[MandyLynn]

Hello! It seems I have a nasty infestation on my computer. I have followed the instructions on the "You Must Read This Before Posting A Hijackthis Log" and still have problems however it has at least gotten better. At the moment, I keep getting popups that look like legitimate windows that open when you install programs but they are certainly not legit. My homepage has been changed to http://www.sysprotectionpage.com which has links to products like Malware Wipe and Pest Trap... neither of which I have downloaded. My old homepage was for gmail and even if I type the address in, I cannot access it to check my email.

When I was going through the steps to hopefully remove malware, Trojan.Zlob and Trojan.Small were discovered and taken care of. The name "Zlob" seems to come up a lot.

Many thanks in advance!!

Here is my Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 5:57:55 PM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dbf98937.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dbf98937.exe] C:\WINDOWS\system32\dbf98937.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [dbf98937.exe] C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Local Settings\Application Data\dbf98937.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1152130168515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152132918968
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

[Advertisements]

Hi MandyLynn and Welcome to GeekstoGo!


First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

• Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
• Once the setup is complete you will need run ewido and update the definition files.
• On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).


Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close out Ewido Anti-Spyware.

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.



Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.



Reboot back into Windows and click the Panda ActiveScan shortcut.

• Once you are on the Panda site click the Scan your PC button.
• A new window will open...click the Check Now button.
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When the download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

[Wizard]

Hi MandyLynn and Welcome to GeekstoGo!


First download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

• Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
• Once the setup is complete you will need run ewido and update the definition files.
• On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
• Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
• Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
• Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.


Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).


Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

• Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
• Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
• ewido will now begin the scanning process, be patient this may take a little time.
  Once the scan is complete do the following:
• If you have any infections you will prompted, then select "Apply all actions"
• Next select the "Reports" icon at the top.
• Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
• Close out Ewido Anti-Spyware.

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.



Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.



Reboot back into Windows and click the Panda ActiveScan shortcut.

• Once you are on the Panda site click the Scan your PC button.
• A new window will open...click the Check Now button.
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When the download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.

[MandyLynn]

I had a problem with the Panda scan. The window that opened when it scanned was half the size it needed to be so I couldn't fix the problems or save a report... couldn't even see those buttons. I tried to make the window bigger but couldn't. Here are the other logs as requested.

Oh, my homepage has no longer been taken over. Something that you asked me to run must had taken care of that. It's now set at msn.com and it allows me to check my gmail now. Thanks!!

Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 12:33:48 AM, on 7/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\dbf98937.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dbf98937.exe] C:\WINDOWS\system32\dbf98937.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [dbf98937.exe] C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Local Settings\Application Data\dbf98937.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1152130168515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152132918968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

smitfiles.txt log

smitRem © log file
version 3.0

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Thu 07/06/2006
The current time is: 21:18:12.03

Running from
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{0ffdaffc-d80d-47bf-b9b0-895ea240f4de}"="adelges"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

