Adware, spyware, etc. on Windows XP

tingalls · 02-22-2006, 06:02 PM

As I've been inundated with popups and spyware, mostly labled "Search the Web", I've completed steps 1-5 as advised, and run hijack this. The log follows. Hoping for some help with cleansing/immunizing my computer for good and multiple attempts to clean it work only temporarily. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 8:01:02 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=userinit.exe
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

sUBs · 02-22-2006, 06:34 PM

Please download & run VundoFix.exe

Put a check next to Run VundoFix as a task.
Click OK when you will receive a message saying vundofix will close and re-open in a minute or less.
When VundoFix re-opens, click the Scan button followed by the Remove button
** Your desktop will go blank as it starts removing Vundo. **
Restart your computer & post the contents of C:\vundofix.txt and a new HiJackThis log.

tingalls · 02-22-2006, 06:52 PM

Done.

VundoFix V4.2.26
Scan started at 8:37:11 PM 2/22/2006

Listing files found while scanning....

No infected files were found.

VundoFix V4.2.26
Scan started at 8:45:05 PM 2/22/2006

Listing files found while scanning....

No infected files were found.

And the new hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:51:47 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
F2 - REG:system.ini: UserInit=userinit.exe
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...03/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

sUBs · 02-22-2006, 07:07 PM

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

You do not appear to have an antivirus program installed. Please download AVG Antivirus and update it's virus definitions. Also ensure that it's real time scanning engine is enabled

Download & install CleanUp.exe (not recommended for WinXP64)

Download and install Ewido Security Suite

When installing, under "Additional Options",
- uncheck - Install background guard
Have Ewido update itself & then exit the program.

If you are having problems with the updater, you can use this link to manually update Ewido

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

HijackThis is able to create backups whenever if fixes any entry. These are stored in a subfolder called backups. As such, we advise against placing the program in any temporary folders. Please create a new directory, C:\Program Files\HijackThis\, and re-locate the program & it's associate files there.

Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *

Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:

Privacy Champion

Please note any other programs that you dont recognize in that list in your next response

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\WINDOWS\pxwma.dll
C:\Program Files\Privacy Champion\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

Have AVG do a full system scan & allow it to disinfect all that it finds

* * * * *

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files

With the first file it prompts to clean, select the option:

"Perform action on all infections"
.Choose clean and click OK.

Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.

* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis log

Online Scan

Ewido

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

tingalls · 02-24-2006, 03:24 AM

Completed steps and logs posted below. C:\WINDOWS\pxwma.dll
C:\Program Files\Privacy Champion\ files were not there and so could not delete them.

