Winantivirus and Winfixer Pop-ups keep popping up...help!

[jaddy814]

Hey, I seem to have a common problem. I was wondering if someone can help me out, ASAP! Basically I keep getting these winantivirus 2005 and winfixer pop-ups popping up ALL the time. They take up the entire screen. Sometimes they are difficult to exit out. If somebody could help me, that would be great. I ran HiJackThis and this is what I got...

Logfile of HijackThis v1.99.1
Scan saved at 7:13:27 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JEFFDO~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstts.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.online.librar.../ebraryRdr.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[jaddy814]

I'm just moving this up...i'm still here! I noticed other people have the same problem. I would go ahead and use the helpful replys you gave them, but i am not sure if the same files should be deleted.

[jaddy814]

i have also run mcafee and ad-aware and nothing is detecting it. what one of those things should i delete? the ".dll" ones?

thanks in advance

[sUBs]

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop. Double-click on it to extract the files to a new folder on your desktop.

Reboot your computer into Safe Mode.
Restart your computer and continually tapping the F8 key until a menu appears.
Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
At the introductory screen, press <Enter> to proceed.
When asked to type in a filepath, please key this in:

• C:\WINDOWS\system32\sstts.dll

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Next you will be asked to type in a second filepath.
At this point please type the following file path (make sure to enter it exactly as below!):

• C:\WINDOWS\system32\sttss.*

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


The fix should then automatically launch HijackThis. (if it doesn't, you'll have to do it manually)
In HiJackThis, please place a check next to the following items and click FIX CHECKED:

• O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\system32\sstts.dll
  O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
  O20 - Winlogon Notify: sstts - C:\WINDOWS\system32\sstts.dll

After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Once your machine reboots please continue with the instructions below.

Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Then, perform an online scan with Internet Explorer with Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[jaddy814]

is it possible for that to just dissappear? I ran another Hijackthis scan this morning and, "C:\WINDOWS\system32\sstts.dll" was not there. What's up with that? Should I do the above process anyways?

[sUBs]

Please post a new HJT log. I wanna see if there have been changes.

[jaddy814]

Logfile of HijackThis v1.99.1
Scan saved at 4:08:38 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\JEFFDO~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.online.librar.../ebraryRdr.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[sUBs]

Is this before/after doing the fix?

[jaddy814]

before, i havent done the fix yet.

but im thinking i dont have to any more, since its not there right?

i hope its just not hiding itself!

[sUBs]

That's strange. Where did it go? Did you do any scanning recently?

Either way, you still have some minor fixing to do.

Please have HijackThis fix these entries:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)


It would greatly ease any worries if you performed an online scan at Panda ActiveScan

1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
2. Click Scan Now
3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Click on see report. Then click Save report

Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

[jaddy814]

Nope, I didnt do any scanning. It just kind of dissappeared apparently. Anyways, I did the panda activescan, fixed those problems in HiJackThis, and did another HiJackThis log. Here are my results...

Activescan results....

Adware:adware/exact.bargainbuddy No disinfected
WindowsRegistry

Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\SYSTEM32\ddcya.dll

Newest HiJackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 251 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\DOCUME~1\JEFFDO~1\LOCALS~1\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.online.librar.../ebraryRdr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



How should I fix the spyware that was found with the activescan?
Thanks for all the help!

[sUBs]

Vundo has gone but it left a buddy

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...

1. In the popup box that appears, type in C:\WINDOWS\SYSTEM32\ddcya.dll
2. Click the Open button.
3. Click YES when prompted to restart your computer.

After you have rebooted, download & extract this file to it's own folder - Registry Search

Launch Registry Search
In the search box, enter buddy & click "Ok".
Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply

[jaddy814]

When I pressed "Yes" to promp a restart on my computer after doing that stuff in HiJackThis, I got a blue screen and on top it said, "c000021a fatal system error". I turned the power off my computer and started it up again. I assumed the file was deleted, but I can't tell. I proceeded with the Registry Search, and this is the log I recieved after searching buddy....


