"WhenU" Malware - please help me![moved from xp]

[lennonforever]

Hello, I was sent to this site by a very nice person on the IMdB board. I have WinXP and have Verizon high-speed, which isn't really that great, cause I lose the signal all the time in windy weather, fog, rain, you name it.

I am not computer savvy , but know a very little bit. The last time I 'fiddled' around with deleting things, I made a complete mess, cause I hit the "System Restore" choice. My husband was angry and was on the phone with HP tech for hours trying to rectify what I had done. I am very scared to do something like this again!

I cannot delete "WhenUSave". It is terribly intrusive.I am losing my mind! My computer is running very slowly. I have up-to-date
Norton anti-virus, but it does nothing about this program!

I have been to your thread concerning this, as you direct , but cannot link to the list of other malware programs from that post. (2005 post)

I have deleted Bear Share, a peer sharing program , which is supposed to delete When USave. It hasn't.

I have deleted this from my Windows Add/Remove program list numerous times! It keeps appearing on that list. I get a message saying that 'it may have been uninstalled, do you want to remove from this list' and of course I always say 'yes'.

Afte researching this malware, I had no idea how insidious these types of programs are.

Please can you help me?

[dai]

follow the 5 steps here
http://www.techsupportforum.com/showthread.php?t=15968

[lennonforever]

I hope I did all these steps correctly. I am very scared I did something incorrect. Thank you all so very much. Isn't there something else I have to send you too?



Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-17 19:29:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 5 Restore Point(s) --
60: 2006-04-07 23:49:55 UTC - RP433 - System Checkpoint
59: 2006-04-06 23:41:41 UTC - RP432 - System Checkpoint
58: 2006-04-05 23:20:57 UTC - RP431 - System Checkpoint
57: 2006-04-02 19:50:20 UTC - RP430 - System Checkpoint
56: 2006-04-01 12:41:42 UTC - RP429 - System Checkpoint


-- First Restore Point --
1: 2006-01-12 01:08:00 UTC - RP374 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 247 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-17 19:36:13
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\hp\KBD\kbd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SA8PCP5N\dss[1].exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzstc08.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpzeng08.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\hp\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: My Little Pony Registration.lnk = E:\ATR1.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/securit...?1144815946546
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...tent/opuc3.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145818117640
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\omniServ.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - Unknown owner - C:\WINDOWS\system32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


--
End of file - 11352 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 drvmcdb - c:\windows\system32\drivers\drvmcdb.sys <Not Verified; VERITAS Software, Inc.; >
R0 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
R3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>

S3 ATWPKT2 - c:\program files\america online 8.0\atwpkt2.sys (file missing)
S3 MREMPR5 (MREMPR5 NDIS Protocol Driver) - c:\program files\common files\motive\mrempr5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 MRENDIS5 (MRENDIS5 NDIS Protocol Driver) - c:\program files\common files\motive\mrendis5.sys <Not Verified; Motive, Inc.; Motive Rawether for Windows>
S3 PCDRDRV (Pcdr Helper Driver) - c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys (file missing)
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Standard 56000 bps Modem
Device ID: ROOT\MODEM\0001
Manufacturer: (Standard Modem Types)
Name: Standard 56000 bps Modem
PNP Device ID: ROOT\MODEM\0001
Service: Modem


-- Scheduled Tasks -------------------------------------------------------------

2008-05-14 23:39:31 530 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job


-- Files created between 2008-04-17 and 2008-05-17 -----------------------------

2008-05-17 19:33:05 0 d-------- C:\Program Files\Trend Micro
2008-05-16 12:56:21 0 d------c- C:\ie-spyad_zo
2008-05-16 12:52:36 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-16 12:52:09 0 d-------- C:\Program Files\SpywareBlaster
2008-05-15 23:45:39 0 d-------- C:\Program Files\Panda Security


