advise on log

[sbelgard]

I was told to post my HJT log here for help.

Please advise. Sonya

Logfile of HijackThis v1.99.1
Scan saved at 3:51:34 PM, on 4/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\TEMP\win212.tmp.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=168.94.74.68:8080
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\BellSouth\BellSouth Internet Security\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\BellSouth\BellSouth Internet Security\FreeBHOR.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [BellSouth Internet Security] "C:\Program Files\BellSouth\BellSouth Internet Security\Freedom.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm415BXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.af.mil
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...6/sdcregie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/appli...ClientUtil.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133538884687
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumerinput.com/panel/g...ne/dcainst.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[AbstractEpiphany]

Hi and welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.

[AbstractEpiphany]

Hello again sbelgard, and thank you for your patience.

Did you add *.af.mil to your Trusted Zone?

Before You Begin...
Please print out this page or copy it to Notepad to help you carry out the following instructions. Make sure to work through the fixes in the exact order they are mentioned below, and if there's anything that you don't understand, please ask any questions you may have before proceeding with the fix. You should not have any browsers or windows open, other than the programs mentioned in the fix, when you are following the procedures below.

Disable SpySweeper
Please disable Webroot SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable Webroot SpySweeper:

• Open SpySweeper
• Go to the Options -> Program Options
• Uncheck Load at Windows Startup
• Click Shields and uncheck all items there
• Uncheck Home Page Shield.

And then close SpySweeper.

View Hidden and System Files
Open My Computer. Select the View menu and click Folder Options. Select the View Tab then select Show hidden files and folders. Uncheck Hide protected operating system files (recommended), and make sure to uncheck Hide file extensions for known file types. Click OK.

Download Tools
Please download Cleanup! or use this alternate link if the main link does not work and install it. You will use this later.
NOTE: Do not run this program if you have XP Professional 64 bit edition. If you are unsure as to whether or not you have a 64 bit version of XP, please download and run this tool: http://www.kellys-korner-xp.com/regs...p_whichcpu.exe

I see you already have Ewido Anti-malware installed on your system. Please make sure it is updated to the latest definitions:

• Open Ewido
• On the left hand side of the main screen,. click Update
• Then click on the Start Update button. The update will start and a progress bar will show the updates being installed.
• After it has finished, close Ewido, we will use it later.

If you have problems with the updater, you can use the Ewido manual updater instead of the automatic updater.

Download Host.zip to your desktop. We'll use it later.

CWShredder
Download CWShredder and run it. Click Check for Update. Click on 'I Agree' button if you agree. Click on Fix (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Restart to Safe Mode
Restart your computer, and repeatedly tap the F8 key (or the appropriate key for your system) until the menu appears. Select Safe Mode from that menu.

Uninstall Programs
Click Start -> Control Panel -> Add/Remove Programs and uninstall the following programs (if they exist):

MyWebSearch

Do not reboot if prompted by the uninstaller.

Fix HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm415BXUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/appli...ClientUtil.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll

Please remember to close all other windows (including browsers) then click Fix checked.

Delete Files
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.

C:\WINDOWS\SYSTEM32\winzzc32.dll

Let me know if you can't find or delete it.

CleanUp!
NOTE: Cleanup deletes EVERYTHING out of temporary folders and does not make backups. If you have any files in your temporary folders you want to keep, move them now!

Open Cleanup! by double-clicking the icon on your desktop (or from Start -> All Programs). Set the program up as follows:

• Click Options
• Move the slider button down to Custom CleanUp!
• Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
• Uncheck the following:
  • Scan local drives for temporary files

Click OK, Press the CleanUp! button to start the program. Do not reboot when prompted.

Ewido
Close all open windows and please do not open any new windows during the course of this scan. Open Ewido.

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans, Ewido is finding cases of false positives. You will need to step through the process of cleaning files one-by-one.
  • If Ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop.
• Close Ewido

NOTE: The Ewido scan will require at least an hour to run.

Restart to Normal Mode
Restart your system normally.

MVPS Hosts File
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

• From your Desktop right-click hosts.zip and select Extract All from the menu.
• Click Next, click Next, select the option Show Extracted files, click Finish. This will open the newly created hosts folder on your desktop.
• Double-click on the included mvps.bat file. This will rename the existing hosts file to hosts.mvp, then it will copy the included updated hosts file to the correct location on your machine.

Scan with Panda ActiveScan
Perform an online scan with Internet Explorer with Panda ActiveScan (click on the Free To Use ActiveScan located on the top right hand corner).

