Old 10-16-2005, 06:49 AM   #1 (permalink)
cee
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: Win XP Pro


DNSCatcher and MaxSearch

MS Antispyware keeps finding DNSCatcher and MaxSearch, as well as Unclassified.Trojan.Downloader even though I tell it to remove them. I ran the online virus scan from Trend Micro and it found the Trojan and removed it. Here's the log from HijackThis Analyzer. Thanks!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:30:45 AM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
D:\Program Files\War-ftpd\war-ftpd.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\AVGFRE~1\avgcc.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Spybot Search & Destroy\TeaTimer.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\PROGRA~1\MUSICM~1\COMMON\COMPON~1\MMCOMP~1.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\SnagIt\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O15 - Trusted Zone: www.mrcoffee.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.or...terisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106450362857
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7214DB88-F77D-434D-AD3F-685A427DC728}: NameServer = 68.42.244.6,68.42.244.5
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcSandraSrv.exe
O23 - Service: WARSVR - Unknown owner - D:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================

Last edited by cee; 10-16-2005 at 06:50 AM.
Old 10-16-2005, 08:43 AM   #2 (permalink)
Horse
General Manager (Administrator)

Join Date: Oct 2003
Location: Durban South Africa
Posts: 4,214
OS: WIN XP PRO

Hello and welcome to TSF

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If necessary, please ask any questions before proceeding with the procedures below.

Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things in the log. It needs to be disabled and can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

Please download LSPFix and save it to a permanent folder. It is highly unlikely that you will need this program, but it is important to have it on hand in case you do. There is a very small chance that after removing New.Net, you may lose your internet connection. If this occurs, close all windows and run the LSPfix tool that you downloaded. Check "I know what I'm doing" and select all entries related to New.Net. Then click >> and remove all entries related to New.Net. Click "Finished". A word of caution here. When you run the program, you may see the file gapsp.dll in the right hand pane. This file is a legit file so please move it back to the left pane if you find it there.

Download DelDomains.inf. Right-click and select Save Target As. Right-click and select Install. (There is no need to restart.) This will remove all entries in the Trusted Zone.

Download & save to Desktop - UnHookExec.inf
Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:

MyWebSearch
Maxsearch or Free Products


Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any):

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe


Please remember to close all other windows, including browsers, then click Fix checked.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\MyWebSearch
C:\PROGRA~1\FREEPR~1 <<< May present as Free Products
C:\Program Files\DNS
windir32.exe


Reboot your system in Normal Mode.

Please do an online scan at Panda ActiveScan
  1. Click on the Scan your PC button & a pop up window shall appear. (Ensure that your pop up blocker doesn't block it)
  2. Click On Next
  3. Enter your e-mail address & click Send. (It will begin downloading Panda's ActiveX controls which are about 8MB in size)
  4. In the next window, checkmark the following:
    • Disinfect automatically
    • Scan compressed files
    • Scan e-mail files
    • Detect unknown viruses (Heuristic)
    • Detect spyware
  5. Begin the scan by selecting All My Computer

    You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

  6. If it finds any malware, it will offer you a report. Click on see report
  7. Then click Save report
  8. Post the contents of the report in your next reply

Please post a fresh Hijack This log together with the Panda scan log report so that we can check if your system is clean.
__________________
Please Read Before You Post A Log
Hijack This v2.02 :: Adaware :: Spybot Search & Destroy :: SpywareBlaster

To Donate Please Click Here

PROUD MEMBER OF ASAP SINCE NOVEMBER 2004


Last edited by Horse; 10-16-2005 at 08:56 AM.
Old 10-17-2005, 07:53 AM   #3 (permalink)
cee
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: Win XP Pro


Thank you Horse! Here are the reports, ActiveScan followed by HijackThis Analyzer:

* * * * * Active Scan Report * * * * *

Incident Status Location

Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\SET8.tmp
Adware:Adware/ImGiant No disinfected C:\WINDOWS\myurlff.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\cmqqnf.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\unstall.exe
Possible Virus. No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\CXABCX2V\PIC00010[1].com
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[cwebpage.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\3UG2833D\init[1].js
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\0XIB45IF\bannerads[1].htm
Adware:adware/maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[cwebpage.dll]
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059911.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059912.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059913.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059914.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059917.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059918.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059920.exe
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP157\A0059989.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060078.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061525.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061525.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061529.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061622.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061622.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061623.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061715.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061715.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061717.DLL
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061724.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061725.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP170\A0062228.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP170\A0062229.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062292.dll
Adware:Adware/Maxifiles No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\0681AFB3-AEE3-4550-95DF-B6362A\18094883-81BF-43A2-9445-344ED7
Adware:Adware/Maxifiles No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\0681AFB3-AEE3-4550-95DF-B6362A\566F0132-291C-4F31-B11D-447D72
Adware:Adware/Maxifiles No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\0681AFB3-AEE3-4550-95DF-B6362A\A08F5E14-4110-46AD-93D0-BC5E4E
Adware:Adware/WUpd No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\886FF516-F0B1-4C83-B183-6C17D9\4983B341-4349-4AEC-B5B4-CD1F99
Spyware:Spyware/Media-motor No disinfected D:\Program Files\Microsoft AntiSpyware\DeactivatedItems\30E540CE-7904-4976-B682-3094E9.asq
Virus:W32/Sobig.E Disinfected Personal Folders\Inbox\Re: Movie\your_details.zip[details.pif]
Virus:Trj/Mitglieder.EW Disinfected Personal Folders\Deleted Items\price.zip[text.exe]



* * * * * HijackThis Analyzer Report * * * * *

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 9/28/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:49:58 AM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
D:\Program Files\War-ftpd\war-ftpd.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\AVGFRE~1\avgcc.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\PROGRA~1\POP-UP~1\PSFREE.EXE
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\logon.scr
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\SnagIt\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.or...terisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106450362857
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7214DB88-F77D-434D-AD3F-685A427DC728}: NameServer = 68.42.244.6,68.42.244.5
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcSandraSrv.exe
O23 - Service: WARSVR - Unknown owner - D:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)


End of KRC HijackThis Analyzer Log.
====================================================================
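The before/after check that posts #2 and #3 carry out by eye, as an added example (not part of the original thread, and not code from HijackThis or KRC HijackThis Analyzer): a small Python parser that confirms whether each entry on the fix list is gone from the second scan. The function names are assumptions; the sample lines are excerpted from the two logs and the fix list posted above.

```python
import re
from dataclasses import dataclass

# HijackThis entry lines start with a section code: R0-R3, F0-F3, N1-N4, O1-O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_RE = re.compile(r"\s*\(file missing\)\s*$")


@dataclass(frozen=True)
class Entry:
    code: str   # section code, e.g. "O2"
    body: str   # everything after "CODE - "

    @property
    def clsid(self):
        m = CLSID_RE.search(self.body)
        return m.group(0).upper() if m else None

    @property
    def file_missing(self):
        return bool(MISSING_RE.search(self.body))

    def key(self):
        # Identity used to match an entry across scans: ignore case, spacing and
        # the "(file missing)" suffix, which can appear once the file is deleted
        # while the registry value that points to it is still there.
        body = MISSING_RE.sub("", self.body)
        return (self.code, " ".join(body.lower().split()))


def parse_hjt(text):
    """Return the entry lines of a log; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def compare_scans(before, after):
    """Split entries into removed, persisting and newly added between two scans."""
    b = {e.key(): e for e in before}
    a = {e.key(): e for e in after}
    return {
        "removed": [e for k, e in b.items() if k not in a],
        "persisting": [e for k, e in a.items() if k in b],
        "added": [e for k, e in a.items() if k not in b],
    }


def fix_status(fix_list, before, after):
    """For each fix-list entry, report whether the second scan still shows it."""
    b = {e.key() for e in before}
    a = {e.key() for e in after}
    result = []
    for e in fix_list:
        if e.key() in a:
            status = "still present"
        elif e.key() in b:
            status = "removed"
        else:
            status = "not in first scan"
        result.append((e, status))
    return result


# Excerpts from the thread: the fix list from post #2, then lines from each scan.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
"""
BEFORE = FIX_LIST + r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot Search & Destroy\TeaTimer.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O15 - Trusted Zone: www.mrcoffee.com
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE), parse_hjt(AFTER)
    for entry, status in fix_status(parse_hjt(FIX_LIST), before, after):
        print(f"{status:17} {entry.code} - {entry.body[:60]}")
    for entry in compare_scans(before, after)["persisting"]:
        print(f"{'persisting':17} {entry.code} - {entry.body[:60]}")
```

On this excerpt the five fix-list entries report as removed, and the O10 entry for the missing New.Net LSP provider is one of the two that persist into the second scan.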
Old 10-17-2005, 11:06 AM   #4 (permalink)
Horse
General Manager (Administrator)

Hi there Cee

Download Winsock2Fix, then double-click on it to run it.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).
_________________________________________________

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
  • c:\program files\newdotnet\
    C:\WINDOWS\inf\SET8.tmp
    C:\WINDOWS\myurlff.exe
    C:\WINDOWS\cmqqnf.exe
    C:\WINDOWS\unstall.exe
    C:\Program Files\Common Files\system32.dll
_________________________________________________

Reboot your system in Normal Mode.
_________________________________________________

Please do an online scan at Panda ActiveScan

Post a new Hijack This log together with the Panda log.


Last edited by Horse; 10-17-2005 at 11:10 AM.
Old 10-19-2005, 04:04 PM   #5 (permalink)
cee
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: Win XP Pro


Thanks again Horse! Here is the 2nd round of reports, ActiveScan followed by HijackThis Analyzer:

* * * * * ActiveScan Report * * * * *

Incident Status Location

Adware:adware/imgiant No disinfected C:\PROGRAM FILES\joystick networks
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\InetGet
Spyware:spyware/media-motor No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\CLSID\{A9571378-68A1-443D-B082-284F960C6D17}
Spyware:spyware/cws.olehelp No disinfected Windows Registry
Possible Virus. No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\CXABCX2V\PIC00010[1].com
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[cwebpage.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\3UG2833D\init[1].js
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\0XIB45IF\bannerads[1].htm
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059911.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059912.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059913.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059914.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059917.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059918.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059920.exe
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP157\A0059989.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060078.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061525.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061525.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061529.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061622.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061622.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061623.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061715.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061715.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061717.DLL
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061724.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061725.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062292.dll
Adware:Adware/ImGiant No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062364.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062365.exe
Spyware:Spyware/Media-motor No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062366.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062367.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062367.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\0681AFB3-AEE3-4550-95DF-B6362A\18094883-81BF-43A2-9445-344ED7
Adware:Adware/Maxifiles No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\0681AFB3-AEE3-4550-95DF-B6362A\566F0132-291C-4F31-B11D-447D72
Adware:Adware/Maxifiles No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\0681AFB3-AEE3-4550-95DF-B6362A\A08F5E14-4110-46AD-93D0-BC5E4E
Adware:Adware/WUpd No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\886FF516-F0B1-4C83-B183-6C17D9\4983B341-4349-4AEC-B5B4-CD1F99
Spyware:Spyware/Media-motor No disinfected D:\Program Files\Microsoft AntiSpyware\DeactivatedItems\30E540CE-7904-4976-B682-3094E9.asq
* * * * * HijackThis Report * * * * *

Logfile of HijackThis v1.99.1
Scan saved at 7:00:49 PM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\War-ftpd\war-ftpd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\PROGRA~1\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\PROGRA~1\POP-UP~1\PSFREE.EXE
C:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\SnagIt\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [updateMgr] D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_3
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.or...terisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106450362857
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcSandraSrv.exe
O23 - Service: WARSVR - Unknown owner - D:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)
Old 10-20-2005, 06:28 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried
 
Join Date: Jan 2005
Location: Ohio
Posts: 23,958
OS: WinXP and Vista


Hello cee,

Reboot into Safe Mode. (tapping F8 or F5)

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

joystick networks

Delete the following Folders:

C:\PROGRAM FILES\joystick networks
C:\PROGRAM FILES\COMMON FILES\InetGet

Clear your Temporary Internet Files: Go to Start > Run and type cleanmgr in the box. Let it scan your system for files to remove. Make sure Temporary Internet Files is 'checked' and click OK.

Empty your Microsoft AntiSpyware Quarantine Folder

Special Note:
Microsoft AntiSpyware Program:
Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted. We recommend you uninstall it.

Run Panda one more time and post it here please.
Old 10-21-2005, 03:51 AM   #7 (permalink)
cee
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: Win XP Pro


Thanks Ried! Here's the ActiveScan followed by HijackThis reports:

* * * * * ActiveScan Report * * * * *

Incident Status Location

Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Spyware:spyware/media-motor No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\CLSID\{A9571378-68A1-443D-B082-284F960C6D17}
Spyware:spyware/cws.olehelp No disinfected Windows Registry
Possible Virus. No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\CXABCX2V\PIC00010[1].com
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[cwebpage.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\3UG2833D\init[1].js
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\0XIB45IF\bannerads[1].htm
Possible Virus. No disinfected C:\Documents and Settings\sam\Local Settings\Temporary Internet Files\Content.IE5\OHI5ORY7\picture00048[1].com
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059911.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059912.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059913.exe
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059914.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059917.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059918.dll
Adware:Adware/Prositefinder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP156\A0059920.exe
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP157\A0059989.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060078.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061525.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061525.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP162\A0061529.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061622.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061622.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP165\A0061623.dll
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061715.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061715.dll[cwebpage.dll]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061717.DLL
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061724.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP168\A0061725.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062292.dll
Adware:Adware/ImGiant No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062364.exe
Adware:Adware/Transponder No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062365.exe
Spyware:Spyware/Media-motor No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062366.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062367.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP171\A0062367.dll[cwebpage.dll]

* * * * * HijackThis Report * * * * *

Logfile of HijackThis v1.99.1
Scan saved at 6:47:25 AM, on 10/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\War-ftpd\war-ftpd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - D:\Program Files\SnagIt\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\POP-UP~1\PSFREE.EXE"
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://easyaccess.trinity-health.or...terisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1106450362857
O16 - DPF: {819EDD4C-7EB6-4D97-B831-D68B57E7D3ED} (Wyncs Control) - http://www.highschoolsports.net/Wyncs.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7214DB88-F77D-434D-AD3F-685A427DC728}: NameServer = 68.87.64.196
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\STARDOCK\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\Sandra Lite\RpcSandraSrv.exe
O23 - Service: WARSVR - Unknown owner - D:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)
Old 10-21-2005, 04:13 AM   #8 (permalink)
General Manager (Administrator)
 
Horse
 
Join Date: Oct 2003
Location: Durban South Africa
Posts: 4,214
OS: WIN XP PRO

Hi Cee

Your log's pretty good now. May be an idea to run a cleaner once more.

Please download Cleanup! or use this (Alternate Link) if the main link does not work and install it.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following :
  • Scan local drives for temporary files

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will need to use another utility.

Click OK, Press the CleanUp! button to start the program and reboot your system in Normal Mode when prompted.
_________________________________________________

Once you have rebooted:-

To turn off System Restore, do the following

  • Click Start
  • Right Click My Computer
  • Click Properties.
  • Click the System Restore tab
  • Check "Turn off System Restore" or "Turn off System Restore on all drives"
  • Click Apply.
  • OK

When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.
_________________________________________________

Reboot your system.
_________________________________________________


To turn on System Restore, do the following

  • Click Start
  • Right Click My Computer
  • Click Properties.
  • Click the System Restore tab
  • Uncheck "Turn off System Restore" or "Turn off System Restore on all drives".
  • Click Apply.
  • OK
_________________________________________________

To Rehide System Files, Do the following:-
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.
_________________________________________________

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Failing to do so makes you susceptible to attacks by trojans and viruses. Please go to Microsoft and download and install all the critical updates to help prevent possible re-infection.
_________________________________________________

This is a good time to set up protection against further attacks. Read How Did I Get Infected In The First Place?. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. IE-Spyad is another excellent program that places over 4000 websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. All of the above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. The programs below serve as excellent protection and cleaners for your system.

More information and downloads are available at the following links:

Spyware Blaster

Spyware Guard
IE-Spyad
Winpatrol
CleanUp
Google Toolbar
MVPS Hosts file

_________________________________________________

Please respond to this thread one more time so we can mark this thread as resolved.
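As an added example (not part of the thread and not a tool anyone in it used), the Python below groups ActiveScan report lines by where each detection lives, showing which entries the steps in posts #6 and #8 (clear Temporary Internet Files, empty the quarantine, cycle System Restore) account for and which remain for manual review. The bucket and function names are assumptions made for this example; the sample lines are copied from the reports posted above.

```python
import re
from collections import defaultdict

# Lines copied from the ActiveScan reports posted in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\Windows
Spyware:spyware/media-motor No disinfected Windows Registry
Dialer:dialer generic No disinfected HKEY_CLASSES_ROOT\CLSID\{A9571378-68A1-443D-B082-284F960C6D17}
Possible Virus. No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\CXABCX2V\PIC00010[1].com
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Documents and Settings\eric\Local Settings\Temporary Internet Files\Content.IE5\IF6HY78F\maxifilesdns[1].zip[cwebpage.dll]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Emily\Local Settings\Temporary Internet Files\Content.IE5\3UG2833D\init[1].js
Adware:Adware/WUpd No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP157\A0059989.exe
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\System Volume Information\_restore{E7A9DF2A-304A-435D-B843-70EA21DECFE5}\RP159\A0060076.dll[cwebpage.dll]
Adware:Adware/WUpd No disinfected D:\Program Files\Microsoft AntiSpyware\Quarantine\886FF516-F0B1-4C83-B183-6C17D9\4983B341-4349-4AEC-B5B4-CD1F99
"""

# Only the status string that appears in the thread's reports is recognised.
LINE_RE = re.compile(r"^(?P<incident>.+?)\s+No disinfected\s+(?P<location>.+)$")
# A trailing [name] marks a member inside a container file; a [1] in the middle
# of a cached file name (PIC00010[1].com) must not be mistaken for one.
MEMBER_RE = re.compile(r"^(?P<container>.+)\[(?P<member>[^\[\]]+)\]$")
PROFILE_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.I)

# First matching rule wins; anything unmatched is treated as a live file.
RULES = [
    ("system_restore", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("ie_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
    # Assumption: both folders are the scanner's own storage of removed items.
    ("antispyware_store",
     re.compile(r"\\Microsoft AntiSpyware\\(Quarantine|DeactivatedItems)\\", re.I)),
    ("registry", re.compile(r"^(Windows Registry$|HKEY_)", re.I)),
]

REMEDIATION = {
    "system_restore": "Turn System Restore off, reboot, turn it back on (post #8)",
    "ie_cache": "Clear Temporary Internet Files (post #6)",
    "antispyware_store": "Empty the Microsoft AntiSpyware quarantine (post #6)",
    "registry": "Manual review: live registry entry",
    "live_filesystem": "Manual review: file outside any cache or backup store",
}


def classify(location):
    """Return the bucket name for a report location string."""
    for name, pattern in RULES:
        if pattern.search(location):
            return name
    return "live_filesystem"


def parse_line(line):
    """Parse one report line; return None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    location = m["location"]
    mm = MEMBER_RE.match(location)
    container, member = (mm["container"], mm["member"]) if mm else (location, None)
    return {"incident": m["incident"], "container": container,
            "member": member, "bucket": classify(location)}


def triage(report):
    """Group every parsed finding in the report text by bucket."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        finding = parse_line(line)
        if finding:
            buckets[finding["bucket"]].append(finding)
    return dict(buckets)


def summarize(buckets):
    """Map bucket -> (findings, distinct files, suggested action)."""
    return {name: (len(items), len({f["container"] for f in items}), REMEDIATION[name])
            for name, items in buckets.items()}


def cache_profiles(buckets):
    """User profiles whose browser cache holds detections (the cache is per profile)."""
    hits = (PROFILE_RE.search(f["container"]) for f in buckets.get("ie_cache", []))
    return sorted({h.group(1) for h in hits if h})


def manual_review(buckets):
    """Findings that no cache, quarantine or restore-point cleanup will remove."""
    return buckets.get("registry", []) + buckets.get("live_filesystem", [])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, (count, files, action) in summarize(result).items():
        print(f"{name:18} {count:2} findings in {files:2} files -> {action}")
    print("profiles with cached detections:", cache_profiles(result))
```

Two findings that share a container (the `[gui.exe]` and `[cwebpage.dll]` members) are counted as one file, so the per-bucket file count is the number of objects that actually have to disappear from disk.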
Old 10-21-2005, 09:29 AM   #9 (permalink)
cee
Registered User
 
Join Date: Oct 2005
Posts: 5
OS: Win XP Pro


Horse and Ried,

Thanks very much for taking the time to help me out. I really appreciate it. I ran CleanUp and am in the process of updating my protection.

Thanks again!
All times are GMT -7.



Copyright 2001 - 2009, Tech Support Forum