regperf.exe
simpole.tlb
stdole3.tlb
dcomcfg.exe
amcompat.tlb
nscompat.tlb
hp***.tmp


~~~ Icons in System32 ~~~

ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 912 'explorer.exe'
Killing PID 912 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN!

Ewido-anti-spyware
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:40:37 AM 7/6/2006

+ Scan result:



C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][2].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.26:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.60:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.61:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
:mozilla.47:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.48:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\mandy@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\mandy@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.55:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.56:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.59:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.39:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\mandy@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.44:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.46:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.49:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Mandy\Application Data\Mozilla\Firefox\Profiles\b8ohnat7.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\JRR\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ld65C4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldE0E0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

Edited by MandyLynn, 06 July 2006 - 10:46 PM.

[Wizard]

Download ComboFix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.

Post the contents of combofix.txt into the next reply.

[MandyLynn]

Start Time= Fri 07/07/2006 12:14:59.84
Running from: C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Desktop

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-06 17:57:04 ( .D... ) "C:\Program Files\HJT"
2006-07-06 03:41:20 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-06 01:01:54 ( .D... ) "C:\Program Files\Windows Defender"
2006-07-05 13:18:52 47564 ( A.SHR ) "C:\NTDETECT.COM"
2006-07-04 22:47:10 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-04 21:39:08 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Lavasoft"
2006-07-04 14:23:48 20992 ( A.... ) "C:\WINDOWS\system32\dbf98937.exe"
2006-07-04 14:22:44 ( .D... ) "C:\Program Files\SpyQuake2.com"
2006-07-04 11:28:38 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Leadertech"
2006-07-04 11:28:12 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Sonic"
2006-07-04 01:27:24 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\LimeWire"
2006-07-04 01:09:58 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Motive"
2006-07-03 19:57:00 37518744 ( A.... ) "C:\Program Files\iTunesSetup.exe"
2006-07-03 15:05:32 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Adobe"
2006-07-03 15:01:10 57344 ( ..... ) "C:\WINDOWS\system32\pxhpinst.exe"
2006-07-02 13:54:00 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Image Zone Express"
2006-06-30 22:13:26 ( .D.HR ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\yahoo!"
2006-06-30 19:21:24 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-30 19:19:58 407080 ( A.... ) "C:\Program Files\Yahoo Messenger Install Program.exe"
2006-06-30 10:38:26 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\HP"
2006-06-30 10:23:26 ( .D.H. ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\GTek"
2006-06-30 00:31:40 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Ventrilo"
2006-06-30 00:14:36 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Macromedia"
2006-06-30 00:10:14 ( .DS.. ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Microsoft"
2006-06-30 00:10:14 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Symantec"
2006-06-30 00:10:14 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Sun"
2006-06-30 00:10:14 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\SampleView"
2006-06-30 00:10:14 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Real"
2006-06-30 00:10:14 ( .D... ) "C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Application Data\Identities"