1. Click Check Now and a "pop up" window will appear. Please ensure that your pop up blocker doesn't block it!
2. Enter your e-mail address, country, and state & click Scan Now. The download of the 8 MB Panda's ActiveX control will now take place.

Begin the scan by selecting My Computer

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on See report then click Save report

NOTE: You don't need to remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Please turn off the real time scanners of any antivirus programs on your system while performing the online scan.

Logfiles Required
The Ewido logfile
The Panda ActiveScan report
A new HiJackThis log

And please advise as to how your system is running.

[sbelgard]

HIJACKTHIS LOG:


Logfile of HijackThis v1.99.1
Scan saved at 1:35:12 AM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\BellSouth\BellSouth Internet Security\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\BellSouth\BellSouth Internet Security\FreeBHOR.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [BellSouth Internet Security] "C:\Program Files\BellSouth\BellSouth Internet Security\Freedom.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.af.mil
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...6/sdcregie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133538884687
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {93EFDAB8-8800-4896-B428-76F943140E1B} (Setup Class) - http://www.consumerinput.com/panel/g...ne/dcainst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

ACTIVESCAN LOG:
Incident Status Location

Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Potentially unwanted tool:application/funweb Not disinfected C:\PROGRAM FILES\FunWebProducts
Potentially unwanted tool:application/myway Not disinfected C:\PROGRAM FILES\MyWay
Potentially unwanted tool:application/mywebsearch Not disinfected C:\PROGRAM FILES\MyWebSearch
Potentially unwanted tool:application/need2find Not disinfected C:\PROGRAM FILES\Need2Find
Spyware:spyware/rxtoolbar Not disinfected Windows Registry
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL
Potentially unwanted tool:Application/FunWeb Not disinfected C:\unzipped\hijackthis\backups\backup-20060420-214924-159.inf
Spyware:Cookie/Kazaa Networks Not disinfected D:\WINDOWS\Cookies\default@desktop.kazaa[1].txt
Spyware:Cookie/go Not disinfected D:\WINDOWS\Cookies\default@go[1].txt
Spyware:Cookie/Atwola Not disinfected D:\WINDOWS\Cookies\default@atwola[1].txt
Spyware:Cookie/Gorillanation Not disinfected D:\WINDOWS\Cookies\default@ads.gorillanation[1].txt
Spyware:Cookie/888 Not disinfected D:\WINDOWS\Cookies\default@888[1].txt
Spyware:Cookie/Rightmedia Not disinfected D:\WINDOWS\Cookies\default@rightmedia[1].txt
Spyware:Cookie/Atwola Not disinfected D:\WINDOWS\Cookies\default@atwola[2].txt
EWIDO REPORT:

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:08:35 AM, 4/21/2006
+ Report-Checksum: 8F31D4E8

+ Scan result:

D:\RECYCLED\NPROTECT\00000003.TXT -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
D:\RECYCLED\NPROTECT\00000004.TXT -> TrackingCookie.Web-stat : Cleaned with backup
D:\RECYCLED\NPROTECT\00000005.TXT -> TrackingCookie.Com : Cleaned with backup


::Report End

Please advise.

Also, All queries were ran with system restore disabled. Is this the correct thing to do? It has been turned off since before the infection.

Thanks,
Sonya

[sbelgard]

Yes, I believe I did add *.af.mil to trusted sites.

[AbstractEpiphany]

Hello again Sonya!

Please re-enable system restore until the disinfection of your system is finished. This way, you do have a backup if you find reason to use it, just in case--we'll clear the system restore points once your system is clean, to give you a fresh restore point and to purge the infected restore points.

Also, I noticed you've run a system scan with Bitdefender's online scan. However, although that was a nice idea, it would be appreciated if you would follow the malware removal process precisely as outlined in the fix provided, and resist running any extra scans until your system is clean, please--as they may make the removing the existing malware more difficult, especially if I don't know what the scan found or modified, or how you dealt with the results, if any.

Did you by any chance happen to save the results from Bitdefender's scan, if there were any? If so, can you please post them here?

Turn on System Restore
Turn on System Restore by clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Restart to Safe Mode
Restart your computer, and repeatedly tap the F8 key (or the appropriate key for your system) until the menu appears. Select Safe Mode from that menu.

Uninstall Programs
Click Start -> Control Panel -> Add/Remove Programs and uninstall the following programs (if they exist):

FunWebProducts
Need2Find
MyWay
MyWebSearch

Do not reboot if prompted by any of the uninstallers.

Delete Files
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.