Logfile of HijackThis v1.99.1
Scan saved at 5:22:31 AM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...03/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, February 23, 2006 21:43:53
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 24/02/2006
Kaspersky Anti-Virus database records: 178275
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62261
Number of viruses found: 22
Number of infected objects: 68
Number of suspicious objects: 0
Duration of the scan process: 6209 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUClockSync3.zip/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ay
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WhenUClockSync3.zip Infected: not-a-virus:AdWare.Win32.SaveNow.ay
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\A0069397.dll.bac_a03340 Infected: not-a-virus:AdWare.Win32.SafeSurfing.c
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\auf0.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.al
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\cxtpls_loader.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.Apropos.b
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\dhclv.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Agent.ed
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\dintls.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.ac
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\dsaxtray.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Agent.ed
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\dskhz.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.ac
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\ftsit.exe.bac_a03340 Infected: Virus.Win32.Porad.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\fxdacmgr.exe.bac_a03340 Infected: Virus.Win32.Porad.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\grpmsp.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Agent.ed
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\halcd.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.ac
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\II22.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\Installer2.exe.bac_a03340 Infected: Trojan-Dropper.Win32.Delf.z
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\javainstaller.jar-5aa0b436-3d6d7915.zip.bac_a03340/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\javainstaller.jar-5aa0b436-3d6d7915.zip.bac_a03340 Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\msg7.tmp10907754864950.exe.bac_a03340/data0002 Infected: not-a-virus:AdWare.Win32.Ilookup.b
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\msg7.tmp10907754864950.exe.bac_a03340/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\msg7.tmp10907754864950.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\msg8.tmp10912948297465.exe.bac_a03340/data0002 Infected: not-a-virus:AdWare.Win32.Ilookup.b
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\msg8.tmp10912948297465.exe.bac_a03340/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\msg8.tmp10912948297465.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\reg6523.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.Beginto.a
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\soldle.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Agent.ed
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\spitcli.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.ac
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\thin-116-1-x-x.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\UnstSA2.exe.bac_a03340 Infected: Trojan-Dropper.Win32.Delf.z
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\whenu.exe.bac_a03340/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ay
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\whenu.exe.bac_a03340 Infected: not-a-virus:AdWare.Win32.SaveNow.ay
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\wmpdde.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Agent.ed
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\wrikcomm.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.ac
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\{06762C7E-2EDE-4953-84F9-983EC0CEB4BC}.exe.bac_a03340/{06762C7E-2EDE-4953-84F9-983EC0CEB4BC}.exe Infected: Trojan-Downloader.Win32.Apropo.u
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\{06762C7E-2EDE-4953-84F9-983EC0CEB4BC}.exe.bac_a03340 Infected: Trojan-Downloader.Win32.Apropo.u
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\{0869915B-6CD3-4054-92F4-6C06C8FB1C06}.cab.bac_a03340/{0869915B-6CD3-4054-92F4-6C06C8FB1C06}.cab/AltnetUninstall.exe Infected: not-a-virus:AdWare.Win32.Altnet.b
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\{0869915B-6CD3-4054-92F4-6C06C8FB1C06}.cab.bac_a03340/{0869915B-6CD3-4054-92F4-6C06C8FB1C06}.cab Infected: not-a-virus:AdWare.Win32.Altnet.b
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\{0869915B-6CD3-4054-92F4-6C06C8FB1C06}.cab.bac_a03340 Infected: not-a-virus:AdWare.Win32.Altnet.b
C:\Documents and Settings\Thomas Ingalls\Desktop\Personal Folders\Jenn-Bell\Azureus_2.3.0.4_Win32.setup.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Webdir.b
C:\Documents and Settings\Thomas Ingalls\Desktop\Personal Folders\Jenn-Bell\Azureus_2.3.0.4_Win32.setup.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b
C:\Documents and Settings\Thomas Ingalls\Desktop\Personal Folders\Jenn-Bell\Azureus_2.3.0.4_Win32.setup.exe Infected: not-a-virus:AdWare.Win32.Webdir.b
C:\Documents and Settings\Thomas Ingalls\My Documents\Azureus_2.3.0.4_Win32.setup.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Webdir.b
C:\Documents and Settings\Thomas Ingalls\My Documents\Azureus_2.3.0.4_Win32.setup.exe/stream Infected: not-a-virus:AdWare.Win32.Webdir.b
C:\Documents and Settings\Thomas Ingalls\My Documents\Azureus_2.3.0.4_Win32.setup.exe Infected: not-a-virus:AdWare.Win32.Webdir.b
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{880FCCCC-13FC-4788-B5F8-45488F1F352F}\{EF3B9084-22AE-4953-AEE2-E9F2EE6E2F36}.fr0361/{EF3B9084-22AE-4953-AEE2-E9F2EE6E2F36}.fr0361 Infected: Trojan.Win32.Crypt.t
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{880FCCCC-13FC-4788-B5F8-45488F1F352F}\{EF3B9084-22AE-4953-AEE2-E9F2EE6E2F36}.fr0361 Infected: Trojan.Win32.Crypt.t
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{2A014612-5EAC-4ADA-B4B6-6E21CAEF33AC}.exe/{2A014612-5EAC-4ADA-B4B6-6E21CAEF33AC}.exe Infected: not-a-virus:AdWare.Win32.Altnet.p
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{2A014612-5EAC-4ADA-B4B6-6E21CAEF33AC}.exe Infected: not-a-virus:AdWare.Win32.Altnet.p
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{7A6D1DDA-B4EB-4EAA-885C-C4C22B01B050}.dll/{7A6D1DDA-B4EB-4EAA-885C-C4C22B01B050}.dll Infected: not-a-virus:AdWare.Win32.Altnet.a
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{7A6D1DDA-B4EB-4EAA-885C-C4C22B01B050}.dll Infected: not-a-virus:AdWare.Win32.Altnet.a
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{D5F16AD4-2B12-4B7E-BC24-7C658FD94021}.cab/{D5F16AD4-2B12-4B7E-BC24-7C658FD94021}.cab/Points Manager.exe Infected: not-a-virus:AdWare.Win32.Altnet.h
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{D5F16AD4-2B12-4B7E-BC24-7C658FD94021}.cab/{D5F16AD4-2B12-4B7E-BC24-7C658FD94021}.cab Infected: not-a-virus:AdWare.Win32.Altnet.h
C:\Program Files\iolo\System Mechanic 5\Undo\Manual\{B24A8FF8-1442-40FA-9C45-4D13120FFC87}\{D5F16AD4-2B12-4B7E-BC24-7C658FD94021}.cab Infected: not-a-virus:AdWare.Win32.Altnet.h
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP581\A0069401.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0069628.exe Infected: Virus.Win32.Porad.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0069632.exe Infected: Virus.Win32.Porad.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0069740.dll Infected: not-a-virus:AdWare.Win32.SafeSurfing.c
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070788.dll/{23BE608E-55A8-49BB-8895-A0B3FB429F5E}.dll Infected: not-a-virus:AdWare.Win32.Altnet.j
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070788.dll Infected: not-a-virus:AdWare.Win32.Altnet.j
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070789.exe/{417C0B46-A9ED-42BB-A7AC-22E207B57809}.exe Infected: not-a-virus:AdWare.Win32.Altnet.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070789.exe Infected: not-a-virus:AdWare.Win32.Altnet.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070790.dll/{44C7C55D-6D13-468A-88EC-177D3B65224E}.dll Infected: not-a-virus:AdWare.Win32.Altnet.i
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070790.dll Infected: not-a-virus:AdWare.Win32.Altnet.i
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070791.dll/{D8796504-886B-4DB1-9FAA-9DA39FD13160}.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070791.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3039
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070792.dll/{F4B75220-3BD9-4379-811E-5D3E53BB7DA8}.dll Infected: not-a-virus:AdWare.Win32.Altnet.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070792.dll Infected: not-a-virus:AdWare.Win32.Altnet.a
C:\WINDOWS\SYSTEM32\tcprcp.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\SYSTEM32\uspntdll.dll Infected: Trojan.Win32.Crypt.t

