\WINDOWS\LOGI_MWX.EXE]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 13:46 C:\WINDOWS\KHALMNPR.Exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"SNM"="C:\Program Files\SpyNoMore\SNM.exe" [2007-12-02 00:22]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" []
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2005-12-13 15:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check 2.lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-05-29 12:41:29]
HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2006-08-17 14:57 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]
wineak32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LimeWire 4.0.8.lnk]
backup=C:\WINDOWS\pss\LimeWire 4.0.8.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PhotoCAL Startup.lnk]
backup=C:\WINDOWS\pss\PhotoCAL Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
backup=C:\WINDOWS\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^PowerReg SchedulerV2.exe]
backup=C:\WINDOWS\pss\PowerReg SchedulerV2.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^Virtual Bouncer.lnk]
backup=C:\WINDOWS\pss\Virtual Bouncer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiware]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open Site]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Macromedia Licensing Service"=3 (0x3)

R1 UBHelper;UBHelper;C:\WINDOWS\system32\drivers\UBHelper.sys
R3 SQTECH930B;Motion Track Webcam;C:\WINDOWS\system32\Drivers\Capt930b.sys
S1 AEC671X;AEC671X;C:\WINDOWS\system32\drivers\AEC671X.SYS
S1 DMX3191;DMX3191;C:\WINDOWS\system32\drivers\DMX3191.SYS
S2 UDNT;UDNT;C:\WINDOWS\system32\drivers\UDNT.sys
S3 cvspydr2;ColorVision Spyder 2;C:\WINDOWS\system32\DRIVERS\cvspydr2.sys
S3 EPUSBSTOR;EPSON USB Storage Driver;C:\WINDOWS\system32\DRIVERS\epusbsto.sys
S3 NUVision;Pinnacle LINX;C:\WINDOWS\system32\DRIVERS\NUVision.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{53de9c33-01c0-11dc-8070-0040ca587ccf}]
\Shell\AutoRun\command - G:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - G:\system\viewer\FlipVideoforPC.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-12-04 08:00:01 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 09:58:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-12-04 10:01:03 - machine was rebooted
.
--- E O F ---

[TheBruce1]

Hello again Alex

Please follow all instructions and in which order they come,if you have any questions,please ask before proceeding.

======================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs :

AdwareAlert 1.9.0 AdwareAlert was listed on this page because of concerns with false positives and the lack of information about the company and its privacy practices. In late fall of 2005, a new version of AdwareAlert was released, followed by new definitions. Testing with this new version indicates that the problems with earlier versions have been satisfactorily resolved. Thus, we can no longer consider AdwareAlert to be "rogue/suspect" anti-spyware.
http://www.spywarewarrior.com/rogue_...adw-alert_note

========================================================

Reg Fix

Go to Start->Run and type in regedit and hit OK.Go to HKEY_LOCAL_MACHINE and click on it>then right-click on HKEY_LOCAL_MACHINE and select export.
Save the registry somewhere as a backup. Close the Registry Editor now.

Open notepad and copy/paste the text in the quotebox below:
(don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Save the file as "Fix.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the Fix.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

=====================================================

Open notepad and copy/paste the text in the quotebox below into it:

Quote:

KillAll::

File::
C:\WINDOWS\system32\uuuxpqva.ini
C:\WINDOWS\system32\mcrh.tmp
C:\Install
C:\Program Files\folder.js
C:\Documents and Settings\Incomplete\downloads.dat
C:\Documents and Settings\Incomplete\T-15872-nik color efex.exe
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job

Folder::
C:\VundoFix Backups
C:\Program Files\AdwareAlert
C:\Documents and Settings\Hank\Application Data\AdwareAlert
C:\Program Files\E404 Helper
C:\Program Files\Tfbbwtah
C:\Program Files\rcxcdsxg
C:\Documents and Settings\Hank\Application Data\SpyGuardPro
C:\WINDOWS\SGFuaw

DirLook::
C:\Temp\PALM
C:\Temp\2577

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4574ECBE-7799-48C7-A514-C499EAB88AD8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F42E612-4210-4896-BEEF-D2E484659561}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50A3D411-02D2-4AA8-9EF8-953C513AF631}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineak32]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hank^Start Menu^Programs^Startup^Virtual Bouncer.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\antiware]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Open Site]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopUpStopperFreeEdition]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyKiller]

Save this as CFscript




Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

====================================================

Clear IE6 cookies

*Open IE and click Tools
*Click on Internet Options
*Click on General Tab
*Click on Delte Temp Files & Cookies buttons.

