Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Removing winfixer2005 and about blank [RESOLVED]

Started by jqs27 , Sep 04 2005 08:12 AM

This topic is locked

#1
jqs27

Posted 04 September 2005 - 08:12 AM

Member

Member
47 posts

Hi everyone/anyone

Could anyone help me in removing about blank and winfixer2005. I have been running my antivirus, adaware, spybot,ccleaner and shredder but still it does not seem to do the job and these 2 applications get automatically launched when I log on.

Any help would be much appreciated

Cheers

#2
Rawe

Posted 04 September 2005 - 08:42 AM

Visiting Staff

Member
4,746 posts

Please Click here!, and follow the recommendations in the guide.

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3
jqs27

Posted 04 September 2005 - 08:47 AM

Member

Topic Starter
Member
47 posts

Hi Rawe,

Thanks for your reply. I have followed the steps of the guide and here is my HJT file.

Logfile of HijackThis v1.99.1
Scan saved at 2:43:15 PM, on 9/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\appqk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\sdkgg32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\TDispVol.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Dad\Desktop\Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.qbsfjsuxo...DszevKlAlu.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ltozamsrc...kvjR9Pg38Nk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vualw.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FA742568-1B11-D6C6-83AC-90866C94CAEA} - C:\WINDOWS\ntpc32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [sdkgg32.exe] C:\WINDOWS\system32\sdkgg32.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [chin axis manager flag] C:\Documents and Settings\All Users\Application Data\City proc chin axis\Barb Bind.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [owns camp] C:\DOCUME~1\Dad\APPLIC~1\BROWSE~1\Love4.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9B5E418-4C7F-447C-9423-43BD08EADC21}: NameServer = 205.188.146.145
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\appqk.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Can you help out

Cheers

#4
Rawe

Posted 04 September 2005 - 08:54 AM

Visiting Staff

Member
4,746 posts

Ok, let's get started :tazz:

Let's do some scanning & analyzing first..

Download CleanUp
Install the program, dont run it yet, we will later.

Download SpyBot S&D, Click Here

IF you have an older version of SpyBot installed, please do the following first:

1. Undo immunization
2. If SDHelper and TeaTimer are enabled, deactivate them first.
3. If Opera Browser is installed, de-select protection for Opera Immunity
4. Uninstall old version of Spybot S&D
5. Reboot

Then install the SpyBot S&D. (Note, do NOT install TeaTimer at this time!)

Next..

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6 and always go online and update it before you run it).

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

Exit Ad-Aware for now, we'll run it later.

Please download Ewido Security Suite it is a free version of the program.

Install Ewido Security Suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch Ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update Ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit Ewido. DO NOT run a scan yet.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp

Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
When CleanUp starts go to the Options button (right side of CleanUp screen)
Move the arrow down to "Custom CleanUp!"
Now place a checkmark next to the following (Make sure nothing else is checked!):
- Delete Cookies
  This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
- Empty Recycle Bins
- Delete Prefetch files
- Cleanup! All Users
Click OK
Then click on the CleanUp button. This will take a short while, let it do its thing.
When asked to reboot system select No
Close CleanUp

Launch Ad-aware..

2. Set up the Configurations as follows:

Click the Gear wheel at the top of the Ad-Aware window
Click General > Safety & Settings: Check (Green) all three.
Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click on scanner
Click on Complete System Scan and the scan will begin.
Clean anything it finds.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close Ewido.

Then reboot AGAIN, post me the Ewido log along with a fresh HiJackThis log.

#5
jqs27

Posted 04 September 2005 - 11:06 AM

Member

Topic Starter
Member
47 posts

Did all the steps of your previous post.

