Register a free account to unlock additional features at BleepingComputer.com

Rogue Spyware- Spywareno, Spyware Quake, Perfected Security, And More...


This topic is locked
10 replies to this topic

#1 alystyn
  • Members
  • 6 posts

Posted 14 April 2006 - 02:19 AM

Hi, please help. There is a yellow triangle icon in my task bar that keeps popping up messages about my computer being infected with adware/spyware. There was also a weird green/red icon, but Ad-Aware got rid of that; I think it was Spyware Quake. I have downloaded SpyCleaner Gold and Spyware Doctor. Spyware Doctor found stuff on scan, but won't let me fix it without paying $30 that I don't have... Anyway, I have spent 2 days now trying to get rid of this, and am at my wits' end here. My computer and my internet are running as slow as slush; seriously, I am connected at .1 Kbps, normally I run at 115 Kbps, this is horrible.
My dad purchased Norton 2006 for me, and I can't install it; the "live update" won't work. (I'm not a kid, TMI but I'm 28.) I normally use Firefox, but just now switched to Internet Explorer in order to run a Panda scan. Internet Explorer is totally hijacked, with "perfected security" popping up, and "pestcontrol" and a few others...


Here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:36 AM, on 4/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\Program Files\quicktime\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpE720.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...tars/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{552A1816-AEEE-41CB-8CB0-107FA496FA8A}: NameServer = 66.102.163.231 66.102.163.232
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - L:\MAYA\docs\wrapper.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Any and all help would be greatly appreciated!!!!
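As an added illustration (not a tool from this thread, and not HijackThis itself), the Python below parses lines in the HijackThis report format shown above and lists the entries a helper would usually look at first. The review heuristics it applies (a "(file missing)" reference, a BHO loaded from a .tmp file, a NameServer override in the registry, an autorun entry that names a bare executable) are this example's own assumptions about what merits a closer look, not a verdict on the log posted here; the sample lines are constructed from the kinds of entries in that log.

```python
"""Parse HijackThis-style log lines and pick out entries to review first.

Added example, not a tool from the forum thread. The review heuristics are
the example's own assumptions, not the thread's conclusions about this PC.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING = "(file missing)"
PATH_CODES = {"O2", "O3", "O9", "O20", "O23"}   # last " - " field is a file path

# Constructed sample in the HijackThis v1.99 format, built from the kinds of
# lines in the thread's log (CLSIDs and addresses copied from that log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpE720.tmp
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O17 - HKLM\System\CCS\Services\Tcpip\..\{552A1816-AEEE-41CB-8CB0-107FA496FA8A}: NameServer = 66.102.163.231 66.102.163.232
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


@dataclass
class Entry:
    code: str                      # section code, e.g. "O4"
    body: str                      # everything after "<code> - "
    clsid: Optional[str] = None    # COM class id when the line carries one
    target: Optional[str] = None   # file path, executable, or value the entry points at
    file_missing: bool = False     # HijackThis could not find the referenced file


def parse_line(line: str) -> Optional[Entry]:
    """Turn one report line into an Entry; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    e = Entry(code, body)
    e.file_missing = body.endswith(MISSING)
    clean = body[: -len(MISSING)].strip() if e.file_missing else body
    c = CLSID_RE.search(clean)
    if c:
        e.clsid = c.group(0)
    if code in PATH_CODES:
        e.target = clean.rsplit(" - ", 1)[-1].strip()
    elif code == "O4":
        # O4 - HKLM\..\Run: [Name] <command line>; keep only the executable
        cmd = clean.split("]", 1)[-1].strip()
        e.target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    elif " = " in clean:           # R* start/search-page entries, O17 NameServer
        e.target = clean.split(" = ", 1)[1].strip()
    return e


def parse_log(text: str) -> list[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def triage(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (code, reason) pairs for entries a helper should examine first."""
    out = []
    for e in entries:
        if e.file_missing:
            out.append((e.code, "dangling reference: the file it points at is gone"))
        if e.code == "O2" and e.target and e.target.lower().endswith(".tmp"):
            out.append((e.code, "browser helper object loaded from a .tmp file"))
        if e.code == "O17" and "NameServer" in e.body:
            out.append((e.code, "DNS servers set in the registry: " + (e.target or "")
                        + "; confirm they belong to your ISP"))
        if e.code == "O4" and e.target and "\\" not in e.target:
            out.append((e.code, "autorun uses a bare file name (" + e.target
                        + "); confirm which copy on the PATH actually runs"))
    return out


if __name__ == "__main__":
    for code, reason in triage(parse_log(SAMPLE_LOG)):
        print(code, "-", reason)
```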


#2 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 14 April 2006 - 02:33 AM

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Click here to download System Security Suite. Extract it from the zip file into a folder.

Click here to download ewido security suite - it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 alystyn
  • Topic Starter
  • Members
  • 6 posts

Posted 14 April 2006 - 04:01 PM

Thanks for responding!!!!!!!!!!!!!

OK, I installed ewido and ran the update.
I downloaded System Security Suite and left it on my desktop untouched.
I downloaded SmitfraudFix and ran into problems here.
When I click on smitfraudfix.cmd I get this exact message:

Bad command or file name (six times)
Smitfraudfix V2.29

Unsupported Version!
Windows 2000/ XP Required!

Press any key to continue...

______________________________________

For the record, I have Windows 2000 installed. I used to have Windows ME, but changed operating systems last year due to crashes... When I type "1" in SmitfraudFix, the program closes...

Sorry to be so helpless...

#4 Daemon
    Security Expert
  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 14 April 2006 - 04:08 PM

Odd. OK, do this. Click here to download smitRem.exe and save the file to your desktop. Double click on the file to extract it to its own folder on the desktop.

Click here to download ewido security suite - it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.

Click here to download Ad-Aware SE 1.06 and install it, if you haven't already got it. Launch Ad-Aware and click on "check for updates now" to make sure you have the latest reference file. Do NOT run a scan yet. Exit the program.

Next reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive (where your operating system is installed). You will need that log later.

Launch Ad-aware again:
  • Click "Start"
  • Select "Perform Full System scan"
  • Click "Next" to start the scan.
When the scan is finished, the screen will tell you if anything has been found.
  • Click "Next". The bad files will be listed.
  • Right click the pane and click "Select all objects" - this will put a check mark in the box at the side.
  • Click "Next" again
  • Click "OK" at the prompt "# objects will be removed. Continue?".
Exit the program.

Launch ewido again:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin (do not open any folders or open the windows control panel while the scan is in progress).
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido.

Next click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Reboot back into Normal Mode and click here to run ActiveScan.
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Paste the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log in your next reply.

#5 alystyn
  • Topic Starter
  • Members
  • 6 posts

Posted 14 April 2006 - 09:03 PM

OK, you are going to love me for this one, but more problems...

In safe mode -

smitfraud once again gave the same message (yes, I used the second one you gave me). This time it ended the message by saying "Sorry this tool cannot be run on your system, press any key to close this window".

Ad-Aware found nothing after an hour of searching.

ewido found 111 objects (only took 89 min). Here is the report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:53:23 PM, 4/14/2006
+ Report-Checksum: 625C196C

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{06CA2DA3-3A44-4FC7-8FD9-246C0F53407C} -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.14:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.24:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.25:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.26:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.27:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.36:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.37:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.38:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.39:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies-1.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.17:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.31:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.50:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.57:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.69:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.70:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.71:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.72:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.73:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.74:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.75:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.76:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.78:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup
:mozilla.79:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.80:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.82:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.83:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.84:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.85:C:\Documents and Settings\default\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@e-2dj6wfl4kicpgdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@e-2dj6wgkyondjelo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@e-2dj6wjkygnczgbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@e-2dj6wjl4cldjkbo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@e-2dj6wjlyupd5ido.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\Cookies\default@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\default\Local Settings\Temp\NNCLXA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@ads.link4ads[3].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@ads15.hyperbanner[1].txt -> TrackingCookie.Hyperbanner : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@dynaserv.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@rd.advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@track-star[2].txt -> TrackingCookie.Track-star : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@www.hightrafficads[1].txt -> TrackingCookie.Hightrafficads : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@www.hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Default User\Cookies\default@zero.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@ads.link4ads[3].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@ads15.hyperbanner[1].txt -> TrackingCookie.Hyperbanner : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@dynaserv.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@rd.advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@track-star[2].txt -> TrackingCookie.Track-star : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@www.hightrafficads[1].txt -> TrackingCookie.Hightrafficads : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@www.hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Superman\Cookies\default@zero.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@ads.link4ads[1].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@ads.link4ads[3].txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@ads15.hyperbanner[1].txt -> TrackingCookie.Hyperbanner : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@dynaserv.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@gm.preferences[1].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@hg1.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@preferences[2].txt -> TrackingCookie.Preferences : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@rd.advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@track-star[2].txt -> TrackingCookie.Track-star : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@www.hightrafficads[1].txt -> TrackingCookie.Hightrafficads : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@www.hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Superman.COMPUTER\Cookies\default@zero.ads360[1].txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\Downloads\DinerDashSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\Downloads\Q-bert_2005_Setup-dm[1].exe -> Adware.Trymedia : Cleaned with backup
C:\Downloads\Q-bert_2005_Setup-dm[2].exe -> Adware.Trymedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc1112.txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc1182.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc1183.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc1410.txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc320.txt -> TrackingCookie.Ads360 : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc409.txt -> TrackingCookie.Preferences : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc682.txt -> TrackingCookie.Preferences : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc94.txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc95.txt -> TrackingCookie.Link4ads : Cleaned with backup
C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc98.txt -> TrackingCookie.Hyperbanner : Cleaned with backup
C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\1D52E463-4E1C-43A4-AC17-5CC199\DA46F0F6-7561-46B9-87DA-5098C2/asm.exe -> Adware.Altnet : Cleaned with backup
C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\1D52E463-4E1C-43A4-AC17-5CC199\DA46F0F6-7561-46B9-87DA-5098C2/asmps.dll -> Adware.Altnet : Cleaned with backup
C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\8F7AD48A-999D-429C-9DE7-E03110\2DC04C01-D347-4D90-8C20-E3E2A9 -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\EB629E81-C6D1-4FBD-858B-1F3780\EDB95C55-6AC0-4D7D-B791-24DFA9 -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ld4575.tmp -> Not-A-Virus.Hoax.Win32.Renos.cc : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ld6AA9.tmp -> Not-A-Virus.Hoax.Win32.Renos.cc : Cleaned with backup
C:\WINDOWS\SYSTEM32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\interf.tlb -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\mssearchnet.exe -> Hijacker.SpyAxe : Cleaned with backup
C:\WINDOWS\SYSTEM32\nvctrl.exe -> Hijacker.SpyAxe : Cleaned with backup
C:\WINDOWS\SYSTEM32\stickrep.dll -> Trojan.Small : Cleaned with backup


::Report End



Ok, Panda Active Scan is my next problem. It gets all the way to the "scanning your computer" page, the Internet Explorer window says "done but with errors on page" The scan does not progress. It has stayed at "0 files scanned" for 15 minutes now... I tried to close it, and the program had frozen, task manager couldn't close it either. Restarted computer, tried again, same problem. (I've tried this several times now) The farthest I've gotten into the scan now is 3747 files scanned, it's picking up 2 spyware and 1 hijacking tool, then Internet Explorer freezes... good thing I have Firefox!

The blinking yellow task bar alert is gone now though! :huh: :thumbsup: :flowers:

latest hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 6:03:16 PM, on 4/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\Program Files\quicktime\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpF20.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...tars/wtinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{552A1816-AEEE-41CB-8CB0-107FA496FA8A}: NameServer = 66.102.163.231 66.102.163.232
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - L:\MAYA\docs\wrapper.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

____________________________________________

Lovely, I know. You sent me a very helpful, easy-to-follow list of instructions, and now I feel like an idiot since I can't follow them... and I considered myself computer savvy before this LOL :huh:

#6 alystyn

alystyn
  • Topic Starter

  • Members
  • 6 posts

Posted 14 April 2006 - 11:08 PM

Got panda scan to work! Had to shut down internet connection, and then it started working... here's the log:


Incident Status Location

Adware:adware/emediacodec Not disinfected C:\WINDOWS\SYSTEM32\ncompat.tlb
Adware:adware/securityerror Not disinfected C:\WINDOWS\SYSTEM32\ot.ico
Potentially unwanted tool:application/spywarequake Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SPYWAREQUAKE
Potentially unwanted tool:Application/Processor Not disinfected C:\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\default\Desktop\Folders\Audio\SFX downloads\SmitfraudFix(2).zip[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\default\Desktop\Folders\Audio\SFX downloads\SmitfraudFix.zip[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\default\Desktop\Folders\Audio\SFX downloads\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\default\Desktop\New Folder\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\default\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\default\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\default\Local Settings\Temp\sa1.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\default\Local Settings\Temp\sa10.exe
Potentially unwanted tool:Application/SpywareQuake Not disinfected C:\Documents and Settings\default\Local Settings\Temp\saB.exe
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Default User\Cookies\default@desktop.kazaa[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\Documents and Settings\Default User\Cookies\default@gammae[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Default User\Cookies\default@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Default User\Cookies\default@go[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Default User\Cookies\default@linkexchange[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Default User\Cookies\default@linkexchange[4].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Default User\Cookies\default@pop.mircx[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Default User\Cookies\default@webpower[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Default User\Cookies\default@www.affiliatefuel[1].txt
Spyware:Cookie/Buzztone Not disinfected C:\Documents and Settings\Default User\Cookies\default@www.buzztone[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Superman\Cookies\default@desktop.kazaa[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\Documents and Settings\Superman\Cookies\default@gammae[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Superman\Cookies\default@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Superman\Cookies\default@go[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Superman\Cookies\default@linkexchange[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Superman\Cookies\default@linkexchange[4].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Superman\Cookies\default@pop.mircx[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Superman\Cookies\default@webpower[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Superman\Cookies\default@www.affiliatefuel[1].txt
Spyware:Cookie/Buzztone Not disinfected C:\Documents and Settings\Superman\Cookies\default@www.buzztone[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@desktop.kazaa[1].txt
Spyware:Cookie/Powerscan Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@gammae[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@go[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@linkexchange[2].txt
Spyware:Cookie/LinkExchange Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@linkexchange[4].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@pop.mircx[1].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@webpower[1].txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@www.affiliatefuel[1].txt
Spyware:Cookie/Buzztone Not disinfected C:\Documents and Settings\Superman.COMPUTER\Cookies\default@www.buzztone[1].txt
Possible Virus. Not disinfected C:\Program Files\DeepUV\DeepUV.exe
Spyware:Cookie/go Not disinfected C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc412.txt
Spyware:Cookie/go Not disinfected C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc413.txt
Spyware:Cookie/Mircx Not disinfected C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc676.txt
Spyware:Cookie/WebPower Not disinfected C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc881.txt
Spyware:Cookie/Affiliate fuel Not disinfected C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc913.txt
Spyware:Cookie/Buzztone Not disinfected C:\RECYCLER\S-1-5-21-789336058-1078145449-1343024091-1000\Dc954.txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\Cache\3EFBEAA3d01[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\15osj6hn.default\Cache\633285D9d01[Process.exe]
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\9E8C5CC8-2C70-4E0B-B6D0-B78B5F\2E7D1001-2D1C-4BF4-8101-8DA225
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\9E8C5CC8-2C70-4E0B-B6D0-B78B5F\3CD7DDC9-91A8-4FC8-B8F4-F73081
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\9E8C5CC8-2C70-4E0B-B6D0-B78B5F\8EC6F76E-2EEE-4E98-BE46-953EE8
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\WINDOWS\Application Data\Sunbelt Software\CounterSpy\Quarantine\9E8C5CC8-2C70-4E0B-B6D0-B78B5F\D820C7FA-8517-45EE-BD64-B1DB07
Virus:W32/Disemboweler Not disinfected C:\_RESTORE\ARCHIVE\FS17.CAB[A0001323.CPY]

#7 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 15 April 2006 - 02:30 AM

OK, let's see if we can finish it off. Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\amcompat.tlb
    C:\WINDOWS\SYSTEM32\interf.tlb
    C:\WINDOWS\SYSTEM32\nscompat.tlb
    C:\WINDOWS\SYSTEM32\__delete_on_reboot__stickrep.dll
    C:\WINDOWS\SYSTEM32\taskdir.dll
    C:\WINDOWS\SYSTEM32\taskdir.exe
    C:\WINDOWS\system32\hpF20.tmp
    C:\WINDOWS\SYSTEM32\ncompat.tlb
    C:\WINDOWS\SYSTEM32\ot.ico

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

* Download Roguescanfix from here. Download it to your desktop.
Double-click roguescanfix.exe
Click the 'install' button.
This will create a new folder on your desktop called Roguescanfix.
Open that folder and double-click: Run.bat

Note: This tool needs an internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here.
Unzip it and place BFU.exe in the Roguescanfix folder. Then double-click Run.bat again.


The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs is finished before you click Yes to reboot.

After restarting, with only HijackThis running, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpF20.tmp
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/wdriver...tars/wtinst.cab

Reboot again when done, rescan with HJT and post a new log here.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here
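A small triage script, added here as an example (it is not part of the thread and not HijackThis' own code), that parses the O2/O3/O4/O16/O17/O23 line formats from the logs above and flags the kinds of entries a helper looks at first: an unnamed BHO loading a .tmp module, registrations whose target file is missing, startup entries with a bare filename, a custom NameServer, and services with an unknown owner. The flag rules are my own heuristics for illustration; the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis v1.99.1 log lines (example code, not from
the thread or from HijackThis). Heuristics below are assumptions made for
illustration, not HijackThis' own logic."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A registry CLSID such as {8d83b16e-0de1-452b-ac52-96ec0b34aa4b}
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# One pattern per HijackThis section this script knows how to read.
# 'path' holds the file, command, URL or value on the right-hand side.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O3": re.compile(r"^O3 - Toolbar: (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O16": re.compile(r"^O16 - DPF: (?P<name>.*?) - (?P<path>\S+)$"),
    "O17": re.compile(r"^O17 - (?P<name>.*?): NameServer = (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}

# A command that starts with a drive letter (optionally quoted), e.g. "C:\...
DRIVE_PATH = re.compile(r'^"?[A-Za-z]:\\')


@dataclass
class Entry:
    section: str
    name: str
    path: str
    raw: str
    clsid: Optional[str] = None
    owner: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O-line, None for anything else."""
    line = line.strip()
    section = line.split(" ", 1)[0]
    pattern = PATTERNS.get(section)
    if pattern is None:
        return None
    m = pattern.match(line)
    if m is None:
        return None
    g = m.groupdict()
    clsid = g.get("clsid")
    if clsid is None:  # O16 lines carry the CLSID inside the name field
        found = re.search(CLSID, g["name"])
        clsid = found.group(0) if found else None
    return Entry(section, g["name"], g["path"], line, clsid, g.get("owner"))


def triage(entry: Entry) -> Entry:
    """Attach review flags (heuristics assumed for this example)."""
    path = entry.path.strip()
    module = re.sub(r" \(file missing\)$", "", path)
    if "(file missing)" in path:
        entry.flags.append("target file missing: orphaned registration")
    if entry.section in ("O2", "O3") and module.lower().endswith(".tmp"):
        entry.flags.append("module is a .tmp file: not how legitimate add-ons ship")
    if entry.section == "O2" and entry.name.strip().lower() in ("", "nothing", "(no name)"):
        entry.flags.append("BHO registered without a name")
    if entry.section == "O4" and not DRIVE_PATH.match(path):
        entry.flags.append("bare filename, location not resolved: confirm which copy runs")
    if entry.section == "O17":
        entry.flags.append("custom NameServer: confirm these addresses belong to the ISP")
    if entry.section == "O23" and entry.owner == "Unknown owner":
        entry.flags.append("service with unknown owner: verify publisher and file")
    return entry


def triage_log(lines: List[str]) -> List[Entry]:
    """Parse every recognised line of a log and triage it."""
    entries = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            entries.append(triage(e))
    return entries


def flagged(lines: List[str]) -> List[Entry]:
    """Only the entries that earned at least one flag."""
    return [e for e in triage_log(lines) if e.flags]


# Constructed subset: lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpF20.tmp",
    r"O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [LoadQM] loadqm.exe",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{552A1816-AEEE-41CB-8CB0-107FA496FA8A}: NameServer = 66.102.163.231 66.102.163.232",
    r"O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe",
    r"O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE",
]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(e.raw)
        for f in e.flags:
            print("   ->", f)
```

Feed it a saved log with `triage_log(open("hijackthis.log").read().splitlines())`; unrecognised sections and the "Running processes" block are skipped rather than misparsed.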

#8 alystyn

alystyn
  • Topic Starter

  • Members
  • 6 posts

Posted 15 April 2006 - 03:46 AM

:thumbsup:

wow, what a difference!

logfile:

Logfile of HijackThis v1.99.1
Scan saved at 1:40:45 AM, on 4/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\hidserv.exe
C:\WINDOWS\system32\sesinetd.exe
C:\WINDOWS\system32\hserver.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\SK9910DM.EXE
C:\Program Files\quicktime\iTunesHelper.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\quicktime\iTunesHelper.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [OEMRUNONCE] c:\windows\options\cabs\oemrun.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Spy Watcher] "C:\PROGRA~1\SPYCLE~1\SpyWatcher.exe" -S
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O12 - Plugin for .hlq: C:\PROGRA~1\INTERN~1\PLUGINS\nphcd32.dll
O12 - Plugin for .wmv: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npdsplay.dll
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/20010620...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Houdini License Server (HoudiniLicenseServer) - Side Effects Software Inc. - C:\WINDOWS\system32\sesinetd.exe
O23 - Service: Houdini License Client (HoudiniServer) - Side Effects Software Inc. - C:\WINDOWS\system32\hserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - L:\MAYA\docs\wrapper.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RaySatxsi5_0 Server (RaySatxsi5_0Server) - Unknown owner - C:\Softimage\XSI_5.0\Application\bin\raysatxsi5_0server.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
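As an added example, not part of this thread or of HijackThis itself, here is a small Python triage helper for the log format above: it parses the O-lines and flags the entries a helper would look at first (missing files, services with no recorded owner, autoruns that use a bare filename, Winlogon Notify DLLs). The heuristics are hypothetical review rules, the sample lines are copied from the log above, and a flag means "check this", not "malicious".

```python
import re

# Constructed sample: five lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
""".strip()

# Every HijackThis line starts with a section code (O4, O20, O23, ...) and " - ".
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")


def parse_line(line):
    """Split one log line into its section code and body; None if not an O-line."""
    m = LINE_RE.match(line.strip())
    return {"section": m.group(1), "body": m.group(2)} if m else None


def triage(entry):
    """Return the reasons (hypothetical review heuristics) to look at this entry.

    An empty list means nothing stood out; a non-empty list means 'check', not 'malicious'.
    """
    section, body = entry["section"], entry["body"]
    reasons = []
    if "(file missing)" in body:
        reasons.append("referenced file is missing (stale entry or removed component)")
    if section == "O23" and " - Unknown owner - " in body:
        reasons.append("service has no recorded owner/vendor string")
    if section == "O4":
        # Body looks like: HKLM\..\Run: [Name] <command line>
        cmd = body.split("] ", 1)[1] if "] " in body else ""
        exe = cmd.split('" ', 1)[0].strip('"') if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if exe and "\\" not in exe:
            reasons.append("autorun uses a bare filename resolved via the search path")
    if section == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon; confirm its publisher")
    return reasons


def triage_log(text):
    """Return [(entry, reasons)] for every parsable line that has at least one reason."""
    flagged = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry and (reasons := triage(entry)):
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry["section"], entry["body"][:60], "->", "; ".join(reasons))
```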

#9 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK
  • Local time:08:14 PM

Posted 15 April 2006 - 04:51 AM

That looks better - how is it running now?

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#10 alystyn

alystyn
  • Topic Starter

  • Members
  • 6 posts
  • Local time:01:14 PM

Posted 15 April 2006 - 03:34 PM

:huh: :thumbsup:

It feels like it's running faster than ever before, I bow down to your expertise.

THANK YOU :flowers: :huh:

You fixed it! :huh:

#11 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK
  • Local time:08:14 PM

Posted 15 April 2006 - 04:14 PM

You're welcome - glad to help :thumbsup:

To help keep you clean follow the recommendations in the article here:

So how did I get infected?
As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.
