Old 04-01-2006, 02:21 PM   #1 (permalink)
Registered User
 
 
Join Date: Apr 2006
Posts: 16
OS: XP


Help downloading Ad-Aware SE Personal

I have been having the same problem as one of the other posters to this forum. I am getting the antivirus and winfixer popups as well. I ran Ad-Aware SE Personal, which I had downloaded a few weeks ago. Part way through the scan it crashed the computer. I thought the Ad-Aware SE Personal was corrupted maybe. So, when I rebooted the computer, I uninstalled it and tried to download it from the download.com site. It says it downloaded the software after I clicked on the download button, but I just got the "Did you know information bar" window popup. When I said OK, it said thank you for downloading the software; but the software is nowhere to be found on the desktop. Any ideas on what I should do? I also tried to download it several times with the same result. In addition, a popup occurred from an unwanted site after I clicked the next download attempt.


Old 04-01-2006, 07:26 PM   #2 (permalink)
T_Rex
Guest
 


I would go to the HiJackThis forum here. It sounds to me like you have some bad spyware on your PC.
 
Old 04-02-2006, 09:41 AM   #3 (permalink)
General Manager (Administrator)
 
 
Join Date: Oct 2003
Location: Durban South Africa
Posts: 4,297
OS: WIN XP PRO

Hi AMEI

Please create a folder at C:\HJT or another permanent location of your choice and download HijackThis to the folder you created. This program will help us determine if there is any malware on your computer.

Before going any further, follow the link in my signature to Microbell's 5 Step Process and carry out the instructions. Once you have completed the applicable steps -
  1. Double-click on the file you just downloaded.
  2. If it gives you an intro screen, Select - Do a system scan and save a logfile.
  3. If you don't get the intro screen, Press Scan and then click on Save log.
  4. Post the HiJackThis log file, including the header information, back into this thread.
_________________________________________________
__________________
Know where you're going in life.
You may already be there



Last edited by Horse; 04-02-2006 at 09:42 AM.
Old 04-02-2006, 03:24 PM   #4 (permalink)
Registered User
 
 
Join Date: Apr 2006
Posts: 16
OS: XP


Here is my Log in response to your request

Hi HORSE -

I ran Hijackthis scan and saved the following log as you requested.

Thanks!!

AMEI...
-----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:18:39 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\paprport\pptd40nt.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...l4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Searchalot.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-gbg.global.lmco.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: EH Reminder.lnk = C:\Program Files\EH Reminder\EH.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Notify Check.lnk = C:\Program Files\Lewe\NotifyPlus\Notify.exe
O4 - Global Startup: Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe
O4 - Global Startup: Wallpaper Changer.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

AMEI....
Old 04-03-2006, 10:22 AM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Hello AMEI,

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

Also disable Spybot TeaTimer:
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.

********************************

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt

---------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

---------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

---------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint
Viewpoint Manager


---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...l4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Searchalot.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: WTLHelper Object - {6D33B121-5C4C-4450-9D1F-7B67085CC199} - C:\WINDOWS\system32\vtstu.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll


Click 'Fix Checked' and close HijackThis.

---------------------------

Delete the following Folder if it still exists.

C:\Program Files\Viewpoint

---------------------------

Reboot into Normal Mode.

---------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *Ensure that your pop up blocker doesn't block it.
  2. Enter your e-mail address, country, and state & click Scan Now. It begins downloading Panda's 8 MB ActiveX controls.
**A box may appear asking you for a Password, click 'Cancel'

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

In your next reply, please include the following:

vundofix.txt
Panda results
New HijackThis log


********************************

**While you are waiting for a review of these logs, update your Sun Java. The infection you have is known to exploit the vulnerability in your outdated version.

Updating Java and Clearing Cache
  1. Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
  2. It will say "Java Plug-in" under the icon.
  3. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
  4. Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
  5. If you are unable to update you can manually update by going here:
  6. After the reboot, go back into the Control Panel and double-click the Java Icon.
  7. Under Temporary Internet Files, click the Delete Files button.
  8. There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  9. Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  10. Click OK to leave the Java Control Panel.

After you have successfully downloaded and installed the update, please uninstall Java\j2re1.4.2 via the Add/Remove panel.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-03-2006, 04:11 PM   #6 (permalink)
Registered User
 
 
Join Date: Apr 2006
Posts: 16
OS: XP


But previous problem in safe mode may hang me up

Ried,

When I tried to get into safe mode last week I had a problem. When it gives me the login screen in safe mode, it will accept the login, but then I just get a black screen with the safe mode titles at the bottom. No way to navigate into My Computer or do anything else in safe mode. Because of this, someone said I might have to "repair" the operating system. If I run the OS disk to repair (the system was preloaded with Windows XP Home when I originally bought it over a year ago), I am afraid that it will wipe out all my files. Any advice to walk me through to see if safe mode will start properly or if I can avoid going into safe mode at all?

Thanks
AMEI
Old 04-03-2006, 04:44 PM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Hi AMEI,

Let's break this into stages, remove what we can and see if you regain functionality within Safe Mode.

Please copy this page to Notepad since you will not have any browsers open while you are carrying out these instructions. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.


Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.

Also disable Spybot TeaTimer:
  • Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
  • On the left hand side, Click on Tools
  • Then click on the Resident Icon in the List
  • Uncheck "Resident TeaTimer" and OK any prompts.
  • Restart your computer.

********************************

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt

-------------------------

Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *Ensure that your pop up blocker doesn't block it.
  2. Enter your e-mail address, country, and state & click Scan Now. It begins downloading Panda's 8 MB ActiveX controls.
**A box may appear asking you for a Password, click 'Cancel'

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

In your next reply, please include the following:

vundofix.txt
Panda results
New HijackThis log


********************************

**While you are waiting for a review of these logs, update your Sun Java. The infection you have is known to exploit the vulnerability in your outdated version.

Updating Java and Clearing Cache
  1. Go to Start > Control Panel and double-click on the Java Icon (coffee cup) in the Control Panel.
  2. It will say "Java Plug-in" under the icon.
  3. If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
  4. Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
  5. If you are unable to update you can manually update by going here:
  6. After the reboot, go back into the Control Panel and double-click the Java Icon.
  7. Under Temporary Internet Files, click the Delete Files button.
  8. There are three options in the window to clear the cache - Leave ALL 3 Checked
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  9. Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  10. Click OK to leave the Java Control Panel.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-03-2006, 08:08 PM   #8 (permalink)
Registered User
 
 
Join Date: Apr 2006
Posts: 16
OS: XP


Logs as you requested

Ried,

Here are the logs as you requested:
--------------------------------------
vundofix.txt

VundoFix V4.2.45

Checking Java version...

Scan started at 810 PM 4/3/2006

Listing files found while scanning....

C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.tmp

C:\WINDOWS\SYSTEM32\utstv.bak1
C:\WINDOWS\SYSTEM32\utstv.bak2
C:\WINDOWS\SYSTEM32\utstv.tmp
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\SYSTEM32\utstv.ini2
C:\WINDOWS\SYSTEM32\vtstu.dll
C:\WINDOWS\SYSTEM32\utstv.ini2
C:\WINDOWS\SYSTEM32\utstv.bak2
C:\WINDOWS\SYSTEM32\utstv.tmp
C:\WINDOWS\SYSTEM32\utstv.ini
C:\WINDOWS\SYSTEM32\utstv.ini2
C:\WINDOWS\SYSTEM32\vtstu.dll
Attempting to delete C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vtstu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\utstv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.bak2
C:\WINDOWS\system32\utstv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\utstv.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\utstv.tmp
C:\WINDOWS\system32\utstv.tmp Has been deleted!

Performing Repairs to the registry.
Done!
-------------------------------------------------------
Panda Results:

Incident Status Location

Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\SYSTEM32\mllml.dll
Spyware:spyware/marketscore Not disinfected C:\WINDOWS\SYSTEM32\rk.bin
Adware:adware/cws Not disinfected C:\Documents and Settings\Abe Meilich\Favorites\Health
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Abe Meilich\Cookies\abe meilich@adultfriendfinder[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Abe Meilich\Cookies\abe meilich@com[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Abe Meilich\Cookies\abe meilich@stats1.reliablestats[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[a.as-us.falkag.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.spywarestormer.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.hc2.humanclick.com/hc/18386044]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.com.com/]
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.target.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.atwola.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.did-it.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[18386044]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000326.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000395.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000400.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000402.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000924.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0001264.~]
Virus:W32/Bagle.BK.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Price.cpl]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Price.com]
Virus:W32/Bagle.BK.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[price.cpl]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[price.scr]
Virus:W32/Bagle.BK.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Joke.cpl]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Joke.com]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Price.scr]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Abe Meilich\Cookies\abe meilich@adultfriendfinder[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Abe Meilich\Cookies\abe meilich@com[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Abe Meilich\Cookies\abe meilich@stats1.reliablestats[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\mllml.dll
--------------------------------------------------------------------------

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:35 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\paprport\pptd40nt.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...l4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Searchalot.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-gbg.global.lmco.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: EH Reminder.lnk = C:\Program Files\EH Reminder\EH.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Notify Check.lnk = C:\Program Files\Lewe\NotifyPlus\Notify.exe
O4 - Global Startup: Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe
O4 - Global Startup: Wallpaper Changer.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
----------------------------------

Thanks for looking into this!

AMEI
04-03-2006, 09:38 PM   #9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Hi AMEI,

Copy these instructions to Notepad for reference as you will not have any browsers open.

We'll continue in Normal Mode. Please let me know of any problems you ran into while performing these steps.

Download KillBox (it's important that you get version v2.0.0.175)

Download CWShredder and run it. Click on 'I Agree' and check for updates. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

*****************************************************

**Disconnect from the internet.**

*****************************************************

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint
Viewpoint Manager


---------------------------

Run a scan in HijackThis. 'Check' each of the following if they still exist:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...l4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Searchalot.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe


Click 'Fix Checked' and close HijackThis.

---------------------------

Launch KillBox.exe & select the following options:
  • Delete on Reboot
  • All files (if available)

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\SYSTEM32\mllml.dll
C:\WINDOWS\SYSTEM32\rk.bin


Go to the File menu, and choose Paste from Clipboard
* Click on the dropdown menu next to the Full Path of File to Delete field.
* Verify that the filenames you pasted are found there.

Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click Yes at the 'Delete on Reboot' prompt. Click No at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, download and run missingfilesetup.exe. Then try Killbox again.

---------------------------

Delete the following folders:

C:\Documents and Settings\Abe Meilich\Favorites\Health
C:\Program Files\Viewpoint <-- Do NOT delete this folder yet if you were unable to Uninstall from Add/Remove

C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash <-- Empty the contents of this folder.

---------------------------

Clear Mozilla Firefox cookies:
Open the Mozilla browser (you do not need to be online to do this) and click Tools>Options>Privacy>Cookies>Clear.

Clear Internet Explorer Cookies:
Launch Internet Explorer>Tools>Internet Options>Delete Cookies

---------------------------

Reboot your system. Run another online scan at Panda and post the results here along with a new HijackThis log.

Try Safe Mode now. Are you able to navigate?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
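For the HijackThis review step in the post above, a small triage script, added here as an example (it is not HijackThis's code and not something either poster wrote): it parses each R/O log entry into its section code, kind, name, CLSID and target, then flags entries that match the items Ried asked to fix, orphaned "(no file)" registrations, and Run values that name a bare file. The sample lines are copied from AMEI's posted log; the indicator list and the flag heuristics are this example's own assumptions.

```python
"""Triage HijackThis v1.99.1 R/O entries: parse each line, flag the ones to review first.

Flag heuristics and the indicator list are this example's own, not HijackThis's.
"""
import re
from dataclasses import dataclass, field

# Indicators: the entries Ried asked AMEI to fix in this thread, plus the
# Virtumonde DLL named in the Panda report.  Matched case-insensitively.
INDICATORS = ("l4me.com/myway", "\\blank.htm", "searchalot", "viewpoint", "mllml.dll")

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<rest>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
DPF_NAME_RE = re.compile(r"^\((?P<name>.*?)\)\s*-\s*(?P<target>.*)$")


@dataclass
class Entry:
    code: str      # section code: R0, R1, O2, O4, O16, O23 ...
    kind: str      # registry key, "BHO", "Toolbar", "HKLM\..\Run", "Service" ...
    name: str      # display name or registry value name
    target: str    # file path, URL or value the entry points at
    clsid: str = ""
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for one R/O line, or None for headers and process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, rest = m.group("code"), m.group("rest")
    if code.startswith("R"):
        # R0/R1: "<registry key>,<value name> = <data>"
        key, _, data = rest.partition(" = ")
        reg_key, _, value_name = key.rpartition(",")
        return Entry(code, reg_key, value_name, data.strip())
    kind, _, payload = rest.partition(": ")
    if code == "O4" and payload.startswith("["):
        # O4 - HKLM\..\Run: [ValueName] command line
        name, _, target = payload[1:].partition("] ")
        return Entry(code, kind, name, target.strip())
    if " = " in payload:
        # O4 - Startup: Foo.lnk = C:\...
        name, _, target = payload.partition(" = ")
        return Entry(code, kind, name, target.strip())
    clsid_m = CLSID_RE.search(payload)
    if clsid_m:
        # O2/O3/O9: "Name - {CLSID} - path"     O16: "{CLSID} (Name) - URL"
        clsid = clsid_m.group(0)
        before, _, after = payload.partition(clsid)
        name, after = before.strip(" -"), after.strip(" -")
        dpf = DPF_NAME_RE.match(after)
        if dpf:
            name, after = dpf.group("name"), dpf.group("target")
        return Entry(code, kind, name, after, clsid)
    # O8/O20/O23: "Name - [Vendor - ]path"; O12 carries a bare path
    name, sep, target = payload.partition(" - ")
    if not sep:
        name, target = "", payload
    elif code == "O23":
        _vendor, _, target = target.partition(" - ")
    return Entry(code, kind, name, target.strip())


def triage(entry):
    """Attach review flags to an entry and return it."""
    haystack = f"{entry.name} {entry.target}".lower()
    if any(ind.lower() in haystack for ind in INDICATORS):
        entry.flags.append("matches an indicator from this thread")
    if entry.target == "(no file)":
        entry.flags.append("orphaned registration, file missing: leftover to clean up")
    if entry.code == "O4" and entry.kind.endswith("Run"):
        # A Run value naming only a file is resolved via the search path at logon.
        exe = entry.target.split('"')[1] if entry.target.startswith('"') else entry.target.split(" ")[0]
        if "\\" not in exe:
            entry.flags.append("bare filename in Run value: verify where it resolves")
    return entry


def triage_log(text):
    """Parse every entry in a log and return those that earned at least one flag."""
    flagged = []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is not None and triage(entry).flags:
            flagged.append(entry)
    return flagged


# Lines copied from the HijackThis log AMEI posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Link...l4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Searchalot.com
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
"""
```

Running `triage_log(SAMPLE_LOG)` returns the three hijacked IE values, the orphaned BHO, and both O4 entries, each with the reason it was flagged; entries with no flags are dropped.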
04-05-2006, 05:15 PM   #10
Registered User
Join Date: Apr 2006
Posts: 16
OS: XP


I think I have success??

Hi RIED!

Well, I have followed all your detailed instructions. Incidentally, I was able to get into safe mode!!! I ran Spybot and CWShredder in safe mode with no hits! Yeah! I also removed all the Thunderbird and Mozilla folders from my application area under Documents and Settings because I no longer use those programs at all. So that got rid of all the viruses and trojans coming up on the Panda scan (log shown below). I will try to run the Panda scan again tomorrow to ensure all is well.

I have attached the HijackThis log as well below.

I still cannot download the Ad-Aware SE Personal Edition. It does not give me an error message. It just says thank you for downloading Ad-Aware, but nothing is on my desktop. Any suggestions?

No more popups are showing up since I did everything on your last posting. What a relief!

--------------------------

Incident Status Location

Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[stat.onestat.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.servedby.advertising.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[a.as-us.falkag.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.www.myaffiliateprogram.com/]
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.spywarestormer.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.hc2.humanclick.com/hc/18386044]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.com.com/]
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.target.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.atwola.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[.did-it.com/]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[18386044]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Mozilla\Firefox\Profiles\z3fdqfc2.default\cookies.txt[]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000326.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000395.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000400.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000402.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0000924.~]
Virus:Trj/Citifraud.A Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[~0001264.~]
Virus:W32/Bagle.BK.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Price.cpl]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Price.com]
Virus:W32/Bagle.BK.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[price.cpl]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[price.scr]
Virus:W32/Bagle.BK.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Joke.cpl]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Joke.com]
Virus:W32/Bagle.BE.worm!CME-245 Not disinfected C:\Documents and Settings\Abe Meilich\Application Data\Thunderbird\Profiles\qooupc64.default\Mail\Local Folders\Trash[Price.scr]
---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:41:35 PM, on 4/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\paprport\pptd40nt.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-ffax.global.lmco.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy-gbg.global.lmco.com:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Iomega Automatic Backup 1.0.1] C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: EH Reminder.lnk = C:\Program Files\EH Reminder\EH.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Notify Check.lnk = C:\Program Files\Lewe\NotifyPlus\Notify.exe
O4 - Global Startup: Register.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\Register.exe
O4 - Global Startup: Wallpaper Changer.lnk = C:\Program Files\AzureBay\AzureBay Screen Saver\WPChanger.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by16fd.bay16.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/...16/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: IomegaAccess - Iomega Corporation - C:\WINDOWS\System32\IomegaAccess.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

------------------------
Thanks for your continuing help!!

AMEI
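The HijackThis log above is the kind of startup, browser-extension and service inventory that an analyst normally reads by hand. The Python below is an added example, not part of this thread or of HijackThis itself: it parses the O4, O9, O16 and O23 line formats and applies the usual first-pass heuristics (bare file names in Run keys, %variables% in paths, unquoted paths containing spaces, `(no file)` orphans, `= ?` shortcuts, ActiveX downloads with no descriptive name, services with no vendor or an odd location). The sample log is constructed from a handful of lines copied from the log above; the trusted-directory prefixes and the heuristics themselves are assumptions that prioritise what to look at, not a verdict on what is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis log format: a handful of lines copied from
# the log above (not the whole log), enough to exercise every branch below.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Notify Check.lnk = C:\Program Files\Lewe\NotifyPlus\Notify.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/...6/mcinsctl.cab
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe
"""

# Assumed "expected" install locations on a default XP box; anything else is
# worth a second look, not automatically bad.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<target>.*)$")
O_NOFILE = re.compile(r"^O(?P<sec>[239]) - .*\{(?P<clsid>[0-9A-Fa-f-]{36})\} - \(no file\)$")
O16_DPF = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    notes: List[str] = field(default_factory=list)


def executable(cmd: str) -> str:
    """Program part of a Run-key command line: the quoted string, else the
    shortest prefix ending in .exe, else the first space-separated token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log: str) -> List[Finding]:
    """Return the entries a first pass would want a human to look at."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := O4_RUN.match(line):
            exe = executable(m["cmd"])
            notes = []
            if "\\" not in exe:
                notes.append("bare file name: resolved through the search path, so the file that runs is not pinned down")
            elif exe.startswith("%"):
                notes.append("environment variable in path: expand it and verify the file")
            elif not exe.lower().startswith(TRUSTED_PREFIXES):
                notes.append("runs from outside Windows / Program Files")
            if not m["cmd"].startswith('"') and " " in exe:
                notes.append("unquoted path containing spaces")
            if notes:
                findings.append(Finding("O4", m["name"], exe, notes))
        elif m := O4_STARTUP.match(line):
            if m["target"].strip() == "?":
                findings.append(Finding("O4", m["name"], "?", ["shortcut target could not be resolved"]))
        elif m := O_NOFILE.match(line):
            findings.append(Finding("O" + m["sec"], m["clsid"], "(no file)", ["orphaned registry entry: no file on disk"]))
        elif m := O16_DPF.match(line):
            if not m["desc"]:
                findings.append(Finding("O16", m["clsid"], m["url"], ["ActiveX download with no descriptive name: check CLSID and host"]))
        elif m := O23_SVC.match(line):
            notes = []
            if m["vendor"].lower() == "unknown owner":
                notes.append("service binary carries no vendor information")
            if not m["path"].lower().startswith(TRUSTED_PREFIXES):
                notes.append("service runs from outside Windows / Program Files")
            if notes:
                findings.append(Finding("O23", m["name"], m["path"], notes))
    return findings


def report(findings: List[Finding]) -> str:
    """One line per finding, in log order."""
    return "\n".join(f"{f.section} [{f.name}] {f.target}: " + "; ".join(f.notes) for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the sample it reports the two bare-name Run entries, the %systemroot% entry, the unquoted TeaTimer path, the unresolved Image Transfer shortcut, the orphaned O9 button and the undescribed McAfee O16 download, and stays silent on entries that look like a stock Dell/XP install. Treat the output as a reading order for the log, and still check each flagged file on disk (publisher, size, date) before deciding anything.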
Old 04-05-2006, 10:24 PM   #11 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista

Hi AMEI,
Quote:
It just says thank you for downloading Ad-Aware but nothing is on my desktop? Any suggestions?
Please, do not take offense, but I have to ask... When you click on Download Now, a smaller box should appear asking if you want to Run or Save the file. When you click Save, another box will appear asking where you want to save it. Is 'Desktop' showing in the Save In box at the top?

Also, look to the top of the webpage, just below the address bar in IE. Is there a thin, pale yellow bar that says 'To help protect your security, Internet Explorer blocked this site from downloading files to your computer. Click here for options...'? If so, click on it and choose 'Download File'.

Any luck?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-06-2006, 03:31 PM   #12 (permalink)
AMEI (Registered User)
Join Date: Apr 2006
Posts: 16
OS: XP

Hi RIED!

OK. I did not take offense. Yes, the typical popup blocker would ask if I want to download the file. But in this case, it has acted differently than I have ever seen it act. When I click to download, a popup window asks the question "Did you notice the Information Bar?" In the past I have gone to the Information Bar and done a download. In this case, there was no Information Bar present. When I pressed OK on this popup, it said thank you for downloading. End of story. No file downloaded. I am perplexed, to say the least.

Thanks :)
AMEI
Old 04-06-2006, 06:08 PM   #13 (permalink)
AMEI (Registered User)
Join Date: Apr 2006
Posts: 16
OS: XP

One more thing

One more thing, I ran Panda scan again today (in normal mode) and found 3 more cookies that were identified as spyware. I manually removed them. What I did not remove was the following:

Incident                    Status            Location

Adware:adware/powerstrip    Not disinfected

What is this and what should I do with it?

Thanks,

AMEI
Old 04-07-2006, 07:44 AM   #14 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista

Hi AMEI,

This entry showing in Panda, Adware:adware/powerstrip Not disinfected, is a reference to an orphaned registry entry. Without a file associated, it will do no harm. It's better to leave it than to root around in the registry.

Back to AdAware-- I was able to recreate your scenario when I linked directly to their .exe download. I received the same as you, where I got a message that the download completed, yet nothing had happened.

Since I'm not sure how you linked to Download.com for AdAware, try using this link and see if you can download it successfully. It will appear to be the same page you've tried before, but try it again coming in this way.
Old 04-07-2006, 03:22 PM   #15 (permalink)
AMEI (Registered User)
Join Date: Apr 2006
Posts: 16
OS: XP

That did not work

Hi RIED,

That link gave me the same problem.

I investigated further on the download.com site. I was directed to:

http://www.download.com/3002-8022_4-...l?tag=pdp_prob

There I was directed to download from the software-files.download.com site (use their link which is really long). That worked for the download!!

Problem solved, albeit through the back door.
-------------------------------------
First of all, let me profusely thank you for your guidance. If it weren't for people like yourselves on this forum, we neophytes would be lost! Incidentally, I am an information systems engineer and even this is tough for me!

Last, are there general directions, exclusive of using HIJACKTHIS, that I as a watchful PC owner should practice using some of the programs you suggest? I guess I have to practice safe sex here on the Internet!

Thanks so much!!

AMEI

Last edited by AMEI; 04-07-2006 at 03:49 PM.
Old 04-07-2006, 03:49 PM   #16 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista

Hi,

Let's make sure IE's ActiveX settings will allow you to access the page properly:

Tools>Internet Options>Security tab

Ensure that the default level of Medium is in effect.

Also, on the Advanced tab, ensure that "Reuse windows for launching shortcuts" is checked.

Have you tried to download any other programs from other sites--as a test--or is it just the AdAware download that is giving you trouble?
Old 04-07-2006, 03:51 PM   #17 (permalink)
AMEI (Registered User)
Join Date: Apr 2006
Posts: 16
OS: XP

Hi RIED,

See my previous message. Didn't know you were online. I will also look at what you suggest.

Thanks!!
Old 04-07-2006, 03:53 PM   #18 (permalink)
AMEI (Registered User)
Join Date: Apr 2006
Posts: 16
OS: XP

Hi RIED,

I checked all the settings you mentioned and they were already set to the values you indicated.

AMEI
Old 04-07-2006, 04:02 PM   #19 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista

Hi AMEI,

LOL. I have all kinds of information for you to keep you a bit safer out there.

Let's take care of the finishing touches and I'll have helpful links following that.

Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Keep my computer up to date"
*Under Settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

***Be very wary of any security software that is advertised in popups or in other ways. It is not only usually of no use, but often has malware in it.

More information and free downloads are available at the following links:

Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items .

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. This is a self-extracting .ZIP file; save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD).
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list, by typing 2
Then return to the main menu.
Select option #4 - Add the old porn sites domain, by typing 4

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
Old 04-07-2006, 04:33 PM   #20 (permalink)
AMEI (Registered User)
Join Date: Apr 2006
Posts: 16
OS: XP

OK! Did everything. Is there anything that needs to be done to move this thread out of active status?

AMEI
Copyright 2001 - 2009, Tech Support Forum