I have somehow contracted the TrojanSPM/LX (I feel like a patient), and I have tried all the cleaning tools.....hjt, ewido, adaware, spybot, etc. I reboot and all, and I browse the internet only to have more pop-ups....can someone please help me??????

thanks, i have posted my hjt log

-paul

Logfile of HijackThis v1.99.1
Scan saved at 8:38:50 PM, on 9/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Aim95\aim.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - C:\Program Files\Webshots\WSToolbar4IE.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim95\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim95\aim.exe
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://coop.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

balaskonis,

Hi, and welcome to Geeks to Go. I apologize for the wait, but the forums have been very busy.

Please do the following for me:

Go to C:\unzipped\hijackthis[1]\HijackThis.exe, and right click on hijackthis.exe. Rename it to hjt.exe, and then double click it to run Hijackthis again, and post a new log for me.

Thanks,

sari

no problem.......i appreciate the response

here is my hjt log - i haven't gotten a pop up in a while, but its really slow in the beginning when i log on, i dont know if its soemthing to do with the running processes in the system32 folder
Logfile of HijackThis v1.99.1
Scan saved at 11:03:54 PM, on 9/28/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Aim95\aim.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\unzipped\hijackthis[1]\hjt.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\Aim95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim95\aim.exe
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://coop.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

balaskonis,

There's nothing out of the ordinary in your running processes, or in your log at all that I can see. Let's look at a a more detailed log and see if I see anything there:

• Download WinPFind
• Right Click the Zip Folder and Select "Extract All"
• Extract it somewhere you will remember like the Desktop

Reboot into safe mode.

Doubleclick WinPFind.exe

• Click "Start Scan"
• It will scan the entire System, so please be patient!
• Once the Scan is Complete
  1. Go to the WinPFind folder
  2. Locate WinPFind.txt
  3. Place those results in the next post!

(You'll have to boot back into normal mode to post the results).

Thanks,

sari

here you go


WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Logfile created on: 9/29/2006 5:15:51 PM
WinPFind v1.5.0 Folder = C:\Documents and Settings\ballasp\Desktop\WinPFind\
Microsoft Windows XP Service Pack 1 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2800.1106)

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PEC2 1/13/2001 6:40:48 PM 45001992 C:\WINDOWS\aolback.exe (America Online, Inc.)
PECompact2 8/23/2005 1:13:02 PM 15666129 C:\WINDOWS\VPTNFILE.797 ()
qoologic 8/23/2005 1:13:02 PM 15666129 C:\WINDOWS\VPTNFILE.797 ()
SAHAgent 8/23/2005 1:13:02 PM 15666129 C:\WINDOWS\VPTNFILE.797 ()
UPX! 5/10/2004 7:38:56 PM 236715 C:\WINDOWS\Key2.txt ()
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll (Trend Micro Inc.)
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe (Trend Micro Inc.)
UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll ()
PECompact2 8/23/2005 1:13:02 PM 15666129 C:\WINDOWS\lpt$vpn.797 ()
qoologic 8/23/2005 1:13:02 PM 15666129 C:\WINDOWS\lpt$vpn.797 ()
SAHAgent 8/23/2005 1:13:02 PM 15666129 C:\WINDOWS\lpt$vpn.797 ()

Checking %System% folder...
PEC2 8/23/2001 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc ()
WSUD 8/23/2001 12:00:00 PM 1135616 C:\WINDOWS\SYSTEM32\ntbackup.exe (Microsoft Corporation)
WSUD 8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
winsync 8/23/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu ()
PECompact2 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
aspack 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe (Microsoft Corporation)
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll (Microsoft Corporation)
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll (Microsoft Corporation)
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe (Microsoft Corporation)

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/29/2006 5:07:04 PM S 2048 C:\WINDOWS\bootstat.dat ()
9/27/2006 5:18:50 PM H 54156 C:\WINDOWS\QTFont.qfn ()
9/29/2006 5:05:08 PM H 724992 C:\WINDOWS\SYSTEM32\config\system.LOG ()
9/29/2006 5:05:08 PM H 73728 C:\WINDOWS\SYSTEM32\config\software.LOG ()
9/29/2006 5:05:08 PM H 8192 C:\WINDOWS\SYSTEM32\config\default.LOG ()
9/29/2006 5:07:20 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG ()
9/29/2006 5:07:06 PM H 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG ()
9/1/2006 8:46:12 AM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred ()
9/1/2006 8:46:12 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\2571b4a1-39c9-49fa-9869-499f0e4df2ed ()
8/28/2006 10:26:32 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred ()
8/28/2006 10:26:32 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\50016320-abf6-45f1-abc2-094ba07aadc6 ()
9/26/2006 8:17:14 PM S 64 C:\WINDOWS\CSC\00000002 ()
9/26/2006 8:39:46 PM S 64 C:\WINDOWS\CSC\00000001 ()
8/16/2006 5:52:16 PM HS 364544 C:\WINDOWS\All Users\DRM\drmstore.hds ()
9/29/2006 5:05:02 PM H 6 C:\WINDOWS\Tasks\SA.DAT ()