-- Find3M Report ---------------------------------------------------------------

2008-05-17 07:39:06 0 d-------- C:\Program Files\Save
2008-05-13 20:59:33 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-06 15:25:22 0 d-------- C:\Program Files\Java
2008-03-26 16:05:39 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
2008-03-26 16:04:18 0 d-------- C:\Program Files\Common Files
2008-03-26 16:04:18 0 d-------- C:\Program Files\Common Files\xing shared
2008-03-26 16:04:05 0 d-------- C:\Program Files\Common Files\Real
2008-03-26 16:02:41 0 d-------- C:\Program Files\Real
2008-03-18 13:38:58 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [08/20/2004 03:51 PM]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [06/22/2002 10:27 AM]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 08:42 PM]
"KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
"StorageGuard"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [02/13/2003 11:01 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/14/2002 12:42 AM]
"PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 06:57 PM]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [12/17/2002 11:40 AM]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [03/11/2003 06:08 AM]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [12/02/2002 08:56 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/08/2008 06:33 PM]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [08/20/2004 03:55 PM]
"AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
"NetscapeClient"="" []
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [06/06/2007 07:52 PM]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [05/11/2007 03:20 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/29/2007 06:24 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 08:51 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03/26/2008 04:02 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
"WhenUSave"="C:\Program Files\Save\Save.exe" [08/25/2006 02:45 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll 02/21/2003 06:50 AM 40960 C:\Program Files\Softex\OmniPass\OPXPGina.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-17 19:40:47 ------------

[lennonforever]

Im not sure if this is the same thing I just sent to you guys.

I think there is something else I am supposed to send to you too, isn't there?

[lennonforever]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:18 PM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Save\Save.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG08.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Startup: My Little Pony Registration.lnk = E:\ATR1.EXE
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sd...SL/tgctlcm.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145818117640
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10194 bytes

[lennonforever]

I just remembered, it was the active ;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-16 12:43:41
PROTECTIONS: 1
MALWARE: 28
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Norton AntiVirus 2006 2005 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00027660 adware/savenow Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
00027660 adware/savenow Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00027660 adware/savenow Adware No 0 Yes No c:\program files\save
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\savenow
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\wusn.1
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\whenusave
00027660 adware/savenow Adware No 0 Yes No hkey_classes_root\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader.1
00027660 adware/savenow Adware No 0 Yes No hkey_classes_root\wusn.1
00035328 Application/KillApp.A HackTools No 0 Yes No C:\hp\bin\Terminator.exe
00040735 adware/whenusearch Adware No 0 Yes No hkey_current_user\software\whenu
00101555 Application/KillApp.B HackTools No 0 Yes No C:\hp\bin\KillIt.exe
00132734 adware/24-7-search Adware No 0 Yes No c:\windows\system32\unppc.exe
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\xg647yht.default\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.atdmt.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.mediaplex.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\xg647yht.default\cookies.txt[.mediaplex.com/]
00167704 Cookie/Xiti TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@xiti[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.azjmp.com/]
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.azjmp.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.apmebf.com/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[server.iad.liveperson.net/]
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[server.iad.liveperson.net/hc/42166290]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.pointroll.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.zedo.com/]
00182104 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.phg.hitbox.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Netscape\Navigator\Profiles\xg647yht.default\cookies.txt[.atwola.com/]
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.ads.addynamix.com/]
00328083 Adware/SaveNow Adware Yes 1 Yes No C:\PROGRAM FILES\SAVE\SAVE.EXE
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\k3t504ss.default\cookies.txt[.adserver.easyad.info/]
;===================================================================================================================================================================================
SUSPECTS
Sent Location )
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description )
;===================================================================================================================================================================================
182046 HIGH MS07-067 )
182043 HIGH MS07-064 )
;===================================================================================================================================================================================
scan stuff

[dai]

the bottom 3 items
http://www.techsupportforum.com/hard...orum-span.html

[lennonforever]

Dai, Im not sure what to do now? I am very confused. Please help me do this correctly. Thank you. I am an older individual and not computer savvy at all. Thank you so much

[dai]

moved you to the hijack forum

[tetonbob]

Hello, lennonforever -

Deckard's System Scanner should also have produced another log, extra.txt

It should be located at C:\Deckard\System Scanner\extra.txt

Please post it.

Quote:

I am very scared to do something like this again!

Don't be scared.

If you have any questions along the way, STOP and ask them first. Do not guess.