REGEDIT4

; Registry Search by Bobbi Flekman
; Version: 1.0.2.1

; Results at 10/15/2005 3:30:35 PM for strings:
; 'buddy'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService]
@="BuddyService Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService\CurVer]
@="Buddy.BuddyService.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService.1]
@="BuddyService Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Buddy.BuddyService.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}]
@="SuperBuddy Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}\ProgID]
@="Sb.SuperBuddy.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{189504B8-50D1-4AA8-B4D6-95C8F58A6414}\VersionIndependentProgID]
@="Sb.SuperBuddy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4EDDDDBC-3528-41AA-AA6E-237AA8092C08}]
@="BuddyService Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4EDDDDBC-3528-41AA-AA6E-237AA8092C08}\InprocServer32]
@="C:\\PROGRA~1\\AOLCOM~1\\Buddy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4EDDDDBC-3528-41AA-AA6E-237AA8092C08}\ProgID]
@="Buddy.BuddyService.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4EDDDDBC-3528-41AA-AA6E-237AA8092C08}\VersionIndependentProgID]
@="Buddy.BuddyService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A98ABF1C-107C-44E7-9254-2C3FF435D0C2}]
@="SuperBuddyData Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A98ABF1C-107C-44E7-9254-2C3FF435D0C2}\ProgID]
@="Sb.SuperBuddyData.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A98ABF1C-107C-44E7-9254-2C3FF435D0C2}\VersionIndependentProgID]
@="Sb.SuperBuddyData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{01B7DEEE-5988-4264-A557-A3E6ABF964C7}]
@="ISuperBuddyConfig"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{045EA296-D02B-46AB-AEC9-70DFCE0C7582}]
@="DISuperBuddyEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{22C652DE-4FEA-47DE-AAB0-12D6EC80B073}]
@="ISuperBuddy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{66CA0236-D197-4424-B307-A474C4F8B4D7}]
@="IBuddyService"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC0DA561-8BCC-4BE2-BF42-F0B66F98AAC5}]
@="_IBuddyServiceEvents"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F36D755D-17E6-404E-954F-0FC07574C78D}]
@="IRTCBuddyEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy]
@="SuperBuddy Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy\CurVer]
@="Sb.SuperBuddy.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy.1]
@="SuperBuddy Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddy.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData]
@="SuperBuddyData Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData\CurVer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData\CurVer]
@="Sb.SuperBuddyData.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData.1]
@="SuperBuddyData Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Sb.SuperBuddyData.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{155B3F27-CDEE-4FE2-8CC5-8D08882FDE15}\1.0]
@="Buddy 1.0 Type Library"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{155B3F27-CDEE-4FE2-8CC5-8D08882FDE15}\1.0\0\win32]
@="C:\\PROGRA~1\\AOLCOM~1\\Buddy.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bargain-buddy.net]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bargain-buddy.net]

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bargain-buddy.net]

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bargain-buddy.net]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\AppEvents\Schemes\Apps\AOL_US(Default Sounds)\BuddyIn]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\AppEvents\Schemes\Apps\AOL_US(Default Sounds)\BuddyIn\.current]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\AppEvents\Schemes\Apps\AOL_US(Default Sounds)\BuddyIn\.current]
@="C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_America Online 9.0\\aolshare\\sounds\\US\\Default\\buddyin.wav"

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\AppEvents\Schemes\Apps\AOL_US(Default Sounds)\BuddyOut]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\AppEvents\Schemes\Apps\AOL_US(Default Sounds)\BuddyOut\.current]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\AppEvents\Schemes\Apps\AOL_US(Default Sounds)\BuddyOut\.current]
@="C:\\Documents and Settings\\All Users\\Application Data\\AOL\\C_America Online 9.0\\aolshare\\sounds\\US\\Default\\buddyout.wav"