Checking for CPL files...
8/24/2000 2:46:38 PM R 266240 C:\WINDOWS\SYSTEM32\Adobe Gamma.cpl (Adobe Systems, Inc.)
8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl (Microsoft Corporation)
5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl (Microsoft Corporation)
8/28/2002 11:41:28 PM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl (Microsoft Corporation)
8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl (Microsoft Corporation)
8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl (Microsoft Corporation)

Checking for Downloaded Program Files...
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - QuickTime Object - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab
{83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - GeacRevw Control - CodeBase = http://coop.mlxchange.com/Control/IRCSharc.cab
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{9FC5238F-12C4-454F-B1B5-74599A21DE47} - Webshots Photo Uploader - CodeBase = http://community.webshots.com/html/WSPhotoUploader.CAB
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in - CodeBase = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - - CodeBase = http://active.macromedia.com/flash2/cabs/swflash.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab
Internet Explorer Classes for Java - - CodeBase = file://c:\windows\SYSTEM\iejava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/30/2006 8:08:08 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
9/27/2006 10:42:24 PM 824 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk ()

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/30/2006 7:23:24 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini ()
8/24/2006 9:07:42 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache ()

Checking files in %USERPROFILE%\Startup folder...
5/30/2006 8:08:08 PM HS 84 C:\Documents and Settings\ballasp\Start Menu\Programs\Startup\desktop.ini ()

Checking files in %USERPROFILE%\Application Data folder...
5/30/2006 7:23:24 PM HS 62 C:\Documents and Settings\ballasp\Application Data\desktop.ini ()
1/29/2006 8:50:06 PM 1072 C:\Documents and Settings\ballasp\Application Data\dw.log ()

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

>>> Internet Explorer Settings <<<


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.msn.com/
\\Local Page - C:\windows\system32\blank.htm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
\\Start Page - http://www.google.com/
\\Search Bar - http://www.google.com/ie
\\Search Page - http://www.google.com
\\Local Page - C:\windows\system32\blank.htm

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
\\CustomizeSearch - http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
\\SearchAssistant - http://www.google.com/ie


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - = ()

>>> BHO's <<<
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
\{AA58ED58-01DD-4d91-8333-CF10577473F7} - Google Toolbar Helper = c:\program files\google\googletoolbar1.dll (Google Inc.)

>>> Internet Explorer Bars, Toolbars and Extensions <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUS.DLL (Yahoo! Inc.)
\{4D5C8C25-D075-11d0-B416-00C04FB90376} - &Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL (Microsoft Corporation)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
\{32683183-48a0-441b-a342-7c2a440a9478} - Media Band = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\{4528BBE0-4E08-11D5-AD55-00010333D0AD} - &Yahoo! Messenger = C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESUS.DLL (Yahoo! Inc.)
\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} - Favorites Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} - History Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)
\{EFA24E64-B078-11D0-89E4-00C04FC9E26E} - Explorer Band = %SystemRoot%\System32\shdocvw.dll (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
\\{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)
\WebBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} - &Address = %SystemRoot%\System32\browseui.dll (Microsoft Corporation)
\WebBrowser\\{0E5CBF21-D15F-11D0-8301-00AA005B4383} - &Links = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google = c:\program files\google\googletoolbar1.dll (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\CmdMapping]
\\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - 8192 =
\\NEXTID - 8196
\\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - 8193 =
\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - 8194 =
\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} - 8195 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - ButtonText: AIM = C:\Program Files\Aim95\aim.exe (America Online, Inc.)