Scan process completed.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:16:50 AM, 2/24/2006
+ Report-Checksum: 759C347C

+ Scan result:

:mozilla.25:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Firefox\Profiles\default.nuk\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Thomas Ingalls\Cookies\thomas ingalls@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Thomas Ingalls\Cookies\thomas ingalls@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Thomas Ingalls\Cookies\thomas ingalls@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Thomas Ingalls\Cookies\thomas ingalls@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Thomas Ingalls\Cookies\thomas ingalls@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Thomas Ingalls\Cookies\thomas ingalls@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070788.dll/{23BE608E-55A8-49BB-8895-A0B3FB429F5E}.dll -> Adware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070789.exe/{417C0B46-A9ED-42BB-A7AC-22E207B57809}.exe -> Adware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070790.dll/{44C7C55D-6D13-468A-88EC-177D3B65224E}.dll -> Adware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070791.dll/{D8796504-886B-4DB1-9FAA-9DA39FD13160}.dll -> Adware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0070792.dll/{F4B75220-3BD9-4379-811E-5D3E53BB7DA8}.dll -> Adware.Altnet : Cleaned with backup

::Report End

sUBs · 02-24-2006, 08:56 AM

Please read this post completely before begining the fix.

Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1
Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain

Please download AproposFix.exe - but do NOT run it yet.

* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.

* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.

Tick - 'Show hidden files and folder'
Untick - 'Hide file extensions for known types'
Untick - 'Hide protected operating system files'
Click Yes to confirm & then click OK

Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\Documents and Settings\Thomas Ingalls\Desktop\Personal Folders\Jenn-Bell\Azureus_2.3.0.4_Win32.setup.exe
C:\WINDOWS\SYSTEM32\tcprcp.dll
C:\WINDOWS\SYSTEM32\uspntdll.dll

Delete the contents of this folder, leaving it empty:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.

* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *

Double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, it woud create log.txt file in the aproposfix folder.

Reboot to Normal Mode & post the AproposFix log along with a fresh HJT log. Let me know how the machine is behaving now.

tingalls · 02-24-2006, 04:43 PM

Done. Found and deleted all of the indicated files and emptied the housecall and spybot folders. Nothing's popped up yet in the minute or so since rebooting in normal mode which has not been the case. Here are the logs. Am I clean?

Logfile of HijackThis v1.99.1
Scan saved at 6:39:30 PM, on 2/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe"
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab
O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...03/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Thomas Ingalls\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CvXl8AH4eX35]
@="u0GGcDDOPPOPPQPG20tuxrOPPOeRPykpfqyuPGMGH2AVUP1F6J2FGPKA6FL1.JQGMG"
"Device"="\\\\.\\secRSVP"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\wmirxdav.sys"
"DriverName"="ScssApp"
"HideUninstallerName"="C:\\Program Files\\Ipofiles\\traauthz.exe"
"HDll"="C:\\WINDOWS\\system32\\inisesrv.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"
"PartnerId"="WB.OLD"
"InstallationId"="{H476504a-28d4-2b27-4f73-170b3c1c9c6b}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Ipofiles\\msrtstat.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\skel_mtf.exe"
"Version"="2.0.131"
"LastAURestoreMsgTS"="2006:02:24-22:40:59:375"

************

Removing hidden service:
Service ScssApp removed.

Removing hidden folder:

sUBs · 02-24-2006, 08:22 PM

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
- Tick on the checkbox - Turn off System Restore on all drives
- Click Apply
Turn it back 'On' by unticking the same checkbox & click OK
DISABLE THE VIEWING OF SYSTEM FILES
From Windows Explorer, go to Tools>Folder Options> View tab.
- Untick - Show hidden files and folder
- Tick - Hide file extensions for known types
- Tick - Hide protected operating system files
Click Yes to confirm & then click OK
SECURING INTERNET EXPLORER
From within Internet Explorer click on the Tools menu and then click on Internet Options.
- Select the Security tab
  - Click once on the Internet icon so it becomes highlighted.
  - Select Custom Level .
    - Change 'Download signed ActiveX controls' to Prompt
    - Change 'Download unsigned ActiveX controls' to Disable
    - Change 'Initialize and script ActiveX controls not marked as safe' to Disable
    - Change 'Installation of desktop items' to Prompt
    - Change 'Launching programs and files in an IFRAME' to Prompt
    - Change 'Navigate sub-frames across different domains' to Prompt
    - When all these changes have been made, click on the OK button.
  - If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Select OK to exit the Internet Properties page.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
FIREWALL
Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
Microsoft Windows Update
Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SPYBOT - SEARCH & DESTROY
Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
AD-AWARE
Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Google Toolbar - Get the free google toolbar to help stop pop up windows.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
Winpatrol - Download and install the free version of Winpatrol.
A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

tingalls · 02-25-2006, 04:32 AM

You can mark as resolved. Very much appreciate your help.

02-22-2006, 06:02 PM	#1 (permalink)
tingalls Registered User Join Date: Feb 2006 Posts: 5 OS: XP	Adware, spyware, etc. on Windows XP As I've been inundated with popups and spyware, mostly labled "Search the Web", I've completed steps 1-5 as advised, and run hijack this. The log follows. Hoping for some help with cleansing/immunizing my computer for good and multiple attempts to clean it work only temporarily. Thanks in advance. Logfile of HijackThis v1.99.1 Scan saved at 8:01:02 PM, on 2/22/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Dell Support\DSAgnt.exe C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet F2 - REG:system.ini: UserInit=userinit.exe N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js) N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...99/mcfscan.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

02-22-2006, 06:34 PM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,421 OS: N/A	Please download & run VundoFix.exe Put a check next to Run VundoFix as a task. Click OK when you will receive a message saying vundofix will close and re-open in a minute or less. When VundoFix re-opens, click the Scan button followed by the Remove button Your desktop will go blank as it starts removing Vundo. Restart your computer & post the contents of C:\vundofix.txt and a new HiJackThis log. __________________ Question - what have you done for the community today?