Still have wthe same issues: about blank popo up, win fixer plus a new one which says:
Retrieval of THotkey failed
Error code 0x00031402,0x00000002

Anyhow here is the Ewido log followed by the HJT log

EWIDO

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:53:27 PM, 9/4/2005
+ Report-Checksum: 6E18CD84

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{01198741-DBE0-E6F4-9DBE-877B61FB1D1D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{44A4F449-ADED-A513-8AE7-5A3DDF205F49} -> Spyware.CoolWebSearch : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc102.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc106.txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc11.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc122.txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc130.txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc16.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc2.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc24.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc30.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc31.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc32.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc33.txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc43.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc45.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc65.txt -> Spyware.Cookie.Lop : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc8.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc89.txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\S-1-5-21-3285162853-4141216190-3951289022-1005\Dc92.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\WINDOWS\addgx.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\addtf.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\addya.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\apifh32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\apirt.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\apppo32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appqj32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\atid.ini:cmonzp -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\atlet.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlnm32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\atlsg.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\bootstat.dat:hmjug -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crjl.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\crxq32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\d3ck.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\d3cl32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\d3yr32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\dahvs.txt:eqwtbm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\desktop.ini:ehalky -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:dxnlof -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\getwa.dat:evsmfk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\getwa.dat:hhicyd -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:zqveso -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:vygqqp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hfxkx.txt:azbitg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hwmbu.dat:susgeh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iepk.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\iepu.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\ieuv.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\iewt.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\ipoo.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\ipun.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\javaij32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\javaqo32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\mfcav32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\mfcfs.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\mfcps32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\mfcwy.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\msvw.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\mszs.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\netvn32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\nthb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntyg32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\n_driyng.dat -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_fyxuaw.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_hdydjc.dat -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_igobax.txt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_kolrug.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_qkshgq.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_qpflhm.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_rvjrho.dat -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_smsrgk.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBCINST.INI:hmqxb -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:lqwggl -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:sgtqy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Q329048.log:digmbw -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\qilob.txt:zenana -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\REGLOCS.OLD:rfgnpc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Rhododendron.bmp:wdkzyj -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\River Sumida.bmp:sdvggc -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\Satellite.scr:diobb -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\sbgru.txt:kenmie -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:pedesl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkve32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\smscfg.ini:xclsxu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\swupdate.ini:qdefze -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\system32:yuaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\addec32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\apidb.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apioq32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\apiru32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\atlls.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\atlyp32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\creq.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\crik32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\crkw32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\crlm.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\croj.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\d3ed32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\d3oj32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\d3ru.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\iewq.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\ipeg.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\iplt32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\ipzo32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javagz.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\javatn.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\mfcry32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\msof32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\netao32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\neter.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netgw32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\neton.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\netzx.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\ntni.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\ntxk.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\ntyc32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\sdktf32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\sdkwg32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\sdkwy32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\system32\winaz.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\T30DebugLogFile.txt:owuosz -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\Toshiba.bmp:behqvr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Toshiba.bmp:hwmbub -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Toshiba.bmp:szzjsh -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\TSession.reg:wgowmg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\tufbk.txt:lzjomr -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\vbaddin.ini:kgcrhu -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\vbaddin.ini:myhahy -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\vfhsb.txt:wnxpxh -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\vtuhi.dat:chuwjf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wiaservc.log:ooquzs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winiq.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\winkg32.dll -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\winzw32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WMSysPr9.prx:iuwhce -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:bcnmy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:bdelt -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:bdxid -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:bglte -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:bmuvz -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:bomyt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:cflenw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ckqjh -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:cqomtf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:crgebk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:cwxomo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:dfgakk -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:divuen -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:dmlovr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:dwjrmf -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:eduram -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:emhbp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:erqhvk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:esnwq -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ewrer -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ezlla -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:fetud -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ffzjj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:fqrqgp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ftjao -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:gjkfwx -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:gmytx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:gtfxih -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:gxynhj -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:havvwi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:hoqxn -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ichqtu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ippjk -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:iturny -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:jgeef -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:jqvhyu -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:kiuqj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:knswyf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:kzipv -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:likpkc -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:lltjsp -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:lqxcta -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:meygx -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:oenwdp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:oqaplo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:oqski -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:oqszbv -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:ormozo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:otycuz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:pbolyj -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:pgjzt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:pyvwn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:qgjiun -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:qibcc -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:qjmxh -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:qniip -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:qsjltw -> Trojan.Agent.em : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:quvsk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:rpsjm -> TrojanDownloader.Agent.pe : Cleaned with backup
C:\WINDOWS\{233D3878-6152-4FE9-9402-AA104326305E}.dat:rrrct -> TrojanDownloader.Agent.bq : Cleaned with backup