2006-06-29 16:04:56 ( .D... ) "C:\Program Files\Norton Personal Firewall"
2006-06-22 02:47:18 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 16:19:42 571184 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-06-19 16:19:26 304944 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-06-16 13:34:44 48936 ( A.... ) "C:\WINDOWS\system32\sirenacm.dll"
2006-06-11 14:24:08 ( .D... ) "C:\Program Files\AOD"
2006-06-08 18:19:52 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-08 12:08:36 534208 ( A.... ) "C:\WINDOWS\system32\SymNeti.dll"
2006-06-08 12:08:36 161472 ( A.... ) "C:\WINDOWS\system32\SymRedir.dll"
2006-05-29 07:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-26 22:19:50 163840 ( A.... ) "C:\WINDOWS\system32\JGDW400.DLL"
2006-05-19 07:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-17 21:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-16 14:34:38 87808 ( A.... ) "C:\WINDOWS\system32\S32EVNT1.DLL"
2006-05-11 00:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-09 21:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-09 21:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 21:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-09 21:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 21:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-09 21:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-09 21:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-09 21:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-09 21:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-09 21:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 21:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-09 21:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 21:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 21:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-09 21:23:00 55808 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 21:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-03-03 17:40:24 721507 ( A.... ) "C:\Program Files\RNPatch72.exe"
2005-12-09 17:18:28 34412848 ( A.... ) "C:\Program Files\Quicktime 7 upgrade.exe"
2005-11-18 07:50:20 27917104 ( A.... ) "C:\Program Files\downloadable_install_wizard.exe"
2005-11-17 15:26:06 130560 ( A.... ) "C:\Program Files\GWSETUP.EXE"
2005-07-30 09:40:54 457 ( A.... ) "C:\Program Files\INSTALL.LOG"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-06 22:52 73,728 C:\WINDOWS\system32\asuninst.exe
2006-07-06 22:52 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-07-06 22:46 536,399,872 C:\hiberfil.sys
2006-07-05 23:03 127,208 C:\WINDOWS\system32\mucltui.dll
2006-07-05 13:08 9,216 C:\WINDOWS\system32\proxycfg.exe
2006-07-05 13:08 88,064 C:\WINDOWS\system32\p2pnetsh.dll
2006-07-05 13:08 86,016 C:\WINDOWS\system32\p2pgasvc.dll
2006-07-05 13:08 81,408 C:\WINDOWS\system32\wscsvc.dll
2006-07-05 13:08 8,192 C:\WINDOWS\system32\spdwnwxp.exe
2006-07-05 13:08 8,192 C:\WINDOWS\system32\smbinst.exe
2006-07-05 13:08 75,776 C:\WINDOWS\system32\strmfilt.dll
2006-07-05 13:08 73,832 C:\WINDOWS\system32\slcoinst.dll
2006-07-05 13:08 73,796 C:\WINDOWS\system32\slserv.exe
2006-07-05 13:08 526,848 C:\WINDOWS\system32\p2psvc.dll
2006-07-05 13:08 50,176 C:\WINDOWS\system32\xmlprovi.dll
2006-07-05 13:08 49,152 C:\WINDOWS\system32\powercfg.exe
2006-07-05 13:08 48,640 C:\WINDOWS\system32\pnrpnsp.dll
2006-07-05 13:08 44,032 C:\WINDOWS\system32\twext.dll
2006-07-05 13:08 4,274,816 C:\WINDOWS\system32\nv4_disp.dll
2006-07-05 13:08 397,056 C:\WINDOWS\system32\s3gnb.dll
2006-07-05 13:08 32,866 C:\WINDOWS\system32\slrundll.exe
2006-07-05 13:08 32,866 C:\WINDOWS\slrundll.exe
2006-07-05 13:08 312,320 C:\WINDOWS\system32\p2pgraph.dll
2006-07-05 13:08 29,184 C:\WINDOWS\system32\sdhcinst.dll
2006-07-05 13:08 286,792 C:\WINDOWS\system32\slextspk.dll
2006-07-05 13:08 21,504 C:\WINDOWS\system32\spupdwxp.exe
2006-07-05 13:08 188,508 C:\WINDOWS\system32\slgen.dll
2006-07-05 13:08 17,408 C:\WINDOWS\system32\winshfhc.dll
2006-07-05 13:08 15,872 C:\WINDOWS\system32\w3ssl.dll
2006-07-05 13:08 13,824 C:\WINDOWS\system32\wscntfy.exe
2006-07-05 13:08 129,536 C:\WINDOWS\system32\xmlprov.dll
2006-07-05 13:08 116,224 C:\WINDOWS\system32\p2p.dll
2006-07-05 13:08 11,776 C:\WINDOWS\system32\spnpinst.exe