02-22-2006, 07:07 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,421 OS: N/A	Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * You do not appear to have an antivirus program installed. Please download AVG Antivirus and update it's virus definitions. Also ensure that it's real time scanning engine is enabled Download & install CleanUp.exe (not recommended for WinXP64) Download and install Ewido Security Suite When installing, under "Additional Options", uncheck - Install background guard Have Ewido update itself & then exit the program. If you are having problems with the updater, you can use this link to manually update Ewido 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * HijackThis is able to create backups whenever if fixes any entry. These are stored in a subfolder called backups. As such, we advise against placing the program in any temporary folders. Please create a new directory, C:\Program Files\HijackThis\, and re-locate the program & it's associate files there. Do a HijackThis scan & place a check next to these items and select "Fix checked": R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F2 - REG:system.ini: UserInit=userinit.exe O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * * Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs: Privacy Champion Please note any other programs that you dont recognize in that list in your next response * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools -> Folder Options -> View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\WINDOWS\pxwma.dll C:\Program Files\Privacy Champion\ * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. 6. Do NOT reboot/logoff if prompted. * CleanUp! will not create any backups!! * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Have AVG do a full system scan & allow it to disinfect all that it finds * * * * * Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click Complete System Scan to begin scanning. Click OK when prompted to clean files With the first file it prompts to clean, select the option: "Perform action on all infections" .Choose clean and click OK. Once finished, click the Save report button & save the report to your desktop ** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete. * * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * * Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis log Online Scan Ewido Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today?

02-24-2006, 08:56 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,421 OS: N/A	Please read this post completely before begining the fix. Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards. SpywareBlaster 3.5.1 Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items IE-SpyAD - Extract the contents to a new folder From within the folder, double-click install.bat Select Option #2 - Install the new IE-SPYAD list. Then return to the main menu. Select option #4 - Add the old porn sites domain Please download AproposFix.exe - but do NOT run it yet. * * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * * 1. Restart your computer 2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8. 3. Instead of Windows loading as normal, a menu should appear 4. Select the option to run Windows in Safe Mode. * * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * * If you have not done so already, please enable the viewing of Hidden files From Windows Explorer, go to Tools -> Folder Options -> View tab. Tick - 'Show hidden files and folder' Untick - 'Hide file extensions for known types' Untick - 'Hide protected operating system files' Click Yes to confirm & then click OK Locate and delete the following files/folders: (let me know if you fail to find/delete any) C:\Documents and Settings\Thomas Ingalls\Desktop\Personal Folders\Jenn-Bell\Azureus_2.3.0.4_Win32.setup.exe C:\WINDOWS\SYSTEM32\tcprcp.dll C:\WINDOWS\SYSTEM32\uspntdll.dll Delete the contents of this folder, leaving it empty: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ C:\Documents and Settings\Thomas Ingalls\.housecall\Quarantine\ * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. * * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * * Double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts. When the tool is finished, it woud create log.txt file in the aproposfix folder. Reboot to Normal Mode & post the AproposFix log along with a fresh HJT log. Let me know how the machine is behaving now. __________________ Question - what have you done for the community today?

02-24-2006, 08:22 PM	#8 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,421 OS: N/A	Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure: CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder) Go to Start >> Run - type control sysdm.cpl,,4 & press Enter Tick on the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK DISABLE THE VIEWING OF SYSTEM FILES From Windows Explorer, go to Tools>Folder Options> View tab. Untick - Show hidden files and folder Tick - Hide file extensions for known types Tick - Hide protected operating system files Click Yes to confirm & then click OK SECURING INTERNET EXPLORER From within Internet Explorer click on the Tools menu and then click on Internet Options. Select the Security tab Click once on the Internet icon so it becomes highlighted. Select Custom Level . Change 'Download signed ActiveX controls' to Prompt Change 'Download unsigned ActiveX controls' to Disable Change 'Initialize and script ActiveX controls not marked as safe' to Disable Change 'Installation of desktop items' to Prompt Change 'Launching programs and files in an IFRAME' to Prompt Change 'Navigate sub-frames across different domains' to Prompt When all these changes have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button. Select OK to exit the Internet Properties page. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. FIREWALL Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here. Microsoft Windows Update Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SPYBOT - SEARCH & DESTROY Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here AD-AWARE Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. Sun's Java - It's much more secure than Microsoft's Java Virtual Machine. Google Toolbar - Get the free google toolbar to help stop pop up windows. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders. ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein After doing all these, your system will be optimised against future threats. It's okay to delete the Hijack This folder in a couple weeks if everything is working okay. Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