[lennonforever]

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 2.50GHz
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 246.98 MiB / 88.26 MiB
Pagefile Memory (total/avail): 605.73 MiB / 215.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1912.44 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 69.99 GiB total, 57.08 GiB free.
D: is Fixed (FAT32) - 4.53 GiB total, 0.76 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD800EB-11DJF0 - 74.53 GiB - 2 partitions
\PARTITION0 - Unknown - 4.53 GiB - D:
\PARTITION1 (bootable) - Installable File System - 69.99 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton Internet Worm Protection v2006 (Symantec)
AV: Norton AntiVirus 2006 v2005 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUR-O0KWKW9JWC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\YOUR-O0KWKW9JWC
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PCToolsDir=C:\Documents and Settings\All Users\Start Menu\Programs\Hewlett-Packard\HP Pavilion PC Tools
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
USERDOMAIN=YOUR-O0KWKW9JWC
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Owner (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\System32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
--> C:\WINDOWS\System32\\MSIEXEC.EXE /x {60E971B7-51A0-48CA-8687-C6B8F094A409}
--> c:\WINDOWS\System32\\MSIEXEC.EXE /x {8214CC02-6271-4DC8-B8DD-779933450264}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81100000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ArcSoft Picture Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ArcSoft\Software Suite\Uninst.isu"
Barbie(TM) as Rapunzel --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\RapunzelUn.exe
Barbie® As Sleeping Beauty --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Barbie®\Barbie® As Sleeping Beauty\Uninst.isu"
ccCommon --> MsiExec.exe /I{1248C09A-BD6B-47F5-BF3F-CD2B700D9FCB}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar2.dll"
Hamtaro Wake Up Snoozer --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Hamtaro\Hamtaro Wake Up Snoozer\Uninstall.xml"
hp deskjet 3600 --> msiexec /x{7CA32143-2DAC-4F5F-9BAA-2AB3707EF192}
HP Deskjet printer preloaded drivers --> MsiExec.exe /X{48BD24F5-13DE-493A-A7CE-28A85113FF0C}
HP Digital Imaging Album Printing 1.0 --> MsiExec.exe /X{47D4AF7B-EDE6-4ADB-8D2F-0BDA25C7321F}
HP Instant Support --> C:\PROGRA~1\HPINST~1\UNWISE.EXE C:\PROGRA~1\HPINST~1\INSTALL.LOG
HP Memories Disc --> MsiExec.exe /X{35E90FA5-2CB4-4039-A8BB-BE1B9DB94E21}
HP Photo and Imaging 1.2 - Photosmart Cameras --> MsiExec.exe /X{4F5FC172-F0E7-4EA5-902F-8D005DF9F000}
HP Photo and Imaging 2.0 - Deskjet Series --> MsiExec.exe /I{E0828692-FD9D-459F-9312-C645C3CA6650}
HP Photosmart printers preloaded drivers --> MsiExec.exe /X{9E88DAA4-1352-4272-BA3A-897668408400}
Intel(R) Extreme Graphics Driver --> RUNDLL32.EXE C:\WINDOWS\System32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
IntelliMover Data Transfer Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14589F05-C658-4594-9429-D437BA688686}\Setup.exe" -l0x9
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
InterVideo WinDVD Player --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KBD --> C:\HP\KBD\KBD.EXE uninstalled
Kelly Club(TM) Pet Parade(TM) CD-ROM --> C:\Program Files\Common Files\Knowledge Adventure\Uninstall\AnimalParadeUn.exe
Lernout & Hauspie TruVoice American English TTS Engine --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\tv_enua.inf, Uninstall
LiveReg (Symantec Corporation) --> C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Mad About Cats --> C:\WINDOWS\unvise32.exe C:\Program Files\Mad About Cats\uninstal.log
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MUSICMATCH® Jukebox --> C:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.exe
My Little Pony --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4CB67F83-F2FF-4542-A5EA-03082FB5B12F}\setup.exe" -l0x9
NAVShortcut --> MsiExec.exe /I{F325CF11-27CE-4872-8022-6E9EB27DF24F}
Netflix Movie Viewer --> MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
Norton AntiVirus 2006 --> MsiExec.exe /X{C6F5B6CF-609C-428E-876F-CA83176C021B}
Norton AntiVirus 2006 (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{C6F5B6CF-609C-428E-876F-CA83176C021B}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{82A5BF38-8461-4A5C-B2C9-24F5256D92A6}
Norton WMI Update --> MsiExec.exe /X{F64306A5-4C32-41bb-B153-53986527FAB4}
