iexplore / firefox multiple instance in task manager, I think its some kind of trojan / infection
A-D-D-L-E
post Jan 1 2007, 03:43 PM
Post #1


New Member
Posts: 2
OS: Windows XP



Hi,

My name is Yaman and I have been facing trouble with my machine for the last 4-5 days. I think it's an infection, and as a result I am very scared of using my passwords on the internet.

Symptoms:
--------------
1. A lot of lag in logging off / shutdown - sometimes it asks for the iexplore.exe program to be terminated (when there's none open from my side)
2. Multiple instances of iexplore.exe open in Task Manager. Even as I close Internet Explorer and open it again, a new instance appears
3. I log in to my system as Administrator, but some of the iexplore.exe processes under Task Manager show no user (some show Administrator as user).
4. A lot of the iexplore.exe processes can't be killed (irrespective of what username is shown in Task Manager for that process)


What I have done so far:
-------------------------------
1. I heard from one of this forum's threads that Firefox would be better. Installed that, but it's also giving the same problem. After starting, when I close Firefox, the process remains and can't be killed. Opening a second Firefox opens a new process.
2. Tried renaming the IEXPLORE.EXE file in Program Files to IEXPLORER.EXE. Nothing happened. Without a restart, a new file with the name iexplore.exe was created, and the same problem continued

3. Ran ATF cleaner
4. Checked with Panda Software online scan (results down below) - detected spyware cookies
5. Ran McAfee virus scan - nothing detected
6. Ran Trojan Remover 6.5.5 from Simply Super Software - nothing detected
7. Ran HiJackThis - Log given below

Please help me out with this. I have read all the forums, but can't fix this problem.

Regards,
Yaman


HiJackThis Log
----------------
Logfile of HijackThis v1.99.1
Scan saved at 13:17:32, on 01/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Documents and Settings\Administrator\Application Data\Simply Super Software\Trojan Remover\xrk16.exe
C:\Documents and Settings\Administrator\Application Data\Simply Super Software\Trojan Remover\xrk16.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Utilities\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C8D77494-007F-4BD0-9B44-0C605B2C1A04} (RdHinIocCtrl Class) - http://immail.rediff.com/MLing/ActiveX/rdhinioc.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...a8a8b93e75306fe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Panda Online Scan Log
---------------------------

Incident Status Location

Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.stats1.reliablestats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.server.iad.liveperson.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.statse.webtrendslive.com/]
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.pacificpoker.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.overture.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.phg.hitbox.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.searchportal.information.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.bfast.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.as1.falkag.de/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.server.iad.liveperson.net/hc/39926684]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1vx2napk.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@go[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@mediaplex[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt
Adware:adware/cws Not disinfected C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url
Spyware:Cookie/Xiti Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.xiti.com/]
Spyware:Cookie/Zedo Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.zedo.com/]
Spyware:Cookie/Reliablestats Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.stats1.reliablestats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.realmedia.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.server.iad.liveperson.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.statcounter.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.mediaplex.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.maxserving.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.statse.webtrendslive.com/]
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.pacificpoker.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.serving-sys.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.tribalfusion.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.tradedoubler.com/]
Spyware:Cookie/Overture Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.overture.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.phg.hitbox.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.searchportal.information.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.qksrv.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.questionmarket.com/]
Spyware:Cookie/WUpd Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.revenue.net/]
Spyware:Cookie/Overture Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.perf.overture.com/]
Spyware:Cookie/Adtech Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.adtech.de/]
Spyware:Cookie/Adviva Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.adviva.net/]
Spyware:Cookie/Advertising Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.advertising.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.i.screensavers.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.ads.pointroll.com/]
Spyware:Cookie/Bfast Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.bfast.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.doubleclick.net/]
Spyware:Cookie/FastClick Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.fastclick.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.apmebf.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.bravenet.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.errorsafe.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.ads.pointroll.com/]
Spyware:Cookie/Falkag Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.as1.falkag.de/]
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.atdmt.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.hitbox.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.bluestreak.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.apmebf.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.server.iad.liveperson.net/hc/39926684]
Spyware:Cookie/2o7 Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.2o7.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.ad.yieldmanager.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\support.com\backup\co\cookies.txt\51099_521a0fadb_[cookies.txt][.247realmedia.com/]
Adware:adware/winprotect Not disinfected C:\WINDOWS\balloon.wav

This post has been edited by A-D-D-L-E: Jan 1 2007, 03:51 PM
miekiemoes
post Jan 2 2007, 07:13 AM
Post #2


Malware Expert
Posts: 5,209
From: Belgium
OS: XP Home, XP Pro, Vista



Hello,

I notice from your log that you are running more than one Anti-Virus program with Auto-protect enabled: ZoneAlarm with Antivirus and McAfee with Firewall (HackerWatch).
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will seriously decrease the reliability of it!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

I would strongly advise you to only have one Anti-Virus with the Auto-Protect feature running at any one time!
If you decide to only keep one Anti-Virus installed,
you should uninstall the other(s) through the Add or Remove Programs option in Control Panel.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: localhost 127.0.0.1
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...a8a8b93e75306fe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download FixwareOut from one of the following sites:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.
A-D-D-L-E
post Jan 2 2007, 10:28 PM
Post #3


New Member
Posts: 2
OS: Windows XP



Hi,

Thanks for the reply and information on having two antivirus s/w installed.

Following up on your instructions, I have:
1. Uninstalled zone-alarm from my machine now...
2. With HiJackThis, fix checked the following
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: localhost 127.0.0.1
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zango/ie/b...a8a8b93e75306fe
3. Cleaned cache in IE & Firefox
4. Ran Cleanmgr

5. Now when downloading and installing Fixwareout.exe, it gave the following error:

"Regdiff.exe - Unable to locate component
This application has failed because MSVCR71.dll was not found"

I said OK and rebooted the machine. On restart, the Fixwareout program ran, but during the run it also gave the same error. However, it gave a report file which I am adding here, along with the new HiJackThis log (created after the machine reboot).

However, the problem with multiple IE instances is still there. Though, I haven't tried to shut down the machine to see if the shutdown time has reduced or not.

Please advise.

HiJackThis log
-----------------
Logfile of HijackThis v1.99.1
Scan saved at 19:54:57, on 02/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Utilities\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: SolidConverter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [VoipBuster] "C:\Program Files\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.aajtak.com/wfplayer/tdserver.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C8D77494-007F-4BD0-9B44-0C605B2C1A04} (RdHinIocCtrl Class) - http://immail.rediff.com/MLing/ActiveX/rdhinioc.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


FixWareout.exe Report
----------------------------


Fixwareout
Last edited 12/06/2006
Post this report in the forums please
...
Prerun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
...
...
Reg Entries that were deleted
...

Random Runs removed from HKLM
...
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
...
Postrun check
[HKEY_LOCAL_MACHINE\\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""
...



miekiemoes
post Jan 3 2007, 03:49 AM
Post #4


Malware Expert
Posts: 5,209
From: Belgium
OS: XP Home, XP Pro, Vista



Hello,
That's because one of your scanners most probably deleted the regdiff.exe which is present in the Fixwareout folder.

That's why you have to reinstall Fixwareout again and make sure the scanners are not interfering.

I actually don't see multiple instances of iexplore.exe running though.
As I read your posts here, it looks like your iexplore.exe is instead crashing when you try to close it, and when you reopen it a new instance of iexplore.exe is running.

The infection you were dealing with (which, as far as I can see in the log, is already gone) isn't causing this. Actually, I don't think that malware is causing this at all; blame McAfee for that. McAfee is known to sometimes cause issues with Firefox and IE.
As a test, reboot your system into Safe Mode (with networking support) and see whether you have the same issue in Safe Mode.
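The reading above (no iexplore.exe in the process snapshot, the "(no file)" entries being stale registrations rather than active malware) can be checked mechanically instead of by eye. The following is an added example, not HijackThis' own code nor anything posted in this thread: a small Python triage script that splits a HijackThis log into its running-process list and its R/O entries, counts instances per image name, and flags the entries a helper would look at first. The sample log is constructed from a few lines of the log above, trimmed; the flagging rules (target "(no file)", service with "Unknown owner", Run entry whose executable is not in the process snapshot) are this example's own heuristics, and a hit means "look closer", not "infected".

```python
"""Triage helpers for a HijackThis log (added example, not the forum's tool).

Splits the log into its running-process list and its R/O entries, counts
process instances per image name, and flags entries worth a second look:
registrations pointing at '(no file)', services with 'Unknown owner', and
Run entries whose executable does not appear in the process snapshot.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines taken from the log above, trimmed.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Utilities\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
"""

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path args".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First quoted or unquoted drive-letter path ending in .exe inside an entry.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE)


def parse_log(text):
    """Return (processes, entries): running image paths and (section, body) tuples."""
    processes, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries


def image_name(path):
    """Lower-cased file name of a Windows path, e.g. 'wuauclt.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def process_counts(processes):
    """Instances per image name; a missing name counts as 0."""
    return Counter(image_name(p) for p in processes)


def flag_entries(processes, entries):
    """Return (section, reason, body) findings using this example's heuristics."""
    running = {image_name(p) for p in processes}
    findings = []
    for section, body in entries:
        if "(no file)" in body:
            findings.append((section, "stale registration, target missing", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher info", body))
        elif section == "O4":
            m = EXE_RE.search(body)
            if m and image_name(m.group(1)) not in running:
                findings.append((section, "autorun target not in process list", body))
    return findings


if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    counts = process_counts(procs)
    print("iexplore.exe instances:", counts["iexplore.exe"])
    print("duplicated images:", {k: v for k, v in counts.items() if v > 1})
    for section, reason, body in flag_entries(procs, ents):
        print(f"{section}: {reason}: {body}")
```

Run against the sample, the script reports zero iexplore.exe instances and two wuauclt.exe instances (two Automatic Updates clients are normal, not a sign of infection), and flags four entries: the two "(no file)" leftovers, the NeroCheck Run entry whose executable is not currently running (normal for a one-shot startup task), and the "STI Simulator" service with no publisher information. None of these is itself evidence of malware; they are the points at which a helper would ask for the file to be checked rather than deleted blindly.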
miekiemoes
post Jan 12 2007, 06:15 PM
Post #5


Malware Expert
Posts: 5,209
From: Belgium
OS: XP Home, XP Pro, Vista



Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else, please begin a new topic.