02-22-2006, 06:52 PM	#3 (permalink)
tingalls Registered User Join Date: Feb 2006 Posts: 5 OS: XP	Done. VundoFix V4.2.26 Scan started at 8:37:11 PM 2/22/2006 Listing files found while scanning.... No infected files were found. VundoFix V4.2.26 Scan started at 8:45:05 PM 2/22/2006 Listing files found while scanning.... No infected files were found. And the new hijackthis log Logfile of HijackThis v1.99.1 Scan saved at 8:51:47 PM, on 2/22/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Windows NT\Accessories\WORDPAD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\DOCUME~1\THOMAS~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet F2 - REG:system.ini: UserInit=userinit.exe N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js) N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/12...v6/brix6ie.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...03/mcfscan.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

02-24-2006, 04:43 PM	#7 (permalink)
tingalls Registered User Join Date: Feb 2006 Posts: 5 OS: XP	Done. Found and deleted all of the indicated files and emptied the housecall and spybot folders. Nothing's popped up yet in the minute or so since rebooting in normal mode which has not been the case. Here are the logs. Am I clean? Logfile of HijackThis v1.99.1 Scan saved at 6:39:30 PM, on 2/24/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Program Files\ewido anti-malware\ewidoctrl.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\hkcmd.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Microsoft IntelliPoint\point32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe C:\HijackThis.exe C:\Program Files\Mozilla Firefox\firefox.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.mozilla.org/start/"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js) N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Thomas Ingalls\Application Data\Mozilla\Profiles\default\mbldy99r.slt\prefs.js) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [mswspl] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 5\PopupStopper.exe" O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - https://iuware-web001.uits.indiana.e...t/iftwclix.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_5/controls/ybrequest.cab O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB O16 - DPF: {72133CC5-DE1E-42FE-B8B0-93D2C6C3472E} (FillerX Class) - http://www.formatta.com/download/pffloader.cab O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/controls/YBUICtrl.cab O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/A...ler/dwnldr.cab O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...trol_v1-32.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...03/mcfscan.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE Log of AproposFix v1.1 ********** Running from directory: C:\Documents and Settings\Thomas Ingalls\Desktop\aproposfix ******** Registry entries found: [HKEY_LOCAL_MACHINE\Software\CvXl8AH4eX35] @="u0GGcDDOPPOPPQPG20tuxrOPPOeRPykpfqyuPGMGH2AVUP1F6J2FGPKA6FL1.JQGMG" "Device"="\\\\.\\secRSVP" "DriverPath"="C:\\WINDOWS\\system32\\drivers\\wmirxdav.sys" "DriverName"="ScssApp" "HideUninstallerName"="C:\\Program Files\\Ipofiles\\traauthz.exe" "HDll"="C:\\WINDOWS\\system32\\inisesrv.dll" "ServerAddress"="adchannel.contextplus.net" "LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html" "PartnerId"="WB.OLD" "InstallationId"="{H476504a-28d4-2b27-4f73-170b3c1c9c6b}" "PageFiltering"=dword:00000001 "ClientName"="C:\\Program Files\\Ipofiles\\msrtstat.exe" "AutoUpdater"="C:\\WINDOWS\\system32\\skel_mtf.exe" "Version"="2.0.131" "LastAURestoreMsgTS"="2006:02:24-22:40:59:375" ********** Removing hidden service: Service ScssApp removed. Removing hidden folder:

02-25-2006, 04:32 AM	#9 (permalink)
tingalls Registered User Join Date: Feb 2006 Posts: 5 OS: XP	You can mark as resolved. Very much appreciate your help.