2006-07-05 13:08 108,032 C:\WINDOWS\system32\wshbth.dll
2006-07-05 13:07 86,016 C:\WINDOWS\system32\mdmxsdk.dll
2006-07-05 13:07 81,920 C:\WINDOWS\system32\ieencode.dll
2006-07-05 13:07 71,680 C:\WINDOWS\system32\blastcln.exe
2006-07-05 13:07 7,680 C:\WINDOWS\system32\kbdsmsno.dll
2006-07-05 13:07 7,680 C:\WINDOWS\system32\kbdsmsfi.dll
2006-07-05 13:07 7,168 C:\WINDOWS\system32\kbdukx.dll
2006-07-05 13:07 7,168 C:\WINDOWS\system32\kbdno1.dll
2006-07-05 13:07 7,168 C:\WINDOWS\system32\kbdfi1.dll
2006-07-05 13:07 60,416 C:\WINDOWS\system32\fwcfg.dll
2006-07-05 13:07 6,656 C:\WINDOWS\system32\kbdinmal.dll
2006-07-05 13:07 6,656 C:\WINDOWS\system32\kbdinben.dll
2006-07-05 13:07 6,144 C:\WINDOWS\system32\kbdmlt48.dll
2006-07-05 13:07 6,144 C:\WINDOWS\system32\kbdmlt47.dll
2006-07-05 13:07 6,144 C:\WINDOWS\system32\kbdinbe1.dll
2006-07-05 13:07 59,392 C:\WINDOWS\system32\logman.exe
2006-07-05 13:07 55,808 C:\WINDOWS\system32\extmgr.dll
2006-07-05 13:07 516,768 C:\WINDOWS\system32\ativvaxx.dll
2006-07-05 13:07 50,688 C:\WINDOWS\system32\btpanui.dll
2006-07-05 13:07 5,632 C:\WINDOWS\system32\kbdmaori.dll
2006-07-05 13:07 377,984 C:\WINDOWS\system32\ati2dvaa.dll
2006-07-05 13:07 32,768 C:\WINDOWS\system32\ativtmxx.dll
2006-07-05 13:07 32,285 C:\WINDOWS\system32\hsfcisp2.dll
2006-07-05 13:07 30,208 C:\WINDOWS\system32\bthserv.dll
2006-07-05 13:07 24,576 C:\WINDOWS\system32\httpapi.dll
2006-07-05 13:07 229,376 C:\WINDOWS\system32\ati2cqag.dll
2006-07-05 13:07 22,528 C:\WINDOWS\system32\fltmc.exe
2006-07-05 13:07 20,992 C:\WINDOWS\system32\faxpatch.exe
2006-07-05 13:07 20,992 C:\WINDOWS\system32\bthci.dll
2006-07-05 13:07 193,024 C:\WINDOWS\system32\fsquirt.exe
2006-07-05 13:07 16,896 C:\WINDOWS\system32\fltlib.dll
2006-07-05 13:07 14,336 C:\WINDOWS\system32\auditusr.exe
2006-07-05 13:07 13,824 C:\WINDOWS\system32\cmsetacl.dll
2006-07-05 13:07 118,784 C:\WINDOWS\system32\msdadiag.dll
2006-07-05 13:07 1,737,856 C:\WINDOWS\system32\mtxparhd.dll
2006-07-05 12:48 5,967,776 C:\WINDOWS\system32\MRT.exe
2006-07-05 12:22 1,082,368 C:\WINDOWS\system32\esent.dll
2006-07-05 12:13 22,752 C:\WINDOWS\system32\spupdsvc.exe
2006-07-05 12:11 8,192 C:\WINDOWS\system32\bitsprx2.dll
2006-07-05 12:11 7,168 C:\WINDOWS\system32\bitsprx3.dll
2006-07-05 12:11 438,784 C:\WINDOWS\system32\xpob2res.dll
2006-07-05 12:11 351,232 C:\WINDOWS\system32\winhttp.dll
2006-07-05 12:11 18,944 C:\WINDOWS\system32\qmgrprxy.dll
2006-07-05 12:10 18,200 C:\WINDOWS\system32\wups2.dll
2006-07-05 01:38 466,944 C:\WINDOWS\system32\capicom.dll
2006-07-04 22:45 8,704 C:\WINDOWS\system32\SpOrder.dll
2006-07-04 14:23 20,992 C:\WINDOWS\system32\dbf98937.exe
2006-07-04 01:25 245,408 C:\WINDOWS\system32\unicows.dll
2006-07-03 15:04 57,344 C:\WINDOWS\system32\pxhpinst.exe
2006-07-03 15:04 240,640 C:\WINDOWS\system32\mpg4dmod.dll
2006-06-30 11:00 49,250 C:\WINDOWS\system32\javaw.exe
2006-06-30 11:00 49,248 C:\WINDOWS\system32\java.exe
2006-06-30 11:00 127,078 C:\WINDOWS\system32\javaws.exe
2006-06-30 10:48 37,376 C:\WINDOWS\system32\hpz3l3xu.dll
2006-06-30 10:44 94,208 C:\WINDOWS\system32\HPZipt12.dll
2006-06-30 10:44 69,632 C:\WINDOWS\system32\HPZipm12.exe
2006-06-30 10:44 61,440 C:\WINDOWS\system32\HPZinw12.exe
2006-06-30 10:44 57,344 C:\WINDOWS\system32\HPZisn12.dll
2006-06-30 10:44 278,584 C:\WINDOWS\system32\HPZidr12.dll
2006-06-30 10:44 204,800 C:\WINDOWS\system32\HPZipr12.dll
2006-06-30 10:36 98,304 C:\WINDOWS\system32\hpzjsn01.dll
2006-06-30 10:36 77,824 C:\WINDOWS\system32\hpzids01.dll
2006-06-29 21:54 465,176 C:\WINDOWS\system32\wuapi.dll
2006-06-29 21:54 41,240 C:\WINDOWS\system32\wups.dll
2006-06-29 21:54 194,328 C:\WINDOWS\system32\wuaueng1.dll
2006-06-29 21:54 172,312 C:\WINDOWS\system32\wuauclt1.exe
2006-06-29 21:54 127,256 C:\WINDOWS\system32\wucltui.dll
2006-06-29 21:51 221,184 C:\WINDOWS\system32\wmpns.dll
2006-06-29 20:53 805,306,368 C:\pagefile.sys
2006-06-29 17:08 182,880 C:\WINDOWS\system32\iuenginenew.dll
2006-06-29 17:06 614,912 C:\WINDOWS\system32\h323msp.dll
2006-06-29 17:06 39,936 C:\WINDOWS\system32\mf3216.dll
2006-06-29 17:06 332,288 C:\WINDOWS\system32\netapi32.dll
2006-06-29 17:06 331,264 C:\WINDOWS\system32\ipnathlp.dll
2006-06-29 17:05 581,120 C:\WINDOWS\system32\rpcrt4.dll
2006-06-29 17:05 540,160 C:\WINDOWS\system32\comuid.dll