::Report End

AND HERE IS THE HJT

Logfile of HijackThis v1.99.1
Scan saved at 6:58:44 PM, on 9/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoctrl.exe
C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoguard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\TDispVol.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\Dad\Desktop\Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vuxxgeych...fDszevKlAlu.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ltozamsrc...kvjR9Pg38Nk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vualw.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FA742568-1B11-D6C6-83AC-90866C94CAEA} - C:\WINDOWS\ntpc32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [chin axis manager flag] C:\Documents and Settings\All Users\Application Data\City proc chin axis\Barb Bind.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWFX5] "C:\WINDOWS\Downloaded Program Files\UWFX5NetInstaller.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - McAfee.com Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks

#6
Rawe

Posted 04 September 2005 - 11:45 AM

Visiting Staff

Member
4,746 posts

Looks like the programs did some major cleanup.. :tazz:

Download cureit;
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Run drweb - cureit
Double-click the "drweb-cureit.exe" and click "ok" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it finds, and when it says "done" in the lower left corner click on all your drive's.
A red dot will mark the selected drive(s) . Then hit the pedestrian who now has turned green.
Click on the green man in the right corner, it will scan ALL your drive's, hit yes to all.

Reboot.

Run this online scan once rebooted and post it's results here in a reply:

Panda Activescan

#7
jqs27

Posted 04 September 2005 - 02:31 PM

Member

Topic Starter
Member
47 posts

Hi Rawe,

Sorry for taking so long but I had problems running the Panda ActiveScan.

Anyhow here is a copy of the log after running the active scan

Incident Status Location

Adware:adware/searchaid No disinfected C:\WINDOWS\SYSTEM32\iprp.exe
Dialer:dialer.bdf No disinfected C:\WINDOWS\SYSTEM32\newdial.exe
Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\newdial1.exe
Dialer:dialer.xc No disinfected C:\WINDOWS\SYSTEM32\paydial.exe
Adware:adware/navipromo No disinfected C:\WINDOWS\SYSTEM32\sdkaf32.exe
Adware:adware/midaddle No disinfected C:\WINDOWS\addit.exe
Adware:adware/cws No disinfected C:\WINDOWS\apphi32.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\City proc chin axis\Barb Bind.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Dad\Application Data\Browse idol\creative send cdrom great.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Dad\Application Data\Browse idol\Each mix flaw.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Dad\Application Data\Browse idol\qrdnrnvn.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Dad\Application Data\support the\draw safe.exe
Adware:Adware/NavHelper No disinfected C:\Documents and Settings\Dad\My Documents\Data\Alex_Astrid_Dod\Alex\setup_ares.exe
Possible Virus. No disinfected C:\Program Files\Panasonic\CNDVDLEforMDVS\CNSHDDIF.dll

Thanks for your help on this

#8
Rawe

Posted 05 September 2005 - 06:26 AM

Visiting Staff

Member
4,746 posts

1) Please download the Killbox by Option^Explicit.

2) Save it to your desktop.

3) Run Killbox.exe.

4) Select "Delete on Reboot".

5) Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\SYSTEM32\iprp.exe
C:\WINDOWS\SYSTEM32\newdial.exe
C:\WINDOWS\SYSTEM32\newdial1.exe
C:\WINDOWS\SYSTEM32\paydial.exe
C:\WINDOWS\SYSTEM32\sdkaf32.exe
C:\WINDOWS\addit.exe
C:\WINDOWS\apphi32.exe
C:\Documents and Settings\All Users\Application Data\City proc chin axis\Barb Bind.exe
C:\Documents and Settings\Dad\Application Data\Browse idol\creative send cdrom great.exe
C:\Documents and Settings\Dad\Application Data\Browse idol\Each mix flaw.exe
C:\Documents and Settings\Dad\Application Data\Browse idol\qrdnrnvn.exe
C:\Documents and Settings\Dad\Application Data\support the\draw safe.exe
C:\Documents and Settings\Dad\My Documents\Data\Alex_Astrid_Dod\Alex\setup_ares.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

Reboot.

Post a fresh HiJackThis log once finished. :tazz:

#9
jqs27

Posted 05 September 2005 - 09:43 AM

Member

Topic Starter
Member
47 posts

Downloaded killbox and run the program with the file names indicated. That said I still have the same problems when i log on.

Here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 5:38:56 PM, on 9/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoctrl.exe
C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\TDispVol.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\Dad\Desktop\Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vuxxgeych...fDszevKlAlu.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ltozamsrc...kvjR9Pg38Nk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vualw.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FA742568-1B11-D6C6-83AC-90866C94CAEA} - C:\WINDOWS\ntpc32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [chin axis manager flag] C:\Documents and Settings\All Users\Application Data\City proc chin axis\Barb Bind.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Cheers

#10
Rawe

Posted 05 September 2005 - 10:07 AM

Visiting Staff

Member
4,746 posts

Do you have Messenger Plus!3 installed?

#11
jqs27

Posted 05 September 2005 - 10:18 AM

Member

Topic Starter
Member
47 posts

I have Windows Messenger installed. Don't know if it's 3 plus though. How can I check this

#12
Rawe

Posted 05 September 2005 - 10:27 AM

Visiting Staff

Member
4,746 posts

Nevermind.

Let's see if we can remove Lop with couple of scanners..

First:

Download the latest version of Ad-Aware from HERE (if you already have Ad-Aware installed, make sure that it is the latest version 1.0.6 and always go online and update it before you run it).

If it's NOT the version 1.0.6, can you then uninstall your current version/delete folder: C:\Program Files\Lavasoft & empty recycle bin. Finally install the latest version.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon, Click "connect", Click "OK", Click "Finish".)

IF you are having problems with the updating, get the manual updates here; http://download.lava...public/defs.zip

2. Set up the Configurations as follows:

Click the Gear wheel at the top of the Ad-Aware window
Click General > Safety & Settings: Check (Green) all three.
Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

3. Click on "Proceed"
4. Click on "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to every "target family" for removal.
11. Click "Next", Click "OK".
12. Reboot.

Next,

Download SpyBot S&D, Click Here

IF you have an older version of SpyBot installed, please do the following first:

1. Undo immunization
2. If SDHelper and TeaTimer are enabled, deactivate them first.
3. If Opera Browser is installed, de-select protection for Opera Immunity
4. Uninstall old version of Spybot S&D
5. Reboot

Then install the SpyBot S&D. (NOTE: Do NOT install TeaTimer at this time!)

When installed, launch SpyBot. Access the menu named "Mode". Choose "Advanced Mode" and confirm with yes if a warning pops up.
Next, go to the "Settings" menu and access "Settings" from the list. Scroll down and look for the following setting (Make sure you check the box next to it, to make sure the setting is working.) "Display Available Beta- versions".

Then search for updates. Install ALL updates. Click "Immunize", then "Immunize" again.
Next, access the "Settings" yet again, choose to go to "Ignore Products" and UNcheck (DEselect) EVERY check box.

Next, do the scan, removing all objects found in RED color.

Exit SpyBot.

Finally:

Clean out temporary files:

Click Start -> Run and type in: cleanmgr
Click "Ok".
Let it scan your system.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
Click "OK" to remove them.
Click "Yes" to confirm the deletion.

Then reboot and post a fresh HiJackThis log. :tazz:

#13
jqs27

Posted 05 September 2005 - 11:31 AM

Member

Topic Starter
Member
47 posts

Followed the instructions: Lavasoft, spybot, cleanmgr and here is the latest HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:28:48 PM, on 9/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoctrl.exe
C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\TDispVol.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Documents and Settings\Dad\Desktop\Protection\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vuxxgeych...fDszevKlAlu.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ltozamsrc...kvjR9Pg38Nk.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vualw.dll/sp.html#12047
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.toshiba.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FA742568-1B11-D6C6-83AC-90866C94CAEA} - C:\WINDOWS\ntpc32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
O4 - HKLM\..\Run: [TSysSMon] c:\toshiba\sysstability\tsyssmon.exe /detect
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 03
O4 - HKLM\..\Run: [chin axis manager flag] C:\Documents and Settings\All Users\Application Data\City proc chin axis\Barb Bind.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Dad\Desktop\Protection\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Cheers

#14
Rawe

Posted 05 September 2005 - 11:38 AM

Visiting Staff

Member
4,746 posts

Ok, I want you to uninstall "Spyware Cleaner".

