Tech Support Forum, Resolved HJT Threads (resolved spyware and popup issues)

Old 10-04-2005, 04:06 PM   #1 (permalink)
sleemie (Registered User; Join Date: Mar 2003; Location: Virginia; Posts: 156; OS: Windows XP):

Please review (winfixer)

I've run Ewido, Spybot, Trend's HouseCall, CWShredder and the Ad-Aware VX2 plug-in. I didn't complete the Ad-Aware scan because it kept freezing up on me. I'm doing this through remote access; the PC is located in our Denver office.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 3:01:38 PM, on 10/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHENG.EXE
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\logon.scr
C:\Documents and Settings\IMO_Admin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sss.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 199.254.201.175:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.sss.gov;*.sss.gov:8080;*.nbc.gov;?.sss.gov;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ogefce] C:\WINDOWS\System32\ndmzfr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://intra.sss.gov/viewer/activeXV...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sss.gov
O17 - HKLM\Software\..\Telephony: DomainName = sss.gov
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sss.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sss.gov
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
Old 10-04-2005, 06:56 PM   #2 (permalink)
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 35,524; OS: 2000 Pro, XP Pro, XP Home):

Is this another computer, Sleemie? Or the same one here:

Winfixer and other stuff

How many in your Denver office are infected? Shame on the users... and the SysAdmin.

Ad-Aware can usually be run in Safe Mode when it hangs like that.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 10-05-2005, 06:07 AM   #3 (permalink)
sleemie:

It's a different computer. It's the third one that I've worked on in Denver, two of them remotely and one of them they shipped in to me. I can't connect to it remotely while it's in safe mode because the remote access service does not start when booting in safe mode. I'll try to run it again and see what happens.
Old 10-05-2005, 08:30 AM   #4 (permalink)
tetonbob:

OK, Sleemie... just wanted to be sure. I'm not seeing the Winfixer telltales in this log. Our fixes are best run in Safe Mode, because many processes, including malware processes, will not be started. If you can't run this in Safe Mode, try it all in normal mode.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers while you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying so (we don't know every program that exists, so we may tell you to delete a program that we think is bad but that you want to keep).

Before attacking an adware/spyware problem with HijackThis, make sure you have already run the following tools. Download and update the databases of each program before running it.
The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (use the alternate link if the main link doesn't work) and install it.

*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!

Please configure CleanUp with the following settings:

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
    [X]Scan local drives for temporary files (Please uncheck this option)
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WinTools

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ogefce] C:\WINDOWS\System32\ndmzfr.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe



Delete the following files/folders (delete the folder if no filename is specified) from the directories listed; if a file isn't there, just do a search for it. Delete them if they exist:

C:\WINDOWS\System32\ndmzfr.exe
C:\PROGRA~1\COMMON~1\WinTools

Restart in normal mode.

Perform an online scan with Internet Explorer using Panda ActiveScan (requires Internet Explorer):
  1. Click on the Scan your PC button and a pop-up window will appear. Ensure that your pop-up blocker doesn't block it.
  2. Click on 'Scan Now'.
  3. Enter your e-mail address and click 'Scan Now'; this begins downloading Panda's ActiveX controls (8 MB).
  4. Begin the scan by selecting My Computer.
    * You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on See report.
  6. Then click Save report.
  7. Post the contents of the report in your next reply.
* Turn off the real-time scanner of any existing antivirus program while performing the online scan.

Restart and run a new HijackThis scan. Save the log file and post it here.
Old 10-05-2005, 12:33 PM   #5 (permalink)
sleemie:

I attempted to run the Panda scan, and what's happened on two different systems I'm working on (one of them locally here and the other one mentioned in this post, in Denver) is that towards the very end it will just stop on me and won't get to the point of allowing me to view or save the report. The weird thing is that the scan stopped on the same file on both PCs: c:\windows\system32\dsentry.exe. I left them alone for like 20 minutes both times just to make sure it wasn't actually stopped, but it never moved off that file.
Old 10-05-2005, 02:18 PM   #6 (permalink)
tetonbob:

These are Dell computers. This appears to be an anti-spyware process from Dell. It seems that after Dell found out certain applications being installed from DVDs would report back information about what customers were watching, they decided to implement an anti-spyware service.

Use TaskMgr to stop the process before performing the scans. See if that helps.

Otherwise, we have other options to see what it is I want to see.
Old 10-07-2005, 02:04 PM   #7 (permalink)
sleemie:

You da man... that worked with the DSentry file.

Here's my Panda report and HijackThis log. Also, I attached a screenshot of the WinFixer that keeps popping up.


Incident Status Location

Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\a.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\b.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ba.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bb.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\be.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bg.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bh.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bi.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bj.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bk.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bl.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bo.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\br.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bu.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bw.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\by.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\bz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\c.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ca.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cb.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ce.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cg.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ch.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ci.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cj.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ck.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cl.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cn.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\co.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cp.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cs.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ct.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cu.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cx.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\cz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\d.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\da.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\db.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\de.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\df.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\di.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dl.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ds.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dw.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dy.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\dz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\ed.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\f.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\h.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\l.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\m.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\Main.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\n.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\r.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\u.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\w.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\x.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\WebSavingsfromEbates\System\Code\y.class
Adware:Adware/nCase No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP506\A0044046.dll
Adware:Adware/Twain-Tech No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP506\A0044048.dll
Adware:Adware/WinTools No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP507\A0044094.exe
Adware:Adware/KeenValue No disinfected C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP507\A0044100.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:adware/savenow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\INF\alchem.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\biini.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Spyware:spyware/betterinet No disinfected C:\WINDOWS\wupdsnff.exe


Logfile of HijackThis v1.99.1
Scan saved at 12:48:09 PM, on 10/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\IMO_Admin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sss.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 199.254.201.175:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.sss.gov;*.sss.gov:8080;*.nbc.gov;?.sss.gov;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://intra.sss.gov/viewer/activeXV...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sss.gov
O17 - HKLM\Software\..\Telephony: DomainName = sss.gov
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sss.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sss.gov
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe
Attached Files
File Type: doc winfixer.doc (27.0 KB, 2 views)
sleemie is offline  
Old 10-07-2005, 03:03 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,524
OS: 2000 Pro; XP Pro; XP Home


My bad, sleemie...I totally overlooked the obvious installer entry. Don't worry about the safe mode references if you can't perform them....it would work better if you could. It seems to be a drawback in Remote Access.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Update Ewido's definitions.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WebSavingsfromEbates

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"


Delete the following Files/Folders if they exist:

C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\INF\alchem.inf
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\wupdsnff.exe


Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Restart in normal mode.

Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Choose Save, NOT run, and save to your desktop
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

Run Panda online scan once again.

Restart and run a new HijackThis scan. Save the log file and post it here.

Create an uninstall list:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Open Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from the notebook onto your post

Also check the Downloaded Program Files folder, report anything you don't recognize.

So, Logs from:

Ewido
Panda
TrendMicro AntiSpyware
HJT scan
HJT Uninstall Manager
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
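One way to check the O4 autostart entries called out in the fix list above against a reposted HijackThis log, as an added example for this thread (it is not HijackThis code and not part of tetonbob's instructions); the suspect-folder list is an assumption, and the sample log text is constructed from the O4 lines quoted in this thread:

```python
"""Flag HijackThis O4 (autostart) entries launched from IE's ActiveX download
cache, as the WinFixer NetInstaller entries in this thread are, and confirm a
reposted log no longer carries them.  Added example for this thread, not
HijackThis code or any poster's instructions; sample log text is constructed
from O4 lines quoted above, and SUSPECT_DIRS is an assumption."""
import re
from typing import List, NamedTuple, Optional

# Folders a legitimate autostart entry almost never launches from.
# Only the first comes from this thread; the Temp folder is an assumption.
SUSPECT_DIRS = (r"c:\windows\downloaded program files", r"c:\windows\temp")

_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")
_STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+?) = (.*)$")
_TARGET_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat|cmd))"?', re.I)

class O4Entry(NamedTuple):
    location: str  # "HKLM\\Run", "HKCU\\Run" or "Global Startup"
    name: str      # registry value name or shortcut name
    command: str   # command line exactly as HijackThis prints it
    target: str    # first executable path in the command, lower-cased

def _target_of(command: str) -> str:
    """Pull the launched file out of a command line; '?' stays '?'."""
    m = _TARGET_RE.match(command.strip())
    return m.group(1).lower() if m else command.strip().lower()

def parse_o4(line: str) -> Optional[O4Entry]:
    """Return an O4Entry for one HijackThis O4 line, None for other lines."""
    line = line.rstrip()
    m = _RUN_RE.match(line)
    if m:
        hive, key, name, command = m.groups()
        return O4Entry(f"{hive}\\{key}", name, command, _target_of(command))
    m = _STARTUP_RE.match(line)
    if m:
        name, command = m.groups()
        return O4Entry("Global Startup", name, command, _target_of(command))
    return None

def parse_log(text: str) -> List[O4Entry]:
    return [e for e in map(parse_o4, text.splitlines()) if e]

def suspicious(entries: List[O4Entry]) -> List[O4Entry]:
    """Entries whose launched file lives under a suspect folder."""
    return [e for e in entries if e.target.startswith(SUSPECT_DIRS)]

def remaining_after_fix(before: str, after: str) -> List[str]:
    """Names of suspicious entries in `before` that `after` still lists."""
    still = {e.name for e in parse_log(after)}
    return [e.name for e in suspicious(parse_log(before)) if e.name in still]

# Constructed from O4 lines quoted in this thread (first log and repost).
BEFORE = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0715] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0715NetInstaller.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: APC UPS Status.lnk = ?
"""
AFTER = r"""
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: APC UPS Status.lnk = ?
"""

if __name__ == "__main__":
    for e in suspicious(parse_log(BEFORE)):
        print(f"fix: {e.location} [{e.name}] -> {e.target}")
    print("still present after fix:", remaining_after_fix(BEFORE, AFTER))
```

Run against a real HijackThis log, it prints the entries to tick before 'Fix checked' and, given the repost, which of them survived the fix.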
Old 10-11-2005, 02:44 PM   #9 (permalink)
Registered User
 
Join Date: Mar 2003
Location: Virginia
Posts: 156
OS: Windows XP


No problem, you're still da man!

Here are two weird files in the downloaded program files folder. They both consist of a bunch of numbers inside the squiggly lines and one of them it says it's unknown and the other damaged. They look kinda like this, but I've left out a bunch of the numbers....

{33564D7.....}
{9F1C11AA....}

Here are the logs....

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:39:06 AM, 10/11/2005
+ Report-Checksum: 57ADFEC6

+ Scan result:

C:\Documents and Settings\IMO_Admin\Cookies\imo_admin@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\IMO_Admin\Cookies\imo_admin@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\IMO_Admin\Cookies\imo_admin@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\IMO_Admin\Cookies\imo_admin@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\IMO_Admin\Cookies\imo_admin@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP506\A0044045.dll -> Adware.eZula : Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP506\A0044046.dll -> Spyware.180Solutions : Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP506\A0044048.dll -> Spyware.BiSpy : Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP507\A0044093.dll -> Spyware.Wintol : Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP507\A0044094.exe -> Spyware.Wintol : Error during cleaning


::Report End


PANDA


Incident Status Location

Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:adware/savenow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
TRENDMICRO


Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'
Found '' in 'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Backup
Unable to create the registry key HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000 for restore. [SCANMODS] Error=5.
Finished Backup
Started Cleaning
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC'. Error=5.
[SCANMODS] WARNING: Unable to remove registry keys under 'HKLM\'SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000'. Error=5.
Finished Cleaning


HIJACK


Logfile of HijackThis v1.99.1
Scan saved at 1:35:42 PM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Documents and Settings\IMO_Admin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sss.gov/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 199.254.201.175:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.sss.gov;*.sss.gov:8080;*.nbc.gov;?.sss.gov;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://intra.sss.gov/viewer/activeXV...ivexviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sss.gov
O17 - HKLM\Software\..\Telephony: DomainName = sss.gov
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sss.gov
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sss.gov
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Aelita DMW Migration Agent (Vmover.exe) - Aelita Software Corporation - C:\WINDOWS\System32\Vmover.exe



HIJACK UNINSTALL

Ad-Aware SE Personal
Adobe Acrobat 4.0, 5.0
AnswerWorks Runtime
APC PowerChute Personal Edition
ASPS
BCM V.92 56K Modem
Classic PhoneTools
CleanUp!
Corel Applications
Corel WordPerfect Suite 8
Creative MediaSource
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
E-Term32
ewido security suite
FormFlow 2.22
FormFlow 99 Client Components
HijackThis 1.99.1
HP Color LaserJet 5/5M (HP)
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PROSet II
Internet Explorer Q903235
Internet Registration & Verification Demo
Lavasoft VX2 Cleaner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft Data Access Components KB870669
Microsoft FrontPage 2002
Microsoft Office Live Meeting 2005
Microsoft Office XP Media Content
Microsoft Office XP Pro Step by Step Interactive
Microsoft Office XP Professional
Modem Helper
MyDVD
NavFit98A
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan
PowerDVD
Preliminary Readings
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Sound Blaster Audigy 2
Spybot - Search & Destroy 1.4
Symantec AntiVirus Client
TIRMS
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
sleemie is offline  
Old 10-11-2005, 02:53 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,445
OS: N/A


Sleemie,

Use Killbox on these files.

C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\WUInst.inf


These files may not be viewable in Windows. That's why KillBox should be used.
'Standard file Kill' should suffice.

Your log appears clean. Do you still have any other issues?
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 10-12-2005, 10:59 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2003
Location: Virginia
Posts: 156
OS: Windows XP


Don't think there are any other issues. Couldn't find those two files with killbox.

thanx for all your help.
sleemie is offline  
Old 10-12-2005, 11:03 AM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,445
OS: N/A


If Killbox doesn't find them, they aren't there anymore - no longer exist.

This log seems to be resolved. Do you require me to post you some tips on security?
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 10-12-2005, 11:54 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2003
Location: Virginia
Posts: 156
OS: Windows XP


I think I'm okay, I've read through some of the other posts on that. We just switched from Symantec/Norton to Trend Micro for our virus protection, and this version also provides some basic spyware protection, and of course we have a firewall here. We want to try and do as much as we can on the gateway level instead of installing a lot of client side programs, such as SpywareBlaster and SpywareGuard.

thanx for everything.
sleemie is offline  
Copyright 2001 - 2009, Tech Support Forum