NVIDIA Windows 2000/XP Display Drivers --> rundll32.exe C:\WINDOWS\System32\nvinstnt.dll,NvUninstallNT4 nvhp.inf
OmniPass --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F4E57F49-84B4-4CF2-B0A1-8CA1752BDF7E}\Setup.exe" -l0x9
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC-Doctor for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
PlayLinc --> MsiExec.exe /I{9CCE527D-356F-41A8-9718-77A68AC065FB}
PS2 --> C:\WINDOWS\system32\ps2.exe uninstall
Python 2.2 combined Win32 extensions --> C:\Python22\Lib\SITE-P~1\UNWISE~1.EXE C:\Python22\Lib\SITE-P~1\w32inst.log
Python 2.2.1 --> C:\Python22\UNWISE.EXE C:\Python22\INSTALL.LOG
Quicken 2003 New User Edition --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F61F2821-694C-475F-99AB-6AF2EFDF40FD} anything
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RecordNow --> MsiExec.exe /I{8214CC02-6271-4DC8-B8DD-779933450264}
S3Display --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Display'
S3Gamma2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Gamma2'
S3Info2 --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Info2'
S3Overlay --> s3uninst.exe -reg 5 'HKLM\Software\S3\S3Uninst\S3Overlay'
Scooby-Doo(TM), Case File #2 The Scary Stone Dragon --> C:\WINDOWS\TLCUninstall.exe -f "C:\Program Files\The Learning Company\Scooby-Doo\Scooby-Doo(TM), Case File #2 The Scary Stone Dragon\Uninstall.xml"
Scooby-Doo(TM), Jinx At The Sphinx(TM) --> C:\Program Files\The Learning Company\Scooby-Doo(TM), Jinx At The Sphinx(TM)\uninstall.exe
Scooby-Doo(TM), Showdown in Ghost Town(TM) --> C:\Program Files\The Learning Company\Scooby-Doo(TM), Showdown in Ghost Town(TM)\uninstall.exe
Screensavers Installer Version 3 --> "C:\Program Files\Screensavers.com\SSSUninst.exe"
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Simple Backup for My Pictures --> MsiExec.exe /I{60E971B7-51A0-48CA-8687-C6B8F094A409}
Simple Installer - Multilanguage Version --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EEF397AC-DAEF-4C04-90A9-5B2BD31875DC}\setup.exe"
Smart Link 56K Voice Modem --> C:\WINDOWS\Modio\SLAMR2KV\Setup.exe /Remove
Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SpamSubtract --> C:\PROGRA~1\INTERM~1\SPAMSU~1\UNWISE.EXE /U C:\PROGRA~1\INTERM~1\SPAMSU~1\INSTALL.LOG
SPBBC --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Symantec KB-DocID:2003093015493306 --> MsiExec.exe /I{08C5815C-2C6E-44f8-8748-0E61BC9AFB68}
toolkit --> c:\Windows\HPTK\unhptkit.exe
Updates from HP --> C:\WINDOWS\BWUnin-6.2.3.66.exe -AppId 137903
Verizon Online Help and Support --> C:\PROGRA~1\Verizon\UNWISE.EXE C:\PROGRA~1\Verizon\INSTALL.LOG
Verizon Servicepoint 1.5.12 --> "C:\Program Files\Verizon\VSP\unins000.exe"
Viewpoint Media Player (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Weblink --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4FCC384C-18EA-4E25-9281-A06AE006D219}\setup.exe" -l0x9
WhenU SaveNow --> "C:\Program Files\Save\SaveUninst.exe" /rWUSV /kSaveNow /d"WhenU SaveNow"
WordPerfect Productivity Pack --> c:\WINDOWS\Corel\Uninst32.exe
WordPerfect Productivity Pack --> C:\WINDOWS\Corel\uninst32.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type42224 / Error
Event Submitted/Written: 05/17/2008 07:38:11 PM / 05/17/2008 07:38:12 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type42223 / Error
Event Submitted/Written: 05/17/2008 07:00:12 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module mshtml.dll, version 7.0.6000.16640, fault address 0x000c6268.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type42201 / Error
Event Submitted/Written: 05/17/2008 10:12:25 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type42175 / Error
Event Submitted/Written: 05/16/2008 03:59:47 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module urlmon.dll, version 7.0.6000.16640, fault address 0x00002fcd.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type42174 / Error
Event Submitted/Written: 05/16/2008 03:40:56 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 7.0.6000.16640, faulting module urlmon.dll, version 7.0.6000.16640, fault address 0x00002fcd.
Processing media-specific event for [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type43027 / Error
Event Submitted/Written: 05/17/2008 07:38:38 PM
Event ID/Source: 7016 / Service Control Manager
Event Description:
The SmartLinkService service has reported an invalid current state 0.