C:\WINDOWS\smdat32a.sys
C:\PROGRAM FILES\FunWebProducts\
C:\PROGRAM FILES\MyWay\
C:\PROGRAM FILES\MyWebSearch\
C:\PROGRAM FILES\Need2Find\

Let me know if you can't find or delete any of them.

Also, empty this folder:
D:\WINDOWS\Cookies\
by deleting all of the files it contains.

Restart to Normal Mode
Restart your system normally.

Scan with Kapersky
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Answer Yes when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button and configure to:
  • Scan using the following Anti-Virus Database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Logfiles Required
The Kapersky log

And please advise as to how your system is running.

[sbelgard]

Here is the scan log from Kapersky. I ran the bitdefenders scan after I read the instructions on your site. I did not realise that it would hamper things.
2 questions before i copy the scan results. The smdat32a.sys files shows up in the C/Restore/? Should this be there? Also, Should I empty the recycle bin after I delete files?

Do you need a new hijack this file?
Sonya

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, April 22, 2006 19:00:27
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/04/2006
Kaspersky Anti-Virus database records: 189518
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan Statistics:
Total number of scanned objects: 158106
Number of viruses found: 12
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 4754 sec

Infected Object Name - Virus Name
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0077.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0078.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0079.BIN Infected: not-a-virus:AdWare.Win32.WebHancer
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0080.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.h
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe/WISE0081.BIN Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k
C:\Program Files\Consumer Input\uninstall.exe/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n
C:\Program Files\Consumer Input\uninstall.exe Infected: not-a-virus:RiskTool.Win32.PsKill.n
C:\RECYCLER\S-1-5-21-1715567821-1757981266-839522115-1003\Dc4\bar\1.bin\MWSOEMON.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch
C:\RECYCLER\S-1-5-21-1715567821-1757981266-839522115-1003\Dc5\bar\1.bin\N2PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l
C:\RECYCLER\S-1-5-21-1715567821-1757981266-839522115-1003\Dc5\bar\1.bin\NPND2FN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.o
D:\WINDOWS\SYSTEM\bde3dref3K7.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.35684
D:\WINDOWS\pkzw400s.exe/pkzw/PKZIP for Windows/pkzw400s.msi/Data.Cab/F2383_tsinst.msi/Data.Cab/F1073_TSAdBot.exe Infected: not-a-virus:AdWare.Win32.TimeSink
D:\WINDOWS\pkzw400s.exe/pkzw/PKZIP for Windows/pkzw400s.msi/Data.Cab/F2383_tsinst.msi/Data.Cab/F1076_tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSinc
D:\WINDOWS\pkzw400s.exe/pkzw/PKZIP for Windows/pkzw400s.msi/Data.Cab/F2383_tsinst.msi/Data.Cab Infected: not-a-virus:AdWare.Win32.TimeSinc
D:\WINDOWS\pkzw400s.exe/pkzw/PKZIP for Windows/pkzw400s.msi/Data.Cab/F2383_tsinst.msi Infected: not-a-virus:AdWare.Win32.TimeSinc
D:\WINDOWS\pkzw400s.exe/pkzw/PKZIP for Windows/pkzw400s.msi/Data.Cab Infected: not-a-virus:AdWare.Win32.TimeSinc
D:\WINDOWS\pkzw400s.exe/pkzw/PKZIP for Windows/pkzw400s.msi Infected: not-a-virus:AdWare.Win32.TimeSinc
D:\WINDOWS\pkzw400s.exe Infected: not-a-virus:AdWare.Win32.TimeSinc

Scan process completed.

[AbstractEpiphany]

Hello again Sonya! My apologies for the delay.

The smdat32a.sys files shows up in the C/Restore/? Should this be there?
The file smdat32a.sys is being found in system restore's cache, which is because you turned system restore back on while the file was still on your system, as instructed. It will be removed when we flush system restore's cache at the end of this fix.

Also, Should I empty the recycle bin after I delete files?
It definitely wouldn't hurt to do so, to clean out the malware that collects there throughout the fix.

Do you need a new hijack this file?
Yes please--your last HijackThis log was clean, and we're going to tidy up loose ends presented by Kapersky just now, and then all should be clean--but it doesn't hurt to check.

Restart to Safe Mode
Restart your computer, and repeatedly tap the F8 key (or the appropriate key for your system) until the menu appears. Select Safe Mode from that menu.

Uninstall Programs
Click Start -> Control Panel -> Add/Remove Programs and uninstall the following programs (if they exist):

Consumer Input

Do not reboot if prompted by the uninstaller.

Delete Files
Delete the following files indicated in RED and folders indicated in BLUE if they still exist.