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jad81486\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jad81486\Buddy]
"BuddyInviteFile"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jad81486\Buddy]
"BuddyListFileMerged"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jad81486\WindowPos]
"BuddyMain"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jad81486\WindowPos]
"BuddyListSetup"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\Buddy]
"BuddyInviteFile"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\Buddy]
"BuddyListFileMerged"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\Buddy]
"FlashBuddyWindow"=dword:00000000

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\WindowPos]
"BuddyMain"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\WindowPos]
"BuddyListSetup"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\WindowPos]
"BuddyMainNoSideBarLeft"=dword:00000000

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\jador814\WindowPos]
"BuddyMainNoSideBarRight"=dword:00000000

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\Buddy]
"BuddyInviteFile"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\Buddy]
"BuddyListFileMerged"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\Buddy]
"FlashBuddyWindow"=dword:00000000

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\BuddyAlertSounds]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\DialogPos]
"AddBuddyDlg"=hex:84,01,00,00,c2,00,00,00

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\WindowPos]
"BuddyListSetup"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\lego814\WindowPos]
"BuddyMain"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\meggep21\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\meggep21\Buddy]
"BuddyInviteFile"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\meggep21\Buddy]
"BuddyListFileMerged"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\meggep21\WindowPos]
"BuddyMain"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\rachzlicious\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\rachzlicious\Buddy]
"BuddyInviteFile"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\rachzlicious\Buddy]
"BuddyListFileMerged"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\rachzlicious\Buddy]
"FlashBuddyWindow"=dword:00000000

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\rth3681\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\weggles21\Buddy]

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\weggles21\Buddy]
"BuddyInviteFile"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\weggles21\Buddy]
"BuddyListFileMerged"=dword:00000001

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users\weggles21\WindowPos]
"BuddyMain"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,ff,\

[HKEY_USERS\S-1-5-21-1713871582-3272965051-120269989-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bargain-buddy.net]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\bargain-buddy.net]

; End Of The Log...

Here is a new HiJackThis log if ya need it...

Logfile of HijackThis v1.99.1
Scan saved at 3:35:13 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\JEFFDO~1\LOCALS~1\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.online.librar.../ebraryRdr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[sUBs]

I have attached a file to this post - regdel.txt

Download it & rename it "regdel.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as regdel.reg.txt (double extensions)
Double-click on it & answer YES when prompted to merge into the Registry

After you have done that, perform another Panda scan.
Let's see if it brings anything back

[jaddy814]

before i do this, I just want to ask what this "reg del" will do? After doing some of these steps I have noticed a few other things on my computer going wrong. I cant seem to restart my computer without getting a "mcshield.exe application error" msg. What could this be about?

Do I still have some spyware on my computer? How come my ad-aware is not catching it?

Thanks.

[jaddy814]

also my computer takes a rediculously long time to shut down (like five minutes, and sometimes it just DOESNT shut down at all). what gives?

Thanks in advance, I know im being a hassle!

[sUBs]

Quote:

Adware:adware/exact.bargainbuddy No disinfected

It's no hassle. Please feel free to ask.

Regdel is a text file. Please open it up to have a look. It's for removing the above entries from your Registry.

I'm more concerned about McAfee's shied problem. Please post the error message as displayed by McAfee.

[jaddy814]

i dont know what the error msg said exactly, but here is what i copied down...

mcshield.exe application error
an unknown software exception

and then i copied down the numbers, Oxc0000008 and 0x7c964ed1

im performing another panda scan now

[jaddy814]

i just finished the panda scan and nothing was found! is that a good thing? did the regdel.REG thing find all the spyware/viruses from before and delete them? what happened to all of the bargainbuddy stuff?

[sUBs]

Regdel is a customised file that removes the registry entries pertaining to bargain buddy. That's how Panda came clean this time round.

With regards to McAfee, Vundo may have corrupted some of it's core files. It may be prudent to re-install it again.


Your system is clean. Please follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
    
    
    
11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.