====================================================

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Paste the Panda Scan report into your next reply.

====================================================

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=======================================================
Logs Required
C:\Combofix.txt
Panda scan report
Hijackthis log

An update on how your system is behaving,thanks.

[Alexlonebear]

Hey Bruce,
Notepad evidentally no longer exists on my computer.
The only sign of it is two shortcuts that say
they can't find the files that are associated wih them.
Can I use Wordpad, it does seem to still exist.
Hank

[TheBruce1]

Hi Alex

Please do not use Wordpad,have you tried to open notepad this way?

To open Notepad, click Start, point to All Programs, point to Accessories, and then click Notepad.

[Alexlonebear]

That is what I did and I get this message in a box.

"Windows is searching for Notepad.exe.
To locate the file yourself, click browse."

After a short while I get another message saying the shortcut is invalid and asking what I want done with it.

[TheBruce1]

I have attached a zip file to this post.Download and extract to your desktop and,it should look like this double-click on notepad.bat

It should produce a log for you,post that in your next reply.

[TheBruce1]

There is a problem with the last bat file,download and extract the one attached to this post instead.

If you have already downloaded and extracted the last one,please delete that one.

[tetonbob]

Hi Alexlonebear -

It occurred to me that the previous batch file may not work as we want it to since you're having troubles with notepad.

Since TheBruce1 is in a different time zone, I thought I'd pop in.

If it does not, use the one attached to this post.

[Alexlonebear]

Thanks for dropping in. I appreciate any assistance.
It's nice I have 2 people looking out for my problem.
Which ever one of you wants to answer this go ahead.
I'm not sure who's got dibs on me, or
would like to get rid of me.
As you may have seen in an earlier post
I am computer challenged.
I've extrated the file TheBruce1 sent me and unzipped it.
I got a window with a DOS screen ending with a
notebook log.txt command line.
A few minutes later I got a window with the following log on it.

----a-w 69,120 2004-08-04 07:56:54 C:\WINDOWS\notepad.exe
-c----w 66,048 2002-08-29 12:00:00 C:\WINDOWS\$NtServicePackUninstall$\notepad.exe
------w 69,120 2004-08-04 07:56:54 C:\WINDOWS\ServicePackFiles\i386\notepad.exe

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 204,288 Blocks: 399


Was this what I supposed to get and what do I do with it now?
Are we looking for notepad now or working on the original problem?
Just to let you know I'm missing a lot of other things
including Firefox and all the "smiles" that are supposed to be on the "Reply to Thread" page.

I'm in Atlanta Georgia and it's about midnight so I'm going to bed now. I hope when I wake up I'll have some emails to help me.

And by the way, Thank you both very much!!!

[tetonbob]

Well, it seems notepad is present on your machine, so you should be able to run it, and use TheBruce1's instructions to run ComboFix with a script.

TheBruce1 will be continuing with his assistance.

Your shortcuts to notepad may be invalid at this point.

To open notepad, go to Start > Run, and copy/paste the following, then press Enter:

C:\WINDOWS\notepad.exe

A blank notepad file should open. You can then copy/paste TheBruce1's script from post #8 into it, and follow his instructions.

[Alexlonebear]

Panda is running now but I have a quick question.
You had me delete all the cookies and temp files from IE.
I use Firefox mainly, which had disappeared but I think has reappeared.
Should I delete the cookies and temp files from that also.

[TheBruce1]

Many thanks to tetonbob for helping out.

Yes,delete your cookies/cache from firefox.

Clear Firefox cookies/cache

• Select "Tools"
• Select "Options".
• Select "Privacy".
• In "Settings" window put the check mark for Cookies,Cache,Browsing history and any others you want.
• Click OK.
• In Private area click "Clear Now".

[Alexlonebear]

It seems like I'm having a problem with sending Activescan, it very long. There is no button for "Manage Attachments" so I can't figure out how to attach it. I pasted it into a post just a little bit ago and the one with the other logs. It didn't sem to work for either of those. Let me know please.
Hank

[TheBruce1]

How big is the Panda scan log there is a limit of 1.96MB.Try to attach it again,if no luck post the logs.If you have the same trouble let me know.