2006-06-29 17:05 204,800 C:\WINDOWS\system32\IVIresizeW7.dll
2006-06-29 17:05 200,704 C:\WINDOWS\system32\IVIresizeA6.dll
2006-06-29 17:05 20,480 C:\WINDOWS\system32\IVIresize.dll
2006-06-29 17:05 192,512 C:\WINDOWS\system32\IVIresizeP6.dll
2006-06-29 17:05 192,512 C:\WINDOWS\system32\IVIresizeM6.dll
2006-06-29 17:05 188,416 C:\WINDOWS\system32\IVIresizePX.dll
2006-06-29 17:05 161,280 C:\WINDOWS\system32\msdtcuiu.dll
2006-06-22 02:59 181,248 C:\WINDOWS\system32\rasmans.dll
2006-06-19 16:20 702,768 C:\WINDOWS\system32\WgaLogon.dll
2006-06-19 16:19 571,184 C:\WINDOWS\system32\LegitCheckControl.dll
2006-06-19 16:19 304,944 C:\WINDOWS\system32\WgaTray.exe
2006-06-16 13:34 48,936 C:\WINDOWS\system32\sirenacm.dll
2006-06-08 12:08 534,208 C:\WINDOWS\system32\SymNeti.dll
2006-06-08 12:08 161,472 C:\WINDOWS\system32\SymRedir.dll
2006-05-26 15:40 1,494,016 C:\WINDOWS\system32\shdocvw.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UpdateManager"="\"c:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"dbf98937.exe"="C:\\WINDOWS\\system32\\dbf98937.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"AlcxMonitor"="ALCXMNTR.EXE"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"RecordNow!"=""
"dbf98937.exe"="C:\\Documents and Settings\\Mandy.YOUR-C8BH3JAGLT\\Local Settings\\Application Data\\dbf98937.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,36,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\vds
HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\WinDefend
HKEY_LOCAL_MACHINE\system\controlset001\control\safeboot\minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\vds
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\WinDefend
HKEY_LOCAL_MACHINE\system\controlset002\control\safeboot\minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Mandy.job
C:\WINDOWS\tasks\WebReg Photosmart 2570 series.job

Completion time: Fri 07/07/2006 12:15:25.40
ComboFix ver 06.07.07 - This logfile is located at C:\ComboFix.txt

[MandyLynn]

Hello. I'm posting again because I tried running the Panda Active Scan and it worked this time. So here is the log from that.


Incident Status Location

Adware:Adware/SystemDoctor Not disinfected c:\windows\system32\dbf98937.exe
Adware:adware/toprebates Not disinfected c:\windows\downloaded program files\WinadX.inf
Spyware:spyware/betterinet Not disinfected c:\windows\inf\satmat.inf
Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Adware:adware/twain-tech Not disinfected c:\windows\satmat.ini
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\JRR\Cookies\[email protected][1].txt
Adware:Adware/SystemDoctor Not disinfected C:\Documents and Settings\JRR\Local Settings\Application Data\dbf98937.exe

[Wizard]

Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [dbf98937.exe] C:\WINDOWS\system32\dbf98937.exe

O4 - HKCU\..\Run: [dbf98937.exe] C:\Documents and Settings\Mandy.YOUR-C8BH3JAGLT\Local Settings\Application Data\dbf98937.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.
• Please double-click Killbox.exe to run it.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  c:\windows\system32\dbf98937.exe
  C:\Documents and Settings\JRR\Local Settings\Application Data\dbf98937.exe
  c:\windows\downloaded program files\WinadX.inf
  c:\windows\inf\satmat.inf
  c:\windows\kwv2.dat
  c:\windows\rdt.ini
  c:\windows\satmat.ini
  
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Select Delete on Reboot and Unregister .dll before Deleting
• then Click on the All Files button.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Restart Normal and Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!

• Follow the Instruction on the F-Secure page for proper installation.
• Accept the License Agreement.
• Once the ActiveX installs,Click Full System Scan
• Once the download completes,the scan will begin automatically.
• The scan will take some time to finish,so please be patient.
• When the scan completes, click the Automatic cleaning (recommended) button.
• Click the Show Report button and Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

[MandyLynn]

Just wanted to say I haven't forgotten about my computer problem. I've been super busy lately and have not had time to work on it. Will post new logs by tomorrow.