Please help with Aurora removal [CLOSED], HijackThis log included
csinclair21 (Member, Posts: 13, OS: Windows XP)
post Jul 23 2005, 06:17 PM, Post #1

I've gone through all of the steps (i.e. Spybot, antivirus program, etc.), but I'm still having some problems on my computer. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:14:14 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\hpdll\hpdll.exe
C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\mcm\mcm3.exe
C:\WINDOWS\system32\system.mcm
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Y356RXZ6i] hosiscon.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com/plugins/downloads/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4F96CE92-09EA-49D3-B478-F1892F6DCB6D} - http://imgfarm.com/images/nocache/funwebpr...etup1.0.0.6.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/02f770ae1d6266...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

I'd really appreciate your help. Thanks!

This post has been edited by csinclair21: Jul 23 2005, 07:07 PM
Replies (15 - 27)
csinclair21 (Member, Posts: 13, OS: Windows XP)
post Aug 1 2005, 04:38 AM, Post #16

Here are the Panda results:

Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Spyware:spyware/betterinet No disinfected HKEY_CURRENT_USER\SOFTWARE\IN3RD
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]


And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:40 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com/plugins/downloads/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
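An added example, not part of the original posts and not HijackThis code: a small Python script that diffs the O4 autostart entries between the Jul 23 log (post #1) and the Aug 1 log above, then flags the entries that survived using a few simple heuristics. The two embedded logs are excerpts copied from the two logs in this thread; the flagging rules (bare filename with no path, non-executable extension, program dropped directly into C:\WINDOWS, random-looking value name) are this example's own assumptions and not HijackThis, Panda or Spy Sweeper detections, so a flag means "look closer", not "this is malware".

```python
"""Diff two HijackThis logs and flag O4 autostart entries worth a second look."""
import re
from dataclasses import dataclass

# Excerpt copied from the first HijackThis log in this thread (Jul 23).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [MCM3] C:\WINDOWS\mcm\mcm3.exe
O4 - HKLM\..\Run: [Microsoft Windows Application] system.mcm
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Y356RXZ6i] hosiscon.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
"""

# Excerpt copied from the second log (Aug 1), after McAfee was installed.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
"""

O4_REG = re.compile(r"^O4 - (?P<key>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>(?:Global|User) Startup): (?P<name>.*?) = (?P<cmd>.*)$")
GENERIC = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Heuristics: this example's own assumptions, not HijackThis rules.
RANDOM_NAME = re.compile(r"^(?=(?:.*\d){2})(?=.*[A-Za-z])[A-Za-z0-9]{8,}$")
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".lnk", ".vbs"}


@dataclass(frozen=True, order=True)
class Entry:
    section: str   # "O4", "R1", ...
    key: str       # "HKLM\..\Run", "Global Startup", or "" for non-O4 lines
    name: str      # value name / shortcut name, "" for non-O4 lines
    command: str   # command line, path or URL


def parse(log: str) -> list[Entry]:
    """Turn the R*/O* lines of a HijackThis log into Entry objects."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := (O4_REG.match(line) or O4_STARTUP.match(line)):
            entries.append(Entry("O4", m["key"], m["name"], m["cmd"]))
        elif m := GENERIC.match(line):
            entries.append(Entry(m["sec"], "", "", m["body"]))
    return entries


def program_path(command: str) -> str:
    """Strip quotes and trailing switches, leaving just the program path."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def suspicion(entry: Entry) -> list[str]:
    """Return the reasons (possibly none) an O4 entry deserves a closer look."""
    if entry.section != "O4":
        return []
    path = program_path(entry.command)
    base = path.rsplit("\\", 1)[-1]
    ext = base[base.rfind("."):].lower() if "." in base else ""
    reasons = []
    if "\\" not in path:
        reasons.append("no explicit path: Windows resolves it by PATH search")
    if ext not in EXEC_EXT:
        reasons.append(f"unusual extension {ext or '(none)'} for an autostart")
    if WINDOWS_ROOT.match(path):
        reasons.append("program sits directly in the Windows directory")
    if RANDOM_NAME.match(entry.name):
        reasons.append("random-looking value name")
    return reasons


def diff(before: list[Entry], after: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """Entries gone since the earlier log, and entries that appeared since."""
    return sorted(set(before) - set(after)), sorted(set(after) - set(before))


def triage(log: str) -> list[tuple[Entry, list[str]]]:
    """All flagged entries of a log, each with its reasons."""
    return [(e, suspicion(e)) for e in parse(log) if suspicion(e)]


if __name__ == "__main__":
    removed, added = diff(parse(LOG_BEFORE), parse(LOG_AFTER))
    print("Gone since the first log:")
    for e in removed:
        print(f"  {e.section} {e.key} [{e.name}] {e.command}")
    print("New since the first log:")
    for e in added:
        print(f"  {e.section} {e.key} [{e.name}] {e.command}")
    print("Still present and flagged:")
    for e, reasons in triage(LOG_AFTER):
        print(f"  [{e.name}] {e.command}: " + "; ".join(reasons))
```

Run as-is, the diff shows the hpdll, mcm3, system.mcm and hosiscon.exe Run values and the popupsearches SearchURL as gone between the two logs, and the McAfee entry as new. Of the survivors, the "Kerberos Authentication.lnk" shortcut is still flagged because it launches a program sitting directly in C:\WINDOWS, and the old "SystemTray" value is flagged only because it gives no path; both are prompts to check, not verdicts. To use it on a full log, paste the whole HijackThis output in place of the excerpts; the parser ignores the "Running processes" block and anything else that is not an R*/O* line.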
kool808 (Visiting Staff, Posts: 1,690, From: South East Asia, OS: Win 98 SE, Win XP Pro)
post Aug 1 2005, 05:32 AM, Post #17

Reboot in SAFE MODE. (How to boot in Safe Mode...)

Open up NOTEPAD, then copy & paste the following codes (starting from Windows Registry Editor Version 5.00). Save it on desktop as fixme.reg. Choose file types as ALL FILES.

CODE
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\SOFTWARE\IN3RD]
[-HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}]

Now double-click fixme.reg then allow it to merge to the system.

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist:
  • C:\WINDOWS\SYSTEM32\fiz1
  • C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
Finally, Empty Recycle Bin


Open Ad-aware and do a full scan. Remove all it finds.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Post again another log to look at.

This post has been edited by kool808: Aug 1 2005, 05:34 AM
csinclair21 (Member, Posts: 13, OS: Windows XP)
post Aug 2 2005, 04:37 AM, Post #18

Here is the latest Panda log:


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Adware:adware/topmoxie No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
kool808 (Visiting Staff, Posts: 1,690, From: South East Asia, OS: Win 98 SE, Win XP Pro)
post Aug 2 2005, 05:00 AM, Post #19

Please download WebRoot SpySweeper from [ HERE ] (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Run the Panda scan again to see the difference.
csinclair21 (Member, Posts: 13, OS: Windows XP)
post Aug 3 2005, 08:39 PM, Post #20

Here are the Spy Sweeper results:

********
9:03 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
9:03 PM: Spy Sweeper started
9:03 PM: Sweep initiated using definitions version 510
9:03 PM: Starting Memory Sweep
9:07 PM: Memory Sweep Complete, Elapsed Time: 00:04:08
9:07 PM: Starting Registry Sweep
9:07 PM: Found Adware: ebates money maker
9:07 PM: HKU\S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
9:07 PM: Found Adware: flashtrack
9:07 PM: HKCR\interface\{28168cce-5310-4f12-ab58-9da99a55aaeb}\ (8 subtraces) (ID = 126531)
9:07 PM: HKLM\software\classes\interface\{28168cce-5310-4f12-ab58-9da99a55aaeb}\ (8 subtraces) (ID = 126537)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 126538)
9:07 PM: HKLM\software\fen\ (7 subtraces) (ID = 126539)
9:07 PM: HKLM\software\flen\ (1 subtraces) (ID = 126540)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 126562)
9:07 PM: Found Adware: hotbar
9:07 PM: HKU\S-1-5-20\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:07 PM: HKU\S-1-5-19\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:07 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\shellbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127585)
9:07 PM: HKU\S-1-5-20\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:07 PM: HKU\S-1-5-19\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:07 PM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {b195b3b3-8a05-11d3-97a4-0004aca6948e} (ID = 127587)
9:07 PM: Found Adware: drsnsrch.com hijack
9:07 PM: HKU\S-1-5-21-1078081533-764733703-854245398-1003\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
9:07 PM: Found Adware: xoff
9:07 PM: HKCR\appid\x2ff.dll\ (1 subtraces) (ID = 147661)
9:07 PM: HKCR\appid\{3dec0d48-84da-483e-afd5-40619c00d465}\ (1 subtraces) (ID = 147662)
9:07 PM: HKCR\appid\{9b3c2a48-df6a-4364-9961-1c80f0ba83b3}\ (1 subtraces) (ID = 147663)
9:07 PM: HKCR\appid\{d1bb73a7-5d35-48c9-94c0-d0bd624b0f5d}\ (1 subtraces) (ID = 147664)
9:07 PM: HKCR\interface\{b0c5e55e-53df-4966-90a0-912d34cb64a7}\ (8 subtraces) (ID = 147668)
9:07 PM: HKCR\interface\{d9e03192-5849-4ae2-b76a-204820e6860c}\ (8 subtraces) (ID = 147669)
9:07 PM: HKCR\interface\{f9a74e8c-c877-46fd-8487-782b5868296e}\ (8 subtraces) (ID = 147670)
9:07 PM: HKLM\software\classes\appid\x2ff.dll\ (1 subtraces) (ID = 147671)
9:07 PM: HKLM\software\classes\appid\{3dec0d48-84da-483e-afd5-40619c00d465}\ (1 subtraces) (ID = 147672)
9:07 PM: HKLM\software\classes\appid\{9b3c2a48-df6a-4364-9961-1c80f0ba83b3}\ (1 subtraces) (ID = 147673)
9:07 PM: HKLM\software\classes\appid\{d1bb73a7-5d35-48c9-94c0-d0bd624b0f5d}\ (1 subtraces) (ID = 147674)
9:07 PM: HKLM\software\classes\interface\{b0c5e55e-53df-4966-90a0-912d34cb64a7}\ (8 subtraces) (ID = 147678)
9:07 PM: HKLM\software\classes\interface\{d9e03192-5849-4ae2-b76a-204820e6860c}\ (8 subtraces) (ID = 147679)
9:07 PM: HKLM\software\classes\interface\{f9a74e8c-c877-46fd-8487-782b5868296e}\ (8 subtraces) (ID = 147680)
9:07 PM: HKLM\software\classes\typelib\{1d1a0231-322a-4024-a282-697bf547970e}\ (9 subtraces) (ID = 147681)
9:07 PM: HKLM\software\classes\typelib\{a981f8f6-4505-4670-8d38-96a3e894d5be}\ (9 subtraces) (ID = 147682)
9:07 PM: HKLM\software\classes\typelib\{ef38c329-15f7-4a32-85b1-1d5770ff5f48}\ (9 subtraces) (ID = 147683)
9:07 PM: HKLM\software\classes\x1ff.xbrowse\ (5 subtraces) (ID = 147685)
9:07 PM: HKCR\typelib\{1d1a0231-322a-4024-a282-697bf547970e}\ (9 subtraces) (ID = 147693)
9:07 PM: HKCR\typelib\{a981f8f6-4505-4670-8d38-96a3e894d5be}\ (9 subtraces) (ID = 147694)
9:07 PM: HKCR\typelib\{ef38c329-15f7-4a32-85b1-1d5770ff5f48}\ (9 subtraces) (ID = 147695)
9:07 PM: HKCR\x1ff.xbrowse\ (5 subtraces) (ID = 147697)
9:07 PM: Found Adware: bonzi buddy
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\inprocserver32\ (2 subtraces) (ID = 169266)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\miscstatus\1\ (1 subtraces) (ID = 169267)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\progid\ (1 subtraces) (ID = 169268)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\programmable\ (ID = 169269)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\toolboxbitmap32\ (1 subtraces) (ID = 169270)
9:07 PM: HKCR\clsid\{86e5d750-02eb-11d3-a464-0080c858f182}\version\ (1 subtraces) (ID = 169271)
9:07 PM: HKCR\clsid\{aaa403c6-03b3-11d3-a465-0080c858f182}\ (5 subtraces) (ID = 169272)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 449649)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\ (8 subtraces) (ID = 449650)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\ (2 subtraces) (ID = 449652)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\win32\ (1 subtraces) (ID = 449653)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\flags\ (1 subtraces) (ID = 449655)
9:07 PM: HKCR\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\helpdir\ (1 subtraces) (ID = 449657)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\ (9 subtraces) (ID = 465256)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\ (8 subtraces) (ID = 465257)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\ (2 subtraces) (ID = 465259)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\0\win32\ (1 subtraces) (ID = 465260)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\flags\ (1 subtraces) (ID = 465262)
9:07 PM: HKLM\software\classes\typelib\{1bd49631-ae36-42f4-a37b-ca7f53146821}\1.0\helpdir\ (1 subtraces) (ID = 465264)
9:07 PM: Registry Sweep Complete, Elapsed Time:00:00:31
9:07 PM: Starting Cookie Sweep
9:07 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:07 PM: Starting File Sweep
9:07 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
9:07 PM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
9:08 PM: Found Adware: comet cursor
9:08 PM: c:\windows\system\comet (71 subtraces) (ID = -2147481225)
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
9:11 PM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
9:14 PM: cscore.dll (ID = 53519)
9:14 PM: csip.dll (ID = 53536)
9:14 PM: skinui.dll (ID = 53643)
9:14 PM: comet.exe (ID = 53483)
9:14 PM: Found Adware: begin2search
9:14 PM: greenmovie.ico (ID = 51033)
9:14 PM: Found Trojan Horse: trojan backdoor ppdoor
9:14 PM: ljyszpza.dll (ID = 79780)
9:18 PM: flenclean.exe (ID = 61079)
9:21 PM: c:\program files\flen (3 subtraces) (ID = -2147480975)
9:21 PM: flenclean.exe (ID = 61079)
9:24 PM: flencpy_inst.exe (ID = 61081)
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\ntuser.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\ntuser.dat.log". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
9:28 PM: Warning: Failed to open file "c:\documents and settings\katy\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
9:29 PM: Warning: Failed to open file "c:\documents and settings\katy\application data\mozilla\firefox\profiles\9x27hq7a.default\parent.lock". The process cannot access the file because it is being used by another process
9:29 PM: File Sweep Complete, Elapsed Time: 00:21:54
9:29 PM: Full Sweep has completed. Elapsed time 00:26:40
9:29 PM: Traces Found: 357
10:26 PM: Removal process initiated
10:27 PM: Quarantining All Traces: ebates money maker
10:27 PM: Quarantining All Traces: flashtrack
10:27 PM: Quarantining All Traces: hotbar
10:27 PM: Quarantining All Traces: drsnsrch.com hijack
10:27 PM: Quarantining All Traces: xoff
10:27 PM: Quarantining All Traces: bonzi buddy
10:27 PM: Quarantining All Traces: comet cursor
10:27 PM: Quarantining All Traces: begin2search
10:27 PM: Quarantining All Traces: trojan backdoor ppdoor
10:27 PM: Removal process completed. Elapsed time 00:00:40
********
9:02 PM: |··· Start of Session, Tuesday, August 02, 2005 ···|
9:02 PM: Spy Sweeper started
9:03 PM: |··· End of Session, Tuesday, August 02, 2005 ···|


And here is the latest Panda log:


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/TheLocalSearch No disinfected C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll]
kool808 (Visiting Staff, Posts: 1,690, From: South East Asia, OS: Win 98 SE, Win XP Pro)
post Aug 4 2005, 06:51 AM, Post #21

Search for the jobs:

Open notepad and copy and paste next in it:

CODE
dir %Windir%\tasks /a h > files.txt
notepad files.txt


Save this as findjobs.bat, choose to save it as *all files, and place it on your desktop.

Double-click on findjobs.bat and post the content of the txt file you get in your next reply.
(NOTE: You can delete this file afterwards.)

Post a new HijackThis log
csinclair21 (Member, Posts: 13, OS: Windows XP)
post Aug 4 2005, 08:43 PM, Post #22

Here are the results from findjob.bat:

Volume in drive C has no label.
Volume Serial Number is 07D1-031B

Directory of C:\WINDOWS\tasks

03/27/2001 06:40 PM <DIR> .
03/27/2001 06:40 PM <DIR> ..
09/01/2002 06:05 PM 65 DESKTOP.INI
08/02/2005 06:26 PM 6 SA.DAT
08/03/2005 11:00 PM 502 Tune-up Application Start.job
08/04/2005 10:36 PM 354 PCHealth Scheduler for Data Collection.job
08/04/2005 10:40 PM 410 Symantec NetDetect.job
5 File(s) 1,337 bytes

Directory of C:\Documents and Settings\Katy\Desktop


And here's the latest HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:45:14 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Tman.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Katy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VisualElementFXad] C:\WINDOWS\VisualElementFXad\VisualElementFXad.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O4 - Global Startup: DellTouch Programmable Keys.lnk = C:\Program Files\Netropa\Multimedia Keyboard\MMKbCfg7.exe
O4 - Global Startup: Wireless PCI Card Configuration Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11CFG.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Dell Home - {DE9F7D9E-71AE-44E3-8DE5-D741FBFD7B86} - http://www.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: DigiChat Applet - http://host8.digichat.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com/plugins/downloads/mpeg4img.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094263816921
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...409/mcfscan.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks!
kool808
post Aug 5 2005, 08:51 AM
Post #23


Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro



Alright, your logs look clean now. Just a few more steps and then we are done.

Reboot in Safe Mode.

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist:
  • C:\WINDOWS\SYSTEM32\fiz1 <-- whole folder
  • C:\WINDOWS\Downloaded Program Files\sdmtb.cab[sdmtb.dll] <-- or anything similar to it; when in doubt about the file, please do NOT delete it.
Finally, Empty Recycle Bin

Reboot back to NORMAL MODE.

Have an online scan with Panda again, then post the results.

How is your system running now?
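The verdict above rests on reading the O4 autostart and O23 service lines of the log in the previous post. As an added example that is not code from this thread or from HijackThis, the following Python parser pulls the section, name and loaded file out of those lines and adds a review prompt (an assumed heuristic of this example, not the helper's method) that marks entries worth looking up by hand: a bare filename with no directory, or a program placed directly in the Windows folder. A mark is a prompt to check, not a verdict; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass

@dataclass
class Entry:
    section: str  # HijackThis section: O2 BHO, O4 autostart, O23 service, ...
    label: str    # registry value name, .lnk name, BHO name or service name
    path: str     # file the entry loads, exactly as written in the log

# Sample lines copied from the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - Global Startup: Kerberos Authentication.lnk = C:\WINDOWS\Tman.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
"""
RUN_RE = re.compile(r"^\[(?P<label>[^\]]+)\]\s*(?P<rest>.*)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|scr|bat|pif))(?=\s|$)", re.I)  # suffix before space/end
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)

def parse_line(line: str) -> "Entry | None":
    m = re.match(r"^(O\d+) - (.+)$", line.strip())
    if not m:
        return None  # header, blank, R0/R1 and other sections are skipped
    section, body = m.groups()
    if section != "O4":  # O2/O3/O23 end in " - <file>"; the name is the first field
        head, _, path = body.rpartition(" - ")
        return Entry(section, head.split(": ", 1)[-1].split(" - ", 1)[0], path.strip())
    kind, _, rest = body.partition(": ")
    if kind == "Global Startup":  # "Name.lnk = C:\path\prog.exe"
        label, _, path = rest.partition(" = ")
        return Entry(section, label, path)
    rm = RUN_RE.match(rest)  # Run key: "[Name] path args"
    if not rm:
        return None
    rest = rm["rest"]
    if rest.startswith('"'):  # quoted path; arguments follow the closing quote
        return Entry(section, rm["label"], rest[1:rest.find('"', 1)])
    em = EXE_RE.match(rest)  # unquoted path runs up to the executable suffix
    return Entry(section, rm["label"], em["path"] if em else rest)

def parse_log(text: str) -> list:
    return [e for e in map(parse_line, text.splitlines()) if e]

def review_reasons(e: Entry) -> list:
    """Reasons to look an entry up by hand (assumed heuristic, not a malware verdict)."""
    checks = [("\\" not in e.path, "bare filename: resolved by PATH search, origin unknown"),
              (WINROOT_RE.match(e.path), "program placed straight in the Windows folder")]
    return [why for hit, why in checks if hit]
```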
csinclair21
post Aug 11 2005, 05:04 AM
Post #24


Member
**
Posts: 13
OS: Windows XP



Sorry I haven't replied in a few days, I've been on vacation. Now that I'm back, there is a really big problem. When I left for vacation, the last time I used my computer it was running great (internet included). When I returned and turned my computer on (it had been off the entire time), however, the internet does not work at all. When I open Firefox, it brings up a page that looks like a Comcast page, and it tells me to disable all firewalls, pop-up blockers, and anti-virus software. It then asks me to download and install a file at the bottom of the page. I'm sure that this is not an actual Comcast page, but it will not allow me to go anywhere on the web (I have to enter this reply from another computer). A warning box pops up in Firefox that says that the certificate does not match the domain name (which the warning box says is actsvr.comcastonline.com, even though it still shows www.msnbc.com in the browser). What can I do to fix this?

Thanks!

kool808
post Aug 11 2005, 06:04 AM
Post #25


Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro



Great, how was the vacation? Did you have fun? Where did you hang out? Hope you enjoyed it.

Block all outside/inside attempts using your firewall.

Have another HijackThis log and post it here again.
csinclair21
post Aug 11 2005, 04:29 PM
Post #26


Member
**
Posts: 13
OS: Windows XP



Vacation was great, I went up to Northern Michigan for a few days, and the weather was perfect.

Now to the serious stuff. How can I block all outside/inside attempts with Windows Firewall? That's the firewall that I've been using, and I don't see an option for that. I won't be able to post a HijackThis log until I am able to get onto the Internet on my computer. Any suggestions would be great. Thanks.
kool808
post Aug 11 2005, 06:21 PM
Post #27


Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro



This tool will bring your internet connection back.

QUOTE
If you're having trouble connecting to the Internet, try running the WinSockFix utility to repair your connection:

Download this from another computer, transfer it to your PC, then run WinSockXPFix.



++++++++++++++++
Once you regain your connection, a connection attempt may occur. Your firewall is active by default and will block any bad attempts. It will display a pop-up message stating that a program is trying to access a connection; just press BLOCK for any malicious attempts. If it is legitimate, then just allow it.
kool808
post Aug 25 2005, 06:14 PM
Post #28


Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro



Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising