Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.
     
 
 Closed TopicStart new topic
actux trojan, how do i remove it? [RESOLVED], actux.a
dbell1414
post May 6 2006, 07:18 AM
Post #1


New Member
*
Posts: 5
OS: windows xp
C:\Documents and Settings\D-Bell's\Local Settings\Temporary Internet Files\Content.IE5\23ALI90F\


C:\Documents and Settings\D-Bell's\Local Settings\Temporary Internet Files\Content.IE5\23ALI90F\



Dear (someone who will destroy ACTUX),

The above are the 2 files that keep coming up as infected everytime i shut down and restart my computer with my sbc online security system... it says they are a win32/actux.a infection. I was reading other blogs so i decided to run that hijackthis program and this is what i got (please see below)... i tried to delete the above files or rename them but it won't let me... i dont know what to do, but i can follow instructions good... Can someone please tell me what to delete or how to get this thing off my computer... i ran numerous different scans and nothing finds/deletes this pesky thing... PLEASE help... i will be forever grateful...

yours truely,
angry at actux.... (danielle) dbellie1414@yahoo.com



Logfile of HijackThis v1.99.1
Scan saved at 7:54:34 AM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\D-Bell's\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.newtonknows.com/search.php?p=10...z=60477&u=55875
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.newtonknows.com/search.php?p=10...z=60477&u=55875
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {20C8CB67-3714-4B48-9E29-D2696155A257} - C:\Program Files\Internet Explorer\hore.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [VSL04.exe] C:\WINDOWS\System32\VSL04.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141796973350
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37520.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...dbf4c44a0363a5c
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
Go to the top of the page
 
+Quote Post
cfa-ddg2
post May 6 2006, 01:03 PM
Post #2


Visiting Staff
Group Icon
Posts: 963
From: Missouri
OS: Vista Ultimate
hello dbell1414...welcome to the G2G forums.

I am reviewing your HJT log now, and will work with G2G staff to help with your problem. I will post back as soon as possible.
Go to the top of the page
 
+Quote Post
cfa-ddg2
post May 6 2006, 03:49 PM
Post #3


Visiting Staff
Group Icon
Posts: 963
From: Missouri
OS: Vista Ultimate
Hello dbell1414....

1. Make a new folder to put your HijackThis.exe into.

Anywhere on your hard drive is fine other than your Desktop or the Temp folder. Suitable examples are:
  • C:\HijackThis\
  • C:\Programs\hijackthis\
  • C:\Windows\My Documents\HJT\
but feel free to use any name.

Extract and save the HijackThis download to the new folder you made. Then navigate to it and run HijackThis from there. We need to do this is to ensure it makes the necessary backups for recovery if fixes are made).

2. There is a file I'd like to get analyzed:

C:\WINDOWS\System32\VSL04.exe

Just to be safe, go to this site and have it scan them:
Jotti virus scan

Use the Browse button at Jotti, navigate to the file's location on your hard drive and submit it to them for analysis.

Let me know the results in your next reply.

3. Please download Ewido Anti-Malware from here
  1. Install ewido security suite
  2. When installing the program, under "Additional Options" UNCHECK...
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should now be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files:
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  8. Close Ewido Anti-Malware
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates

Do NOT use it yet, we will use it later.

4. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Do NOT run it yet, we will use it later.
5. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.newtonknows.com/search.php?p=10...z=60477&u=55875
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.newtonknows.com/search.php?p=10...z=60477&u=55875
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {20C8CB67-3714-4B48-9E29-D2696155A257} - C:\Program Files\Internet Explorer\hore.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/installers/si/1/sinstaller.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...dbf4c44a0363a5c

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present). Click start>>control panel>>add/remove programs:

MySearch
WhenUSave
NewtonKnows

Please delete these folders using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed folders, then right-click to select them and click delete


C:\Program Files\MySearch
C:\Program Files\Save

Please delete these files using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\Program Files\Internet Explorer\hore.dll
C:\WINDOWS\web\related.htm

6. Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

7. Still in Safe Mode start Ewido Anti-Malware
  • Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
  • Click on Complete System Scan, the scan will now begin.
  • While the scan is in progress you will be prompted to clean files, click OK.
  • When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • Once the scan has completed, there will be a button located at the bottom of the screen named Save Report.
  • Click Save Report.
  • Now save the report .txt file to your desktop.
  • Close Ewido Anti-Malware
8. After that, Reboot into normal windows.

9. Post back in this thread with:
  • a new HJT log
  • the Ewido log
  • the Jotti file analysis results
Go to the top of the page
 
+Quote Post
dbell1414
post May 6 2006, 05:22 PM
Post #4


New Member
*
Posts: 5
OS: windows xp
File to upload & scan:
Service
Service load: 0% 100%

File: VSL04.exe
Status: INFECTED/MALWARE
MD5 1f3507d911bc22f549a1ab1454a41d88
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.Dh, Trojan.DownLoader.9440
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.ctp, Trojan-Downloader.Win32.Small.ajc
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing



I DID STEP 2 (JOTTI SCAN) AND THE SCAN FOUND 2 MORE TROJANS!!! I WILL CONTINUE WITH THE STEPS AND THAN POST THE NEW HJT LOG AND NEW EWIDO LOG. THANKS FOR ALL THE HELP I TRUELY LUV U... NO I MEAN IT... UR ARE THE GREATEST... 2 DAYS AGO (IN ATTEMPT TO TRY TO FIX THE ACTUX TROJAN) I DOWNLOADED AND RAN EWIDO, I HOPE THAT DOESNT MATTER???!!!

This post has been edited by dbell1414: May 6 2006, 06:01 PM
Go to the top of the page
 
+Quote Post
cfa-ddg2
post May 6 2006, 06:55 PM
Post #5


Visiting Staff
Group Icon
Posts: 963
From: Missouri
OS: Vista Ultimate
QUOTE(dbell1414 @ May 6 2006, 06:22 PM) [snapback]663606[/snapback]


I DID STEP 2 (JOTTI SCAN) AND THE SCAN FOUND 2 MORE TROJANS!!! I WILL CONTINUE WITH THE STEPS AND THAN POST THE NEW HJT LOG AND NEW EWIDO LOG. THANKS FOR ALL THE HELP I TRUELY LUV U... NO I MEAN IT... UR ARE THE GREATEST... 2 DAYS AGO (IN ATTEMPT TO TRY TO FIX THE ACTUX TROJAN) I DOWNLOADED AND RAN EWIDO, I HOPE THAT DOESNT MATTER???!!!


Good job...do the rest and we'll go from there.

It doesn't matter that you ran Ewido previously, run it again configured as outlined above.

And while the file you scanned is infected, the two trojan names listed are just different malware scan's names for the infected file.

Looking forward to your next post...
Go to the top of the page
 
+Quote Post
dbell1414
post May 6 2006, 09:55 PM
Post #6


New Member
*
Posts: 5
OS: windows xp
unfortunetly, when i logged on my sbc online protection popped up the window again (as before) that i still am infected with the actux trojen in the:
------------------------------
filename: wallpap[1].exe
location: C:\Documents and Settings\D-Bell's\Local Settings\Temporary Internet Files\Content.IE5\8X6BKDE7\

status: deleted
type: file
infection: win32/actux.a
engine version: 12.4.1
signiture:2196
scanner type: real-time

--------------------------------

filename:wallpap[1].exe
location: C:\Documents and Settings\D-Bell's\Local Settings\Temporary Internet Files\Content.IE5\8X6BKDE7\

status: infected
type: file
Infection: win32/actux.a
engine version: 12.4.1
signiture:2196
scanner type: real-time

-------------------------------


some of those things u told me to delete weren't on the hijackthis list, such as:

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.newtonknows.com/search.php?p=10...z=60477&u=55875
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.newtonknows.com/search.php?p=10...z=60477&u=55875
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
--------------------------------------------------------------------------------------------------------------

after i couldnt find those on the hijackthis list i also couldnt find and delete:

mysearch
whenusave
newtonknows

in step 5 within the start>>control panal>>add/remove program list

i also couldnt delete/find:

c:/program files\mysearch
c:\program files\save


--------------------------------------------------------


HERE IS THE HIJACKThis FILE:



Logfile of HijackThis v1.99.1
Scan saved at 10:36:18 PM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\HijackThis.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [VSL04.exe] C:\WINDOWS\System32\VSL04.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141796973350
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37520.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE





-----------------------------------------------------------------------------------------




HERE IS EWIDO:








ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:43:46 PM, 5/6/2006
+ Report-Checksum: 8D8496B5

+ Scan result:

C:\Documents and Settings\D-Bell's\Cookies\d-bell's@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\D-Bell's\Cookies\d-bell's@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\D-Bell's\Local Settings\Temp\Temporary Internet Files\Content.IE5\O92VK5M3\gtdownls[1].cab/gtdownls_95.ocx -> Adware.Gdown : Cleaned with backup
C:\Program Files\backups\backup-20060506-191843-338.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP176\A0045173.dll -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP201\A0046632.dll -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0051778.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052750.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052751.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052758.dll -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052760.dll -> Adware.Exact : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052761.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052764.dll -> Adware.Comet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052765.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052766.dll -> Adware.Agent : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052767.exe -> Adware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052778.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052779.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052789.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052790.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052808.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052810.exe -> Downloader.Small.ajc : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052819.dll -> Downloader.Small.ctp : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0052820.exe -> Downloader.Small.ajc : Cleaned with backup
C:\WINDOWS\SYSTEM32\gtdownls_95.ocx -> Adware.Gdown : Cleaned with backup


::Report End




----------------------------------------------------------------------------------------------------




i just want to cry... now what??? should i try it again??? did i do something wrong.... thanks again for all your help i really appreciate it...


danielle...

This post has been edited by dbell1414: May 6 2006, 10:09 PM
Go to the top of the page
 
+Quote Post
cfa-ddg2
post May 7 2006, 12:09 PM
Post #7


Visiting Staff
Group Icon
Posts: 963
From: Missouri
OS: Vista Ultimate
hello dbell1414...we're making progress. This may be a multistep process...so let's keep going:

1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKCU\..\Run: [VSL04.exe] C:\WINDOWS\System32\VSL04.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

2. Please delete these files using Windows Explorer(if present):
  • Click Start>>All Programs>>Accessories>>Windows Explorer
  • Navigate to the listed files, then right-click to select them and click delete:


C:\WINDOWS\System32\VSL04.exe


Reboot your computer back to normal mode.

3. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Problems running Panda ActiveScan are addressed HERE


Post the contents of:
    1. the Panda ActiveScan Report
    2. a new HJT log
as a reply to this topic, and let me know if the problems still persists.
Go to the top of the page
 
+Quote Post
dbell1414
post May 8 2006, 10:15 AM
Post #8


New Member
*
Posts: 5
OS: windows xp
well, when i rebot-ed my computer i did not recieve a message that i am still infected with actux... so that is a great sign, right!!!??!?! BUT when i did the panda scan it said i had like 24 spyware infections and 2 other problems... can u help me correct those??? i would really appreciate!!! (should i rescan my computer with panda and let it automatically correct those problems???) u have been great!!! u should let me write a letter to ur boss and tell him what a great employee he has (do u have a boss on this thing???)... if there is anyway i can repay u please let me know...

---------------------------
panda scan:
---------------------------


Incident Status Location

Adware:adware/gator Not disinfected c:\GatorPatch.log
Potentially unwanted tool:application/zango Not disinfected c:\program files\Zango Programs
Spyware:spyware/premeter Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/exact.searchbar Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@adrevolver[3].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@apmebf[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@atwola[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@belnk[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@casalemedia[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@cgi-bin[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@dist.belnk[2].txt
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@mysearch[3].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@realmedia[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\D-Bell's\Cookies\d-bell's@tribalfusion[2].txt


---------------------------------
HJT report:
---------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 11:01:06 AM, on 5/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {D42018DD-2A8E-4FF5-A365-876CFB3FD0FF} - C:\Program Files\Internet Explorer\hore.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\