D:\WINDOWS\SYSTEM\bde3dref3K7.dll
C:\Documents and Settings\M\My Documents\My Received Files\clipartfree.exe
D:\WINDOWS\pkzw400s.exe
C:\Program Files\Consumer Input\

Let me know if you can't find or delete them.

Restart to Normal Mode
Restart your system normally.

Logfiles Required
A fresh HijackThis log

Are you having any further problems?

[sbelgard]

I have posted the latest Hijackthis log at the end of this response. My computer seems to be running a little faster once windows has loaded. The problem I am having is when you restart windows (not complete shutdown) it freezes on the password page. You have to press the restart button on the case or turn the system completely off to get the computer to reboot all the way.

Can I have spysweeper load at startup again or should I wait till we clean the cache/system restore files?

Thanks,

Logfile of HijackThis v1.99.1
Scan saved at 6:41:47 PM, on 4/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BellSouth\BellSouth Internet Security\Freedom.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BellSouth Accelerator Technology\propelac.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\BellSouth\BellSouth Internet Security\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\BellSouth\BellSouth Internet Security\FreeBHOR.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_16_0.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\BellSouth Accelerator Technology\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [BellSouth Internet Security] "C:\Program Files\BellSouth\BellSouth Internet Security\Freedom.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\BellSouth Accelerator Technology\pac-image.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.af.mil
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/u...6/sdcregie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1133538884687
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[AbstractEpiphany]

Hey Sonya!

Please hold off on re-enabling Spysweeper until we're finished fixing your system--we wouldn't want it to interfere with any changes that still have to be made, which is why it was disabled in the first place.

How long has this restart problem been occuring? Has it just recently started?

Please go to the Run box on the Start Menu and type in or copy/paste sfc /scannow. (there is a space between sfc and /)

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem. You may be prompted to insert the Windows XP install disc, so have it handy.

Let me know the results of that, and whether the problem is still occuring after that finishes.

[sbelgard]

I do not have the XP disk.

My computer was custom built and I was not given the disks. What do I need to do to be able to use this function? The problem with restart has been going on for a while. I know it happened before Hurricane Katrina in 8/05. Everything down here is now stated as "before Katrina" and "after Katrina."

What is the next step in the malware removal process?

Sonya

[AbstractEpiphany]

Great work, you're now malware free!

However, about that restarting problem--I'm going to have to reference you to the Windows XP forum here at TSF, where they'll be happy to help you figure that particular problem out, as we've ruled out the possibility of it being caused by or related to any malicious software. Please tell them what you've told me about the problem, and let them know that your system has been cleared of malware in the HJT forum.

Just a few last steps, and then you're done here.

Re-enable SpySweeper

• Open SpySweeper
• Go to the Options -> Program Options
• Check Load at Windows Startup
• Click Shields and check all items there
• Check Home Page Shield.

And then close SpySweeper.

Hide Hidden Files

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Uncheck the Show hidden files and folders option.
• Check the Hide file extensions for known types option.
• Check the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Reset System Restore
To turn off System Restore click Start > Right Click My Computer > Properties. Click the System Restore tab and Check "Turn off System Restore" or "Turn off System Restore on all drives" Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this then Click OK.

Turn on System Restore by Clicking Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

This will create a new Restore Point.

Windows Updates
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft Windows Update and download all the critical updates to help prevent possible re-infection.

Please verify that you have the recent KB912919 patch for the Windows Metafile Exploit--it is available from Microsoft.

How to Stay Malware-Free
In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles:

TonyKlein's How Did I Get Infected in the First Place?
The Anti-Spyware Tutorial
Making Internet Explorer Safer

This is a good time to set up protection against further attacks. You need an antivirus that is continually updated, a good firewall, a spyware blocker such as Spyware Blaster, and a real time spyware program such as Spyware Guard, to prevent spyware intrusions. Using IE-Spyad, another excellent program that places over 4000 websites and domains in the IE Restricted list, or using a feature full alternative browser such as Opera or Firefox, will help prevent attempts to infect your system. All of the programs above have good free versions available. However, be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often contain malware.

More information and downloads are available at the following links:
Spyware Blaster
Spyware Guard
IE-Spyad
Mozilla Firefox
Opera

One Last Note
Please respond to this topic one last time so we can mark this topic as resolved.

Happy computing!

[sbelgard]

Hello

When I went to re-activate the shields in Spysweeper, I got this error message in the host file shields. It says hosts file to large. Any ideas?

I will post the restart problem to the Windows XP forum.

Thanks,
Sonya