>>> Approved Shell Extensions (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{42071714-76d4-11d1-8b24-00a0c9068ff3} - Display Panning CPL Extension = deskpan.dll ()
\\{764BF0E1-F219-11ce-972D-00AA00A14F56} - Shell extensions for file compression = ()
\\{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} - Encryption Context Menu = ()
\\{88895560-9AA2-1069-930E-00AA0030EBC8} - HyperTerminal Icon Ext = C:\WINDOWS\System32\hticons.dll (Hilgraeve, Inc.)
\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} - Taskbar and Start Menu = ()
\\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - Microsoft Url Search Hook = ()
\\{7A9D77BD-5403-11d2-8785-2E0420524153} - User Accounts = ()
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - Web Folders = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()
\\{59850401-6664-101B-B21C-00AA004BA90B} - Microsoft Office Binder Explode = ()
\\{B41DB860-8EE4-11D2-9906-E49FADC173CA} - WinRAR shell extension = C:\PROGRAM FILES\WINRAR\rarext.dll ()
\\{5464D816-CF16-4784-B9F3-75C0DB52B499} - Yahoo! Mail = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL (Yahoo! Inc.)
\\{FED7043D-346A-414D-ACD7-550D052499A7} - dBpowerAMP Music Converter 1 = ()
\\{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5} - dBpowerAMP Music Converter = ()
\\{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} - iTunes = C:\Program Files\iTunes\iTunesMiniPlayer.dll (Apple Computer, Inc.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
\\{BDEADF00-C265-11d0-BCED-00A0C90AB50F} - = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL ()


>>> Context Menu Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll ()
\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll ()
\Yahoo! Mail - {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRAM FILES\YAHOO!\COMMON\YMMAPI.DLL (Yahoo! Inc.)

[HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers]
\ewido anti-spyware - {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll (Anti-Malware Development a.s.)
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll ()
\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll ()

[HKEY_LOCAL_MACHINE\Software\Classes\Directory\BackGround\shellex\ContextMenuHandlers]

[HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers]
\WinRAR - {B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\PROGRAM FILES\WINRAR\rarext.dll ()
\WinZip - {E0D79300-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\wzshlext.dll ()

>>> Column Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

>>> Registry Run Keys <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SystemTray - C:\WINDOWS\SYSTEM32\SysTray.Exe (Microsoft Corporation)
!ewido - C:\Program Files\ewido anti-spyware 4.0\ewido.exe (Anti-Malware Development a.s.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM - C:\Program Files\Aim95\aim.exe -cnetwait.odl ()
swg - C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe (Google Inc.)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

>>> Startup Links <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Common Startup]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini ()
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe (Google)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\\Startup]
C:\Documents and Settings\ballasp\Start Menu\Programs\Startup\desktop.ini ()

>>> MSConfig Disabled Items <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^ballasp^Start Menu^Programs^Startup^Webshots.lnk
path C:\Documents and Settings\ballasp\Start Menu\Programs\Startup\Webshots.lnk
backup C:\WINDOWS\pss\Webshots.lnkStartup
location Startup
command C:\PROGRA~1\Webshots\Launcher.exe /t
item Webshots

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\!ewido
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ewido
hkey HKLM
command "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\Aim95\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\USRpdA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item 3cpipe-USRpdA
hkey HKLM
command C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\wwtmlze.dll
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wwtmlze
hkey HKLM
command C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\wwtmlze.dll,uuboskb
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[All Users Startup Folder Disabled Items]

[Current User Startup Folder Disabled Items]

>>> User Agent Post Platform <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

>>> AppInit Dll's <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs]

>>> Image File Execution Options <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
\Your Image File Name Here without a path - Debugger = ntsd -d

>>> Shell Service Object Delay Load <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
\\PostBootReminder - {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\CDBurn - {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll (Microsoft Corporation)
\\WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll (Microsoft Corporation)
\\SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll (Microsoft Corporation)

>>> Shell Execute Hooks <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} - URL Exec Hook = shell32.dll (Microsoft Corporation)
\\{57B86673-276A-48B2-BAE7-C6DBB3020EB8} - CShellExecuteHookImpl Object = C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll (Anti-Malware Development a.s.)

