Bundle Of Malware, Incl. Spydawn3.1; Plus Strange Vista Problem, On Friend's New Laptop


11 replies to this topic

#1 coldfrozen

coldfrozen

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 07 March 2007 - 02:13 PM

Hi,
Hard to know where to start. I'm trying to straighten out my friend's new laptop, which has several problems, which may or may not be related, but which did start at the same time. She has an Acer, with Windows Vista, which I've never even seen until today. She accidentally downloaded a file on Myspace, and it installed six things, including the following:
Spydawn 3.1
Video Access Activex Object 2.07
Public Messenger ver 2.03
System Alert Popup
Internet Security Add-On
Internet Explorer Security Plugin 2006

I also find these in the running processes:
isamini.exe
isamntr.exe
pmmnt.exe
pmsnrr.exe

I've searched these, and found a lot of different methods for fixing the first set, and methods for fixing the processes, but I've not seen them listed together anywhere, to say that they are all from the same cause.

And that's not all, there's one more thing which may be connected to those, or may be its own third thing. When you start the computer, as soon as Windows starts, it begins a loop saying something like, "Windows has encountered a problem" (not sure exactly what the message is, but it's something to that effect), followed by "Windows Explorer is restarting." And it continues to loop, meanwhile allowing you only maybe five seconds to work with the Windows Start menu, before it blanks out and starts again. It does this for a while, maybe ten or fifteen minutes of looping, and then it finally gives up, and drops the Start menu completely. I'm left with whatever windows I managed to get open in between loops. Things still seem to work, but there's no Start menu with which to navigate the computer. So, I'm having to find creative ways to get things opened while working to fix this, using Vista which I'm unfamiliar with. It's been a major pain.

SO, I intended to do the cleanup that you guys recommend doing before posting any HJT log, but I can barely get around as it is; so I was hoping that I could post a log, and maybe see if we can get this thing back under control a little bit, without the clean up steps. I really wanted to go about this the right way if I'm going to trouble you for help, but I'm limping...no crawling through this process right now.

So, I found you guys by searching the first set of items above, and found you'd helped someone else with the same trouble. He had posted a HJT log, and was directed to post a log created by SUPER AntiSpyware. I set out to get the same two logs to post, but HJT gave me a couple of error messages along the way:

1. "For some reason your system denied write access to the Hosts file..."

2. "An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16386
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan."

And so I don't know if the log is good or no good because of those errors, because honestly I don't know what they're telling me. But whatever it is worth, here, finally, is the HJT log:
---------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:07:46 PM, on 3/7/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\SpyDawn\SpyDawn.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Windows\Explorer.exe
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Users\JENNIFEFR\AppData\Local\Temp\Temp2_hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video Access ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [SpyDawn] C:\Program Files\SpyDawn\SpyDawn.exe /h
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
----------------------------------------------------------------------------------------------------------------------------

And then I ran the SUPER AntiSpyware program. The other guy you helped was directed to do the fixes, and then post the log, but I haven't done the fixes yet because I wanted to make sure I didn't follow advice that was not intended for me. Kind of like taking medicine prescribed for someone else is a bad idea; I figured it is possible that you might not advise me to do the fixes until directed. So, here then is the log created by SAS:

---------------------------------------
SUPERAntiSpyware Scan Log
Generated 03/07/2007 at 12:36 PM
Application Version : 3.5.1016
Core Rules Database Version : 3195
Trace Rules Database Version: 1205
Scan type : Complete Scan
Total Scan Time : 00:46:16
Memory items scanned : 811
Memory threats detected : 7
Registry items scanned : 6736
Registry threats detected : 61
File items scanned : 57086
File threats detected : 112
Trojan.Media-Codec
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMNTR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMNTR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMINI.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMINI.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMMNT.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMMNT.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\IESPLUGIN.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\IESPLUGIN.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISADD.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISADD.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMSNRR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMSNRR.EXE
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\Implemented Categories
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\InprocServer32
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\InprocServer32#ThreadingModel
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32#ThreadingModel
HKU\S-1-5-21-711563804-2321881686-2758471976-1000\Software\Internet Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#Publisher
C:\Program Files\Video Access ActiveX Object\iesuninst.exe
C:\Program Files\Video Access ActiveX Object\isunst.exe
C:\Program Files\Video Access ActiveX Object\ot.ico
C:\Program Files\Video Access ActiveX Object\pmunst.exe
C:\Program Files\Video Access ActiveX Object\ts.ico
C:\Program Files\Video Access ActiveX Object\uninst.exe
C:\Program Files\Video Access ActiveX Object
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{84938242-5C5B-4A55-B6B9-A1507543B418}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video Access ActiveX Object\isamntr.exe ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#rare [ C:\Program Files\Video Access ActiveX Object\pmsnrr.exe ]
C:\Windows\Prefetch\ISAMINI.EXE-A5A6FB9C.pf
C:\Windows\Prefetch\ISAMNTR.EXE-3956FDC0.pf
C:\Windows\Prefetch\PMMNT.EXE-75CA34CE.pf
C:\Windows\Prefetch\PMSNRR.EXE-2E1F27CC.pf
Malware.SpyDawn
C:\PROGRAM FILES\SPYDAWN\SPYDAWN.EXE
C:\PROGRAM FILES\SPYDAWN\SPYDAWN.EXE
[SpyDawn] C:\PROGRAM FILES\SPYDAWN\SPYDAWN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\SpyDawn.exe
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\edxbzni
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32#ThreadingModel
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\jzijfwghpsJn
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\mzmdrVomf
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\nvzxfsofkb
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\SrbgfuadGpwdp
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\tszscNYwosrE
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\vkMhggam
HKLM\Software\SpyDawn
HKLM\Software\SpyDawn#refid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#NSIS:StartMenuDir
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#Publisher
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#SpyDawn [ C:\Program Files\SpyDawn\SpyDawn.exe /h ]
C:\Program Files\SpyDawn\blacklist.txt
C:\Program Files\SpyDawn\ignored.lst
C:\Program Files\SpyDawn\Lang\English.ini
C:\Program Files\SpyDawn\Lang
C:\Program Files\SpyDawn\Logs
C:\Program Files\SpyDawn\msvcp71.dll
C:\Program Files\SpyDawn\msvcr71.dll
C:\Program Files\SpyDawn\Quarantine
C:\Program Files\SpyDawn\sd.dat
C:\Program Files\SpyDawn\sd.ini
C:\Program Files\SpyDawn\SpyDawn.url
C:\Program Files\SpyDawn\uninst.exe
C:\Program Files\SpyDawn
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyDawn
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SpyDawn 3.1.lnk
C:\Users\JENNIFEFR\Desktop\SpyDawn.lnk
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Start Menu\SpyDawn 3.1.lnk
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\SPYDAWN 3.1.LNK
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\UNINSTALL SPYDAWN 3.1.LNK
C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\SPYDAWN 3.1.LNK
C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\UNINSTALL SPYDAWN 3.1.LNK
C:\USERS\JENNIFEFR\APPDATA\LOCAL\TEMP\AVE523.EXE
C:\Windows\Prefetch\SPYDAWN.EXE-3B7DCFA2.pf
Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}\InProcServer32
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEPLXSS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{aed6f6a3-183c-488d-9f90-23db99f56e7f}
Adware.Tracking Cookie
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@perf.overture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@www.ez-tracks[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@doubleclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@spydawn[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@2o7[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@ez-tracks[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@mediaplex[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@atdmt[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@webtrendslive.bbandt[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@fastclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@atwola[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@www.pestcapture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@advertising[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@apmebf[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@2o7[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@a.websponsors[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@a.websponsors[3].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adbrite[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adinterax[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adprofile[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adrevolver[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ads.adbrite[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ads.pointroll[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@advertising[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@atdmt[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@atwola[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@azjmp[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@bluestreak[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@casalemedia[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@cb.adprofile[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@citi.bridgetrack[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@click.cashengines[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@clickbank[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@coolsavings[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@doubleclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ehg-adteractive.hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ehg-equifax.hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ehg-publiciswest.hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@enhance[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ez-tracks[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@eztracks.aavalue[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@fastclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@hotbar[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@icc.intellisrv[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@jumps.ez-tracks[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@media.adrevolver[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@mediaplex[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@overture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@partner2profit[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@perf.overture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@precisionclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@questionmarket[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@realmedia[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@revsci[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@stats.theharrisonventure[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@stats1.reliablestats[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@tacoda[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@tribalfusion[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@webtrendslive.bbandt[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@www.ez-tracks[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@www.googleadservices[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@www.googleadservices[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@zedo[2].txt
Trojan.Security Toolbar
C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url
C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url
C:\Users\Public\Desktop\Security Troubleshooting.url
C:\Users\Public\Desktop\Online Security Guide.url
BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
C:\Windows\Prefetch\BEARSHARE.EXE-D62DC8F8.pf
-----------------------------------------------------------------------------------------------------------------------------
And that's everything I've got. I feel that I've asked too much; I don't know if this is a typically-sized call for help, or if it's a Mega call for help, but it seems huge to me. If you guys would be willing to give me a hand, I'd greatly, greatly, GREATLY appreciate it.

No need for an immediate response, though, because I have to get some sleep. I've been awake since early yesterday; I work third shift, and I've pretty much put in another shift of work this morning trying to sort this thing out. So I'm already getting punchy, and if I don't stop soon I'll fall asleep and be drooling on the keyboard, and then I'll have a fourth malfunction to deal with. :thumbsup:

So, I think I've given all the details that I know to give. Thank you in advance for any help you can give.
David
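As an added illustration (not part of this post, and not code from HijackThis or SUPERAntiSpyware), here is a small Python triage script for the two log formats pasted above. It parses HJT entry lines and SAS detection groups, then flags the HJT autostart, BHO, toolbar and service entries whose file SAS already named, entries that point at a file which is not on disk, and the Run entry whose name did not render in the log. The sample lines are copied from the logs in this post (a short excerpt, not the whole log); the way SAS category headings are recognised (a line without a backslash) and the path regex are my own assumptions, not a documented format.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of HijackThis v1.99.1 lines copied from the
# log in the post above (the real log is far longer). Raw strings keep the
# backslashes intact.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video Access ActiveX Object\iesplugin.dll
O4 - HKLM\..\Run: [SpyDawn] C:\Program Files\SpyDawn\SpyDawn.exe /h
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
"""

# Constructed sample: an excerpt of the SUPERAntiSpyware log from the same post.
SAS_SAMPLE = r"""
Trojan.Media-Codec
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMNTR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\IESPLUGIN.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISADD.DLL
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video Access ActiveX Object\isamntr.exe ]
Malware.SpyDawn
C:\PROGRAM FILES\SPYDAWN\SPYDAWN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#SpyDawn [ C:\Program Files\SpyDawn\SpyDawn.exe /h ]
Trojan.Smitfraud Variant
C:\WINDOWS\SYSTEM32\GEPLXSS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{aed6f6a3-183c-488d-9f90-23db99f56e7f}
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A Windows path ending in .exe or .dll; it stops at quotes and brackets so
# command-line arguments and SAS's "[ ... ]" wrappers are not swallowed.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:exe|dll)', re.I)


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def parse_sas(text):
    """Group SAS detections under their category heading.

    Heuristic (an assumption about the format, not documented by SAS):
    a line with no backslash is a category heading; every other line is a
    file path or registry key belonging to the most recent category.
    """
    groups = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "\\" not in line:
            current = line
        elif current is not None:
            groups[current].append(line)
    return dict(groups)


def paths_by_category(sas):
    """Map every file path SAS flagged (lower-cased) to its category, including
    paths embedded in registry values such as Run#SpyDawn [ ... ]."""
    table = {}
    for category, items in sas.items():
        for item in items:
            for path in PATH_RE.findall(item):
                table.setdefault(path.lower(), category)
    return table


def triage_hjt(hjt_text, sas):
    """Return [(section, body, reasons)] for HJT entries worth a second look:
    the file is one SAS already detected, the entry points at a file that is
    not on disk, or a Run entry whose name did not render in the log."""
    known = paths_by_category(sas)
    flagged = []
    for section, body in parse_hjt(hjt_text):
        reasons = []
        for path in PATH_RE.findall(body):
            category = known.get(path.lower())
            if category:
                reasons.append(f"file flagged by SAS as {category}")
                break
        if "(no file)" in body or "(file missing)" in body:
            reasons.append("points at a file that is not on disk")
        if section == "O4" and "?" in body:
            reasons.append("Run entry name is unreadable in the log")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage_hjt(HJT_SAMPLE, parse_sas(SAS_SAMPLE)):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
```

Run against the excerpt it flags six of the eight HJT lines; the two Symantec lines that point at files still on disk and the BearShare start-page line are left alone, which is the point: cross-referencing a scanner's detections against the autostart list separates the entries that carry the infection from the noise of a vendor-loaded laptop.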

#2 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • OFFLINE
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:17 AM

Posted 07 March 2007 - 10:11 PM

Could you post a fresh HijackThis log. Thanks.

Almost forgot

Welcome to BC :thumbsup:
Microsoft MVP Consumer Security--2007-2010

#3 coldfrozen

coldfrozen
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 08 March 2007 - 08:54 AM

Hi, thanks for the welcome; and thanks for "taking my case." I feel like you're the Perry Mason to my... hopeless defendant. :thumbsup:

I checked in quickly last night before work from my own PC, but didn't have any time at all to post back or to fire up her laptop. But anyway, like I mentioned, I didn't really do anything with SUPERAntiSpyware yesterday, besides run a scan; I didn't have it quarantine or fix anything until I knew I was doing the right thing. So the logs I posted from HJT and from SAS in my original post are still the current logs. So, I'm currently running the scan again on SAS, and this time I will go ahead and have it quarantine the items found, and then I'll post the HJT log as soon as it's done.

Thanks again very much.
David

#4 coldfrozen

coldfrozen
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:17 AM

Posted 08 March 2007 - 11:04 AM

WOW! I've run SUPERAntiSpyware and after quarantining the bad items and rebooting, everything seems to be perfectly fine. All of the programs that were downloaded in that bundle, all the suspicious processes that were running, all of them appear to be gone; and the Windows Explorer restarting loop has stopped. And you have no idea how much better that makes me feel!

Okay then, here are the new logs. Following the directions you gave to the other guy, here are the results of my SAS scan, followed by a fresh HijackThis log. Oh, but once again, during the scan HJT gave me the error messages I mentioned earlier:

"An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16386
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan."

So, again, I don't know if that's a problem or not. But anyway, here are the logs:

SAS:
--------------------------------
SUPERAntiSpyware Scan Log
Generated 03/08/2007 at 09:25 AM

Application Version : 3.5.1016

Core Rules Database Version : 3195
Trace Rules Database Version: 1205

Scan type : Complete Scan
Total Scan Time : 00:53:23

Memory items scanned : 776
Memory threats detected : 6
Registry items scanned : 6739
Registry threats detected : 61
File items scanned : 57228
File threats detected : 112

Trojan.Media-Codec
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMNTR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMNTR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMSNRR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMSNRR.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMINI.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISAMINI.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMMNT.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\PMMNT.EXE
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\IESPLUGIN.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\IESPLUGIN.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISADD.DLL
C:\PROGRAM FILES\VIDEO ACCESS ACTIVEX OBJECT\ISADD.DLL
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\Implemented Categories
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\InprocServer32
HKCR\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\InprocServer32#ThreadingModel
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32
HKCR\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32#ThreadingModel
HKU\S-1-5-21-711563804-2321881686-2758471976-1000\Software\Internet Security
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Video Access ActiveX Object#Publisher
C:\Program Files\Video Access ActiveX Object\iesuninst.exe
C:\Program Files\Video Access ActiveX Object\isunst.exe
C:\Program Files\Video Access ActiveX Object\ot.ico
C:\Program Files\Video Access ActiveX Object\pmunst.exe
C:\Program Files\Video Access ActiveX Object\ts.ico
C:\Program Files\Video Access ActiveX Object\uninst.exe
C:\Program Files\Video Access ActiveX Object
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{84938242-5C5B-4A55-B6B9-A1507543B418}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#user32.dll [ C:\Program Files\Video Access ActiveX Object\isamntr.exe ]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#rare [ C:\Program Files\Video Access ActiveX Object\pmsnrr.exe ]
C:\Windows\Prefetch\ISAMINI.EXE-A5A6FB9C.pf
C:\Windows\Prefetch\ISAMNTR.EXE-3956FDC0.pf
C:\Windows\Prefetch\PMMNT.EXE-75CA34CE.pf
C:\Windows\Prefetch\PMSNRR.EXE-2E1F27CC.pf

Malware.SpyDawn
[SpyDawn] C:\PROGRAM FILES\SPYDAWN\SPYDAWN.EXE
C:\PROGRAM FILES\SPYDAWN\SPYDAWN.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\SpyDawn.exe
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\edxbzni
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\InprocServer32#ThreadingModel
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\jzijfwghpsJn
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\mzmdrVomf
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\nvzxfsofkb
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\SrbgfuadGpwdp
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\tszscNYwosrE
HKCR\CLSID\{C1DF2728-8510-0773-96D8-5D0C1F27821B}\vkMhggam
HKLM\Software\SpyDawn
HKLM\Software\SpyDawn#refid
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#NSIS:StartMenuDir
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpyDawn#Publisher
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#SpyDawn [ C:\Program Files\SpyDawn\SpyDawn.exe /h ]
C:\Program Files\SpyDawn\blacklist.txt
C:\Program Files\SpyDawn\ignored.lst
C:\Program Files\SpyDawn\Lang\English.ini
C:\Program Files\SpyDawn\Lang
C:\Program Files\SpyDawn\Logs
C:\Program Files\SpyDawn\msvcp71.dll
C:\Program Files\SpyDawn\msvcr71.dll
C:\Program Files\SpyDawn\Quarantine
C:\Program Files\SpyDawn\sd.dat
C:\Program Files\SpyDawn\sd.ini
C:\Program Files\SpyDawn\SpyDawn.url
C:\Program Files\SpyDawn\uninst.exe
C:\Program Files\SpyDawn
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpyDawn
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\SpyDawn 3.1.lnk
C:\Users\JENNIFEFR\Desktop\SpyDawn.lnk
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Start Menu\SpyDawn 3.1.lnk
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\SPYDAWN 3.1.LNK
C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\UNINSTALL SPYDAWN 3.1.LNK
C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\SPYDAWN 3.1.LNK
C:\USERS\ALL USERS\MICROSOFT\WINDOWS\START MENU\PROGRAMS\SPYDAWN\UNINSTALL SPYDAWN 3.1.LNK
C:\USERS\JENNIFEFR\APPDATA\LOCAL\TEMP\AVE523.EXE
C:\Windows\Prefetch\SPYDAWN.EXE-3B7DCFA2.pf

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}\InProcServer32
HKCR\CLSID\{AED6F6A3-183C-488D-9F90-23DB99F56E7F}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEPLXSS.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{aed6f6a3-183c-488d-9f90-23db99f56e7f}

Adware.Tracking Cookie
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@perf.overture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@www.ez-tracks[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@doubleclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@spydawn[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@2o7[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@ez-tracks[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@mediaplex[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@atdmt[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@webtrendslive.bbandt[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@fastclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@atwola[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@www.pestcapture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@advertising[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\jennifefr@apmebf[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@2o7[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@a.websponsors[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@a.websponsors[3].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adbrite[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adinterax[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adprofile[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@adrevolver[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ads.adbrite[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ads.pointroll[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@advertising[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@atdmt[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@atwola[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@azjmp[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@bluestreak[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@casalemedia[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@cb.adprofile[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@citi.bridgetrack[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@click.cashengines[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@clickbank[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@coolsavings[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@doubleclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ehg-adteractive.hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ehg-equifax.hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ehg-publiciswest.hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@enhance[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@ez-tracks[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@eztracks.aavalue[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@fastclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@hitbox[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@hotbar[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@icc.intellisrv[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@jumps.ez-tracks[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@media.adrevolver[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@mediaplex[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@overture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@partner2profit[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@perf.overture[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@precisionclick[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@questionmarket[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@realmedia[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@revsci[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@stats.theharrisonventure[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@stats1.reliablestats[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@tacoda[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@tribalfusion[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@webtrendslive.bbandt[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@www.ez-tracks[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@www.googleadservices[1].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@www.googleadservices[2].txt
C:\Users\JENNIFEFR\AppData\Roaming\Microsoft\Windows\Cookies\Low\jennifefr@zedo[2].txt

Trojan.Security Toolbar
C:\ProgramData\Microsoft\Windows\Start Menu\Online Security Guide.url
C:\ProgramData\Microsoft\Windows\Start Menu\Security Troubleshooting.url
C:\Users\Public\Desktop\Security Troubleshooting.url
C:\Users\Public\Desktop\Online Security Guide.url

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
C:\Windows\Prefetch\BEARSHARE.EXE-D62DC8F8.pf
--------------------------------------------------------------------------------------------------




And here is the fresh HJT log:
-------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:51:24 AM, on 3/8/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\Taskmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Windows\System32\notepad.exe
C:\Users\JENNIFEFR\AppData\Local\Temp\Temp2_hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - (no file)
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

-----------------------------------------------------------------------------------------------

Okay, there she is. Whether it's perfectly clean yet or not, it's already SO much better. It's not even my computer, but I'm totally thrilled.

Alright then, I'll check in later and see if you've had a chance to look it over yet. Thanks.
David
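Reading the two logs side by side is where the useful signal is: the HijackThis O2 line for {A6ACAE64-F798-4930-AD86-BD3FB32038DB} now says "(no file)" because SUPERAntiSpyware removed the DLL but the BHO registration is still there. The triage script below is an added example, not part of this thread or of HijackThis; it parses HJT-style lines, cross-references CLSIDs against the ones SUPERAntiSpyware reported above, and flags orphaned BHOs, autostart entries with unprintable names, and services pointing at missing files. The sample log lines are constructed from the shapes seen in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the HijackThis v1.99.1 log posted above
# (a handful of lines, not the full log).
SAMPLE_LOG = r'''
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
'''

# CLSIDs that the SUPERAntiSpyware log in this thread attributed to
# Trojan.Media-Codec, Malware.SpyDawn and Trojan.Smitfraud Variant.
SAS_CLSIDS = frozenset({
    "{84938242-5C5B-4A55-B6B9-A1507543B418}",
    "{A6ACAE64-F798-4930-AD86-BD3FB32038DB}",
    "{AED6F6A3-183C-488D-9F90-23DB99F56E7F}",
    "{C1DF2728-8510-0773-96D8-5D0C1F27821B}",
})

# HJT lines look like "O2 - BHO: ..." or "R1 - HKCU\...".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_NAME_RE = re.compile(r"\[(.*?)\]")


@dataclass
class Entry:
    section: str
    body: str
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT item line, or None for headers/process lists."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("section"), m.group("body"))
    c = CLSID_RE.search(entry.body)
    if c:
        entry.clsid = c.group(0).upper()   # normalise case for set lookups
    return entry


def flag_entry(entry: Entry, known_bad_clsids=frozenset()) -> List[str]:
    """Attach triage flags to an entry. Flags are hints for a human, not verdicts."""
    if entry.section == "O2" and entry.body.endswith("(no file)"):
        entry.flags.append("orphaned BHO: CLSID still registered, DLL gone")
    if entry.clsid and entry.clsid in known_bad_clsids:
        entry.flags.append("CLSID matches an earlier scanner detection")
    if entry.section == "O4":
        name = O4_NAME_RE.search(entry.body)
        # HJT prints '?' for characters it cannot render; SilentRunners shows
        # the same item as an "unwritable string". Worth a manual look.
        if name and "?" in name.group(1):
            entry.flags.append("autostart entry with unprintable name")
    if entry.section == "O23" and "(file missing)" in entry.body:
        # Often a parse artifact when the ImagePath is a quoted exe plus
        # arguments, as with the Symantec services above, so verify by hand.
        entry.flags.append("service reported with missing file")
    return entry.flags


def triage(log_text: str, known_bad_clsids=frozenset()) -> List[Entry]:
    """Parse an HJT log and return only the entries that received a flag."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and flag_entry(entry, known_bad_clsids):
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, SAS_CLSIDS):
        print(f"{f.section} {f.clsid or '-'}")
        for flag in f.flags:
            print(f"    * {flag}")
```

Run against the full HJT log, the two O2 "(no file)" lines and the O4 entry with the unreadable name are the leftovers that still merit a look after the SAS cleanup.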

#5 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 08 March 2007 - 04:10 PM

Sometimes SUPERAntiSpyware misses some of this infection, so let's run this scan to check. We are limited because there are still quite a few fixes that don't work on Vista :thumbsup:

Download SilentRunners.zip
Extract SilentRunners to your Desktop
Double click on SilentRunners.vbs
Follow the prompts and scan may take a few minutes.
When the scan has finished, a .txt file called Startup Programs****.txt will appear on your desktop.
Please post the results from the .txt file in your next reply.
Microsoft MVP Consumer Security--2007-2010

#6 coldfrozen

coldfrozen
  • Topic Starter

  • Members
  • 7 posts

Posted 09 March 2007 - 08:55 AM

Yeah, you weren't kidding when you said there are quite a few fixes that don't work on Vista. Since this thing is running smoothly again, I went back to run the programs you guys recommend running before posting for help, and several of them don't work on Vista yet. But I ran the ones that would, at least. Just FYI, since my last post I've run Ad-Aware until it came up clean, Spybot once, and McAfee AVERT Stinger once. Neither Housecall Anti Virus, Panda Anti Virus, nor Bit Defender would work on Vista. And no luck installing either of the recommended firewalls either; thought I might put one on here before giving it back to her. Oh well.

Anyway, I ran SilentRunners just now, but I didn't have it run the supplementary search that it asks about at the start. It said that it's often unnecessary and takes a "long" time; and I figured since you didn't direct me to do that part, that it probably really was unnecessary. I hope I chose correctly. Anyway, here then is the log:
-----------------------------------------------------------------------
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows Vista RC1
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS]
"****r" (unwritable string) = "(empty string)" [file not found]
"*********" (unwritable string) = "**************e" (unwritable string) [file not found]
"ehTray.exe" = "C:\Windows\ehome\ehTray.exe" [MS]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"Acer Tour" = "(empty string)" [file not found]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"osCheck" = ""C:\Program Files\Norton Internet Security\osCheck.exe"" ["Symantec Corporation"]
"Acer Assist Launcher" = "C:\Program Files\Acer Assist\launcher.exe" ["Acer Inc."]
"SetPanel" = "(empty string)" [file not found]
"LManager" = "C:\PROGRA~1\LAUNCH~1\LManager.exe" ["Dritek System Inc."]
"eDataSecurity Loader" = "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" ["HiTRUST"]
"eRecoveryService" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1E8A6170-7264-4D0F-BEAE-D42A53123C75}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll" ["Symantec Corporation"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\yiesrvc.dll" ["Yahoo! Inc."]
{83A2F9B1-01A2-4AA5-87D1-45B6B8505E96}\(Default) = (no title provided)
-> {HKLM...CLSID} = "ShowBarObj Class"
\InProcServer32\(Default) = "C:\Windows\system32\ActiveToolBand.dll" ["HiTRUST"]
{D0285C32-F09A-49bd-BA67-FDAB0A58675E}\(Default) = "XBTP01621"
-> {HKLM...CLSID} = "XBTP01621 Class"
\InProcServer32\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{E7DE9B1A-7533-4556-9484-B26FB486475E}" = (no title provided)
-> {HKLM...CLSID} = "Network Map"
\InProcServer32\(Default) = "C:\Windows\system32\shdocvw.dll" [MS]
"{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486}" = "IGD Property Sheet Handler"
-> {HKLM...CLSID} = "IGD Property Page"
\InProcServer32\(Default) = "C:\Windows\System32\icsigd.dll" [MS]
"{8856f961-340a-11d0-a96b-00c04fd705a2}" = "Microsoft Web Browser"
-> {HKLM...CLSID} = "Microsoft Web Browser"
\InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]
"{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}" = "MSHTML Document"
-> {HKLM...CLSID} = "MHTML Document"
\InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]
"{25336920-03f9-11cf-8fd0-00aa00686f13}" = "HTML Document"
-> {HKLM...CLSID} = "HTML Document"
\InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]
"{74246bfc-4c96-11d0-abef-0020af6b0b7a}" = "Device Manager"
-> {HKLM...CLSID} = "Device Manager"
\InProcServer32\(Default) = "C:\Windows\System32\devmgr.dll" [MS]
"{44f3dab6-4392-4186-bb7b-6282ccb7a9f6}" = "MyDocuments menu and properties"
-> {HKLM...CLSID} = "MyDocuments menu and properties"
\InProcServer32\(Default) = "C:\Windows\system32\mydocs.dll" [MS]
"{D34A6CA6-62C2-4C34-8A7C-14709C1AD938}" = "Common Places Folder"
-> {HKLM...CLSID} = "Common Places FS Folder"
\InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]
"{865e5e76-ad83-4dca-a109-50dc2113ce9a}" = "Programs Folder and Fast Items"
-> {HKLM...CLSID} = "Programs Folder and Fast Items"
\InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]
"{21ec2020-3aea-1069-a2dd-08002b30309d}" = "Control Panel"
-> {HKLM...CLSID} = "Control Panel"
\InProcServer32\(Default) = "shell32.dll" [MS]
"{25585dc7-4da0-438d-ad04-e42c8d2d64b9}" = "Client application shell extension"
-> {HKLM...CLSID} = "Client application shell extension"
\InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]
"{4d5c8c2a-d075-11d0-b416-00c04fb90376}" = "Microsoft CommBand"
-> {HKLM...CLSID} = "Microsoft CommBand"
\InProcServer32\(Default) = "C:\Windows\system32\browseui.dll" [MS]
"{92337A8C-E11D-11D0-BE48-00C04FC30DF6}" = "OlePrn.PrinterURL"
-> {HKLM...CLSID} = "prturl Class"
\InProcServer32\(Default) = "C:\Windows\system32\oleprn.dll" [MS]
"{16C2C29D-0E5F-45f3-A445-03E03F587B7D}" = "group_wab_auto_file"
-> {HKLM...CLSID} = ".group shell context menu"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]
"{CF67796C-F57F-45F8-92FB-AD698826C602}" = "contact_wab_auto_file"
-> {HKLM...CLSID} = ".contact shell context menu"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]
"{90b9bce2-b6db-4fd3-8451-35917ea1081b}" = "Search Execute Command"
-> {HKLM...CLSID} = "CLSID_SearchExecute"
\InProcServer32\(Default) = "ExplorerFrame.dll" [MS]
"{1a184871-359e-4f67-aad9-5b9905d62232}" = "Microsoft Windows Font File Context Menu Handler"
-> {HKLM...CLSID} = "Microsoft Windows Font Context Menu Handler"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{8a7cae0e-5951-49cb-bf20-ab3fa1e44b01}" = "Microsoft Windows Font Previewer"
-> {HKLM...CLSID} = "Microsoft Windows Font Preview Handler"
\InProcServer32\(Default) = "fontext.dll" [MS]
"{BC65FB43-1958-4349-971A-210290480130}" = "Network Explorer Property Sheet Handler"
-> {HKLM...CLSID} = "Ncd Property Page"
\InProcServer32\(Default) = "C:\Windows\System32\NcdProp.dll" [MS]
"{0a4286ea-e355-44fb-8086-af3df7645bd9}" = "Windows Media Player"
-> {HKLM...CLSID} = "&Windows Media Player"
\InProcServer32\(Default) = "C:\PROGRA~1\WI4EB4~1\wmpband.dll" [MS]
"{BB6B2374-3D79-41DB-87F4-896C91846510}" = "EMDFileProperties"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "emdmgmt.dll" [MS]
"{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}" = "Sync Center Simple Conflict Presenter"
-> {HKLM...CLSID} = "Simple Conflict Presenter"
\InProcServer32\(Default) = "C:\Windows\System32\SyncCenter.dll" [MS]
"{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}" = (no title provided)
-> {HKLM...CLSID} = "Windows Anytime Upgrade"
\InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]
"{00f20eb5-8fd6-4d9d-b75e-36801766c8f1}" = "PhotoAcqDropTarget"
-> {HKLM...CLSID} = "PhotoAcqDropTarget"
\InProcServer32\(Default) = "C:\Program Files\Windows Photo Gallery\PhotoAcq.dll" [MS]
"{91ADC906-6722-4B05-A12B-471ADDCCE132}" = "Touch Band"
-> {HKLM...CLSID} = "Touch Pointer"
\InProcServer32\(Default) = "C:\Windows\System32\TouchX.dll" [MS]
"{7D4734E6-047E-41e2-AEAA-E763B4739DC4}" = "Windows Media Player Play as Playlist Context Menu Handler"
-> {HKLM...CLSID} = "WMP Play Folder As Playlist Launcher"
\InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]
"{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A}" = "GameUX.RichGameMediaThumbnail"
-> {HKLM...CLSID} = "RichGameMediaThumbnail Class"
\InProcServer32\(Default) = "C:\Windows\System32\gameux.dll" [MS]
"{15D633E2-AD00-465b-9EC7-F56B7CDF8E27}" = "Tablet PC Input Panel"
-> {HKLM...CLSID} = "Tablet PC Input Panel"
\InProcServer32\(Default) = "C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll" [MS]
"{6b9228da-9c15-419e-856c-19e768a13bdc}" = "Windows gadget DropTarget"
-> {HKLM...CLSID} = "Windows gadget DropTarget"
\InProcServer32\(Default) = "C:\Program Files\Windows Sidebar\sbdrop.dll" [MS]
"{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" = "Windows Media Player Shop Music Context Menu Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]
"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]
"{2b45bd21-71f8-4c8c-a87a-7eeb25a1a3e0}" = "EPM-PO Shell Extension"
-> {HKLM...CLSID} = "EPM-PO Shell Extensions"
\InProcServer32\(Default) = "epm-po.dll" [file not found]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
EDSshellExt\(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"
-> {HKLM...CLSID} = "eDSshlExt Class"
\InProcServer32\(Default) = "C:\Windows\system32\eDSshellExt.dll" ["HiTRUST"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NORTON~1\NORTON~1\NavShExt.dll" ["Symantec Corporation"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"ConsentPromptBehaviorAdmin" = (REG_DWORD) hex:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}

"ConsentPromptBehaviorUser" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Behavior Of The Elevation Prompt For Standard Users}

"EnableInstallerDetection" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Detect Application Installations And Prompt For Elevation}

"EnableLUA" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Run All Administrators In Admin Approval Mode}

"EnableSecureUIAPaths" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Only elevate UIAccess applications that are installed in secure locations}

"EnableVirtualization" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Virtualize file and registry write failures to per-user locations}

"PromptOnSecureDesktop" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Conrol: Switch to the secure desktop when prompting for elevation}

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"FilterAdministratorToken" = (REG_DWORD) hex:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
User Account Control: Admin Approval Mode for the Built-in Administrator Account}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Windows\Web\Wallpaper\img23.jpg"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Windows\Web\Wallpaper\img23.jpg"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\Bubbles.scr" [MS]


Startup items in "JENNIFEFR" & "All Users" startup folders:
-----------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Empowering Technology Launcher" -> shortcut to: "C:\Acer\Empowering Technology\eAPLauncher.exe 9999" ["Acer Inc."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000007\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}"
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"
-> {HKLM...CLSID} = "BearShare MediaBar"
\InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{90222687-F593-4738-B738-FBEE9C7B26DF}" = "NCO Toolbar"
-> {HKLM...CLSID} = "Show Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll" ["Symantec Corporation"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided)
-> {HKLM...CLSID} = "Acer eDataSecurity Management"
\InProcServer32\(Default) = "C:\Windows\system32\eDStoolbar.dll" ["HiTRUST"]
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)
-> {HKLM...CLSID} = "BearShare MediaBar"
\InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\common\yiesrvc.dll" ["Yahoo! Inc."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
<<H>> "{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)
-> {HKLM...CLSID} = "BearShare MediaBar"
\InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]


HOSTS file
----------

C:\Windows\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati External Event Utility, Ati External Event Utility, "C:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]
Bluetooth Support Service, BthServ, "C:\Windows\system32\svchost.exe -k bthsvcs" {"C:\Windows\System32\bthserv.dll" [MS]}
CNG Key Isolation, KeyIso, "C:\Windows\system32\lsass.exe" [MS]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\CyberLink\Shared Files\RichVideo.exe"" [empty string]
eLock Service, eLockService, "C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe" [null data]
eNet Service, eNet Service, "C:\Acer\Empowering Technology\eNet\eNet Service.exe" ["Acer Inc."]
ePower Service, WMIService, "C:\Acer\Empowering Technology\ePower\ePowerSvc.exe" ["acer"]
eRecovery Service, eRecoveryService, "C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe" [null data]
eSettings Service, eSettingsService, "C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe" [null data]
Extensible Authentication Protocol, EapHost, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\System32\eapsvc.dll" [MS]}
Infrared monitor service, Irmon, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\irmon.dll" [MS]}
IP Helper, iphlpsvc, "C:\Windows\System32\svchost.exe -k NetSvcs" {(missing data)}
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
MobilityService, MobilityService, "C:\Acer\Mobility Center\MobilityService.exe -p" [null data]
Network Store Interface Service, nsi, "C:\Windows\system32\svchost.exe -k LocalService" {(missing data)}
Symantec AppCore Service, SymAppCore, ""C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe"" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Lic NetConnect service, CLTNetCnService, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon" ["Symantec Corporation"]
TCP/IP NetBIOS Helper, lmhosts, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}
Windows Event Log, Eventlog, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}
WLAN AutoConfig, Wlansvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\wlansvc.dll" [MS]}
XAudioService, XAudioService, "C:\Windows\system32\DRIVERS\xaudio.exe" ["Conexant Systems, Inc."]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 68 seconds, including 18 seconds for message boxes)
-----------------------------------------------------------------------------------------------------

And just for good measure, I'll add a fresh HijackThis log. I don't know if you need it at this point or not, but just in case.

------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:33:03 AM, on 3/9/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Windows\system32\taskeng.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\JENNIFEFR\AppData\Local\Temp\Temp3_hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - (no file)
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--------------------------------------------------------------------------------------------------

And there's where we are now.
Alrighty then, I await your masterful advice. :thumbsup:
Thanks,
David
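The Silent Runners summary above reports that the HOSTS file "maps: 2 domain names to IP addresses, 1 of the IP addresses is *not* localhost", and the HijackThis log lists "O1 - Hosts: ::1 localhost". Those two findings are the same line: Vista's default HOSTS file maps localhost to both the IPv4 loopback (127.0.0.1) and the IPv6 loopback (::1), and a checker that only knows 127.0.0.1 reports the second entry as foreign. The Python below is an added example, not part of this post, of Silent Runners or of HijackThis; it audits HOSTS contents the way a helper would want to, treating both loopback forms as benign while flagging the two patterns that matter on a compromised machine: a name sent to a remote address, and an external name pinned to loopback (a common way to silence an updater). The file contents are constructed for the example, not taken from the laptop in the thread, and the hostnames use the reserved .invalid TLD.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample: what a Vista-era default HOSTS file looks like.
# Both lines are loopback; neither should be reported.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
"""

# Constructed sample of a tampered file (names are placeholders under .invalid).
SAMPLE_HIJACKED_HOSTS = SAMPLE_HOSTS + """\
# constructed example of the kind of entries a hijack adds
203.0.113.10    www.security-vendor.invalid
127.0.0.1       liveupdate.vendor.invalid   # pinning an updater to loopback blocks its updates
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for each active line.

    Blank lines, comment lines and trailing '# ...' comments are ignored,
    as the HOSTS parser itself ignores them.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # address with no hostname: inert, skip it
        entries.append((parts[0], parts[1:]))
    return entries


def is_loopback(address: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for any other address or unparsable text."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_hosts(text: str, local_names=("localhost",)) -> List[str]:
    """Flag mappings a malware-removal helper would want to see.

    - a hostname mapped to a non-loopback address (traffic redirected elsewhere)
    - a hostname other than the expected local names mapped to loopback
      (the host is being blackholed, typically a security vendor's update site)
    """
    findings = []
    for address, names in parse_hosts(text):
        foreign = [n for n in names if n.lower() not in local_names]
        if not is_loopback(address):
            findings.append(f"non-loopback mapping: {' '.join(names)} -> {address}")
        elif foreign:
            findings.append(f"external name pinned to loopback: {' '.join(foreign)} -> {address}")
    return findings


if __name__ == "__main__":
    for label, contents in (("default", SAMPLE_HOSTS), ("tampered", SAMPLE_HIJACKED_HOSTS)):
        print(f"{label}: {audit_hosts(contents) or 'nothing suspicious'}")
```

Run against a real file, the same functions work on the contents of C:\Windows\System32\drivers\etc\hosts; the point of the `is_loopback` helper is that the `::1 localhost` line the 2007-era tools flagged comes back clean while a genuine redirect does not.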

#7 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:17 AM

Posted 09 March 2007 - 10:23 AM

HijackThis is running from a Temp directory; please extract/unzip it to a permanent place, e.g. C:\Program Files. Then you can fix these.

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - (no file)

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


Also, I would recommend uninstalling the BearShare MediaBar toolbar. It comes bundled with BearShare; however, you have the option not to install it. It may redirect you to some sponsored pages. See here.

If you decide to remove it, then fix these with HijackThis:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll


Then delete this folder

C:\Program Files\BearShare applications\BearShare MediaBar


Any questions, just let me know. Thanks.
Microsoft MVP Consumer Security--2007-2010
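The fix list in the post above was assembled by hand: the two BHOs whose DLL no longer exists, plus every line that references the BearShare MediaBar. The Python below is an added example (not the poster's method and not HijackThis code) that does that triage over HijackThis-style lines: it splits each line into its section code (R0, O2, O3 ...) and body, extracts the CLSID, and offers three lookups a helper actually uses: entries whose file is gone, entries referencing a given component, and the hostnames set as search and start pages. The sample lines are copied from the log posted earlier in this thread. One caveat the sample shows: the O2 line stores the toolbar DLL under an 8.3 short path (`BEARSH~1\BEARSH~2\MediaBar.dll`), so matching on the word "bearshare" alone misses it; matching on the DLL file name as well catches it.

```python
import re
from typing import Dict, List, Set

# HijackThis-style lines copied from the log posted above in this thread.
# The R/O prefixes are the tool's own section codes; everything else here is an added example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A57EE9D7-0534-496A-B2B0-E95866D0C1B0} - (no file)
O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - (no file)
O2 - BHO: XBTP01621 - {D0285C32-F09A-49bd-BA67-FDAB0A58675E} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# "O2 - BHO: ..." -> section "O2", body "BHO: ..."
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# A registry CLSID in braces, e.g. {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Host part of an http(s) URL in an R0/R1 line
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Parse the R*/O* lines of a HijackThis log; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "section": m.group("section"),
            "body": body,
            "clsid": clsid.group(0).upper() if clsid else "",   # normalise case for comparison
            "line": line,
        })
    return entries


def orphaned_entries(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Registrations whose backing file is gone: HijackThis marks them '(no file)' or '(file missing)'.

    These are inert but are left behind by removed software or malware, and are the
    safest lines to clean first, which is why the post above starts with them.
    """
    return [e for e in entries if "(no file)" in e["body"] or "(file missing)" in e["body"]]


def entries_referencing(entries: List[Dict[str, str]], *fragments: str) -> List[Dict[str, str]]:
    """Every line mentioning any of the fragments (case-insensitive): builds a per-component fix list.

    Pass the DLL file name as well as the product name, because 8.3 short paths such as
    PROGRA~1\\BEARSH~1 do not contain the product name.
    """
    wanted = [f.lower() for f in fragments]
    return [e for e in entries if any(f in e["line"].lower() for f in wanted)]


def url_hosts(entries: List[Dict[str, str]]) -> Set[str]:
    """Hostnames set as start/search pages (R0/R1 lines), for a quick look at who owns them."""
    hosts: Set[str] = set()
    for e in entries:
        if e["section"].startswith("R"):
            hosts.update(URL_HOST_RE.findall(e["body"]))
    return hosts


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("orphaned:", [e["clsid"] for e in orphaned_entries(found)])
    print("bearshare fix list:")
    for e in entries_referencing(found, "bearshare", "mediabar.dll"):
        print("  ", e["line"])
    print("start/search hosts:", sorted(url_hosts(found)))
```

The seven lines `entries_referencing(found, "bearshare", "mediabar.dll")` returns are exactly the seven the post above lists for the MediaBar; with only `"bearshare"` as the fragment the O2 line under the short path drops out, which is the mistake the file-name match guards against.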

#8 coldfrozen

coldfrozen
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 AM

Posted 09 March 2007 - 12:48 PM

Hi,
I've tried to get rid of the first two items you pointed out, by following your instructions, but I'm not sure if I'm doing it right, because after I click "Fix checked", it just sits there. Am I supposed to wait for a message from HJT telling me to reboot, or do I click "Fix checked" and then reboot it manually right away? After I click "Fix checked" the scan list blanks out (just the list of items found in the scan -- the program interface stays) and it doesn't really appear to be doing anything. The mouse cursor blinks into an hourglass about every, say, 5 seconds, but just a very, very quick blink -- enough to look like it's trying to do something, but not enough to make me at all confident. So I waited for probably ten minutes, and nothing changed on the screen.

And oh yeah, just so you don't have to wonder, I did extract HJT to C:\Program Files\HijackThis.

One other concern I have is, I've got all the other windows closed, but am I supposed to close applications like Symantec, which are running in the taskbar?

So, after waiting a few minutes for something else to happen after clicking, "fix checked", I just tried CTRL+ALT+DEL, (I guess Vista doesn't do the automatic restart with a double press on CTRL+ALT+DEL) which brought up the options for powering down, and I clicked "Restart", and those two items still show up in a scan. And I've tried it a couple of times, each time turning off any other taskbar items that I can think of that might possibly help, still no luck. Anyway, now I'm trying it one more time and I guess I'll just wait as long as I can afford to wait, before I have to stop for the day -- which actually won't be much longer. Anyway, I'm writing this on my own PC and letting the laptop do whatever it's doing, and hope that a little more time will do the trick.

Any ideas?

#9 coldfrozen

coldfrozen
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 AM

Posted 09 March 2007 - 01:43 PM

Quick update as I'm getting ready to shut down for the day: I left it for about an hour and, no big surprise, it didn't do anything more than before. It's still there with a blank scan list, blinking an hourglass every few seconds. So, I don't know what I did wrong. So I'll check in again later.

Thanks again for all the time you're taking to help me.

D

#10 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:17 AM

Posted 09 March 2007 - 08:46 PM

Sorry for the confusion. When you reboot they should be gone. How much memory is installed on your new Vista computer?
Microsoft MVP Consumer Security--2007-2010

#11 coldfrozen

coldfrozen
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:17 AM

Posted 12 March 2007 - 06:08 AM

Hi,
Just wanted to leave a quick note to tell you that she now has her laptop back, since it's in pretty good working order now; and I told her she could find a link to here, in her Favorites, so that she can pick up from here to get the last remnants if she wants. So in case I'm no longer needed at this point, I wanted to say thanks once more for the help. It was very much appreciated. :thumbsup:
David

#12 sjpritch25

sjpritch25

  • Security Colleague
  • 898 posts
  • Gender:Male
  • Location:West Coast of Florida, USA
  • Local time:08:17 AM

Posted 12 March 2007 - 07:41 AM

Okay, I will leave this open for a few more days! You're welcome.
Microsoft MVP Consumer Security--2007-2010