Event Record #/Type43021 / Error
Event Submitted/Written: 05/17/2008 06:41:47 PM / 05/17/2008 06:41:51 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.

Event Record #/Type42996 / Error
Event Submitted/Written: 05/17/2008 04:36:01 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2

Event Record #/Type42992 / Error
Event Submitted/Written: 05/17/2008 02:42:56 PM
Event ID/Source: 10010 / DCOM
Event Description:




The server {F3A614DC-ABE0-11D2-A441-00C04F795683} did not register with DCOM within the required timeout.

Event Record #/Type42960 / Error
Event Submitted/Written: 05/17/2008 07:30:13 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The mrtRate service failed to start due to the following error:
%%2



-- End of Deckard's System Scanner: finished at 2008-05-17 19:40:47 ------------

[tetonbob]

Ok, first, I want you to realize that in the grand scope of malware, WhenU is not particularly malicious. It is a pest, and it is adware, but it will not cause your machine to BSOD like many modern infections, nor will it patch system files.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please download OTMoveIt2 by OldTimer.
Save it to your desktop. We'll use this later.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked

O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"

Close HijackThis now.

---------------------------------------------------------------------------------------------

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

---------------------------------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

WhenU SaveNow

If you get any error messages, please write them down precisely and report them.

---------------------------------------------------------------------------------------------

Restart in normal mode.

---------------------------------------------------------------------------------------------

Run OTMoveIt

• Please double-click OTMoveIt2.exe to run it.
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  Quote:

  C:\Program Files\Save
  c:\windows\system32\unppc.exe

• Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------------

Copy and paste the following into Notepad (don't forget to copy and paste REGEDIT4):

Quote:

REGEDIT4

[-HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}]

[-HKEY_LOCAL_MACHINE\software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}]

[-hkey_local_machine\software\microsoft\windows\currentversion\uninstall\savenow]

[-hkey_local_machine\software\classes\wusn.1]

[-hkey_local_machine\software\whenusave]

[-hkey_classes_root\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}]

[-hkey_local_machine\software\classes\runmsc.loader]

[-hkey_local_machine\software\classes\runmsc.loader.1]

[-hkey_classes_root\wusn.1]

[-hkey_current_user\software\whenu]

Save the file as "delete.reg". Make sure to save it with the quotes. It should look like this:

Close Notepad.

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

---------------------------------------------------------------------------------------------

[lennonforever]

dear Bob. I am in the process you have described in your most recent post above.

I got to the point where I started in "Safe" mode, then I went to the program list.

I checked on the "WhenUSave" program choice and choose "Remove"

AN ERROR message came up and said ''An error occurred ...WhenUSave may have been uninstalled- Do you want to remove from this list of programs?"

I choose 'Yes'.

Now I just restarted in "Nomal Mode"

QUESTION: should I continue on?

[tetonbob]

Yes, thanks for asking if you're not sure.

Please continue on with the rest of the instructions.

[lennonforever]

Bob this the the "OTMoveIt2" data


C:\Program Files\Save moved successfully.
c:\windows\system32\unppc.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05212008_230746

[tetonbob]

Great. Did you perform the registry fix? Please also post the new HijackThis log as requested.

[lennonforever]

Bob this is the message I received after I saved the "delete.reg" . I didn't know where to save it to , so I chose My Documents, then I received this message



Registry Editor

Cannot import C:\delete.reg:The specified file is not a registry script.
You can only import binary registry files from within the registry editor


So then I saved that notepad stuff to My Computer and received the same message.

What do I do now?

[tetonbob]

It seems as though you did not correctly save the information as instructed.

Did you name it "delete.reg" with the quotes? Did it look like the image? Is REGEDIT4 the first line in the file?

You can save the file anywhere....but how it's saved and what's in it is critical.

Let's try it this way...

I have attached a file to this post - lennon.zip Download this file to your desktop. Double click on the zip folder, then double click on the reg file within. Click yes to allow it to merge into your registry.

[lennonforever]

Scratch my last post. I'm not sure how to save it to the desktop.
I am opening it , then I say run, or I say open. I am really confused now.

[lennonforever]

OK bob, I think I just sent the "lennon" file to the desktop. It is there ( also in afew others places I put it in)



Also I got a message saying that the

"lennon" file was sent sucessfully to the registry.
Now what should I do?