>>> Shared Task Scheduler <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

>>> Winlogon <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
\\UserInit = C:\WINDOWS\system32\userinit.exe,
\\Shell = Explorer.exe
\\System =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
\crypt32chain - crypt32.dll = (Microsoft Corporation)
\cryptnet - cryptnet.dll = (Microsoft Corporation)
\cscdll - cscdll.dll = (Microsoft Corporation)
\ScCertProp - wlnotify.dll = (Microsoft Corporation)
\Schedule - wlnotify.dll = (Microsoft Corporation)
\sclgntfy - sclgntfy.dll = (Microsoft Corporation)
\SensLogn - WlNotify.dll = (Microsoft Corporation)
\termsrv - wlnotify.dll = (Microsoft Corporation)
\WgaLogon - = ()
\wlballoon - wlnotify.dll = (Microsoft Corporation)

>>> DNS Name Servers <<<
{6FD6D041-21F9-475D-995C-8097F1DBE662} - (Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4))

>>> All Winsock2 Catalogs <<<
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries]
\000000000001\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
\000000000002\\LibraryPath - %SystemRoot%\System32\winrnr.dll (Microsoft Corporation)
\000000000003\\LibraryPath - %SystemRoot%\System32\mswsock.dll (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries]
\000000000001\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000002\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000003\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000004\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000005\\PackedCatalogItem - %SystemRoot%\system32\rsvpsp.dll (Microsoft Corporation)
\000000000006\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000007\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000008\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000009\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000010\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000011\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000012\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000013\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000014\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)
\000000000015\\PackedCatalogItem - %SystemRoot%\system32\mswsock.dll (Microsoft Corporation)

>>> Protocol Handlers (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler]
\ipp - ()
\msdaipp - ()
\vnd.ms.radio - C:\WINDOWS\System32\msdxm.ocx ()

>>> Protocol Filters (Non-Microsoft Only) <<<
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter]

>>> Selected AddOn's <<<


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

balaskonis,

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINDOWS\System32\wwtmlze.dll
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• If it wants to install an ActiveX component allow it
• Select either Home User or Company
• Click the big Scan Now button
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Thanks,

sari

sari,

i did get that pending message after i did kill box.......and i had to reboot manually

here is the report from panda:

thanks again,
paul


Incident Status Location

Dialer:dialer.no Not disinfected c:\windows\downloaded program files\rdgUS2404.exe
Adware:adware/ncase Not disinfected c:\windows\didduid.ini
Adware:adware/blazefind Not disinfected c:\windows\Key2.txt
Adware:adware/xupiter Not disinfected C:\Documents and Settings\ballasp\Favorites\Cool Stuff
Adware:adware/memorywatcher Not disinfected Windows Registry
Adware:adware/statblaster Not disinfected Windows Registry
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/weirdontheweb Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/transponder Not disinfected Windows Registry
Adware:adware/navhelper Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\!KillBox\Process.exe
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\Netscape\Communicator\Program\Plugins\NPMyWay.dll
Virus:Trj/KeyPanic Disinfected C:\Program Files\Netscape\Users\ballasp\Mail\Sent[Super Funny.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\unzipped\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ddcaa.dll.bad
Potentially unwanted tool:Application/MyWay Not disinfected C:\HijackThis\hijackthis\backups\backup-20040804-155423-411.dll
Potentially unwanted tool:Application/Zango Not disinfected C:\HijackThis\hijackthis\backups\backup-20050622-213605-551.inf
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@atwola[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@atdmt[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@maxserving[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@fastclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@doubleclick[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@realmedia[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@casalemedia[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@mediaplex[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@go[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@adrevolver[4].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@adrevolver[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@trafficmp[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@ad.yieldmanager[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@hitbox[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@ehg-dig.hitbox[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@zedo[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@dist.belnk[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@burstnet[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@tribalfusion[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@advertising[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\ballasp\Cookies\ballasp@questionmarket[2].txt
Virus:Trj/KeyPanic Disinfected C:\Documents and Settings\ballasp\Application Data\Mozilla\Profiles\ballasp\f59y98e6.slt\Mail\mail\Sent[Super Funny.exe]

balaskonis,

You'll want to save these instructions to notepad or print them for reference in safe mode.

Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer(if present):

c:\windows\downloaded program files\rdgUS2404.exe
c:\windows\didduid.ini
c:\windows\Key2.txt
C:\Documents and Settings\ballasp\Favorites\Cool Stuff

After that, Reboot.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please post a new hijackthis log and let me know how things are running.

Thanks,

sari

deleted the key2.txt, the other files were not present

the cpu is working great, no stalling, no pop ups, i'm quite happy......anything else you recommend, anything i've missed?

thanks again so much,
paul

here is the hjt log


Logfile of HijackThis v1.99.1
Scan saved at 5:58:28 PM, on 10/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
C:\unzipped\hijackthis[1]\hjt.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim95\aim.exe
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://coop.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

balaskonis,

That's good news.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:

• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

• AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
• Firewall<= A firewall is definitely a must have. Two good free versions are Sygate and ZoneLabs.
• More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.

And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.


Thanks for visiting Geeks to Go!

sari

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.