Reason, suspect/rogue program, see more here:

http://www.spywarewa...nti-spyware.htm

IF you decide to uninstall the program, please do the following--

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall:

SpywareCleaner

Next, navigate to, and delete this folder: C:\Program Files\SpywareCleaner\

Then empty recycle bin.

After that:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
Double-click the file to install it as follows:
- Click "Next", read the agreement, Click "Next"
- Choose "Custom" click "Next".
- Leave the default installation directoy as it is, then click "Next".
- UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
- On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
- Finally, click "Install"
Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

#15
jqs27

Posted 05 September 2005 - 12:03 PM

Member

Topic Starter
Member
47 posts

Hi Rawe,

Did what you suggested. Please find herewith copy of the session log after running WebRoot SpySweeper

********
7:53 PM: |··· Start of Session, Monday, September 05, 2005 ···|
7:53 PM: Spy Sweeper started
7:53 PM: Sweep initiated using definitions version 526
7:53 PM: Starting Memory Sweep
7:56 PM: Memory Sweep Complete, Elapsed Time: 00:03:06
7:56 PM: Starting Registry Sweep
7:56 PM: Found Trojan Horse: agent.ay downloader
7:56 PM: HKCR\clsid\{088bb196-6676-cb49-248d-e08b115e7e10}\ (2 subtraces) (ID = 103335)
7:56 PM: HKLM\software\classes\clsid\{088bb196-6676-cb49-248d-e08b115e7e10}\ (2 subtraces) (ID = 103344)
7:56 PM: Found Adware: cws_ns3 hijacker
7:56 PM: HKU\WRSS_Profile_S-1-5-21-3285162853-4141216190-3951289022-1005\software\microsoft\internet explorer\main\ || search bar (ID = 123390)
7:56 PM: HKU\WRSS_Profile_S-1-5-21-3285162853-4141216190-3951289022-1005\software\microsoft\internet explorer\main\ || search page (ID = 123391)
7:56 PM: Found Adware: fastlook hijacker
7:56 PM: HKLM\software\microsoft\windows\currentversion\run\ || iexplore.exe (ID = 126410)
7:56 PM: Found Adware: navexcel navhelper
7:56 PM: HKU\WRSS_Profile_S-1-5-21-3285162853-4141216190-3951289022-1005\software\navexcel ltd\ (13 subtraces) (ID = 135548)
7:56 PM: Found Trojan Horse: trojan-downloader-silly
7:56 PM: HKCR\clsid\{a9249c0b-bcbd-a4ab-169f-99cb9fdf8eaf}\ (2 subtraces) (ID = 144751)
7:56 PM: HKLM\software\classes\clsid\{a9249c0b-bcbd-a4ab-169f-99cb9fdf8eaf}\ (2 subtraces) (ID = 144754)
7:56 PM: Found Trojan Horse: trojan_downloader_tibser
7:56 PM: HKCR\clsid\{4ee6b1b9-e3c3-db03-16bb-541af46efca3}\ (2 subtraces) (ID = 145073)
7:56 PM: HKCR\clsid\{28f3e407-f254-5d75-c0d9-a8f22cc3eac5}\ (2 subtraces) (ID = 145076)
7:56 PM: HKCR\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\ (2 subtraces) (ID = 145084)
7:56 PM: HKCR\clsid\{d29fdf9c-92f0-18bd-01ed-22a5dbb07081}\ (2 subtraces) (ID = 145087)
7:56 PM: HKCR\clsid\{e4c72eda-8bdb-7d77-0f8c-37f041df909d}\ (2 subtraces) (ID = 145088)
7:56 PM: HKLM\software\classes\clsid\{4ee6b1b9-e3c3-db03-16bb-541af46efca3}\ (2 subtraces) (ID = 145090)
7:56 PM: HKLM\software\classes\clsid\{28f3e407-f254-5d75-c0d9-a8f22cc3eac5}\ (2 subtraces) (ID = 145093)
7:56 PM: HKLM\software\classes\clsid\{bd3b6d57-bb35-1cad-d1dc-ac5dd1b9d3de}\ (2 subtraces) (ID = 145101)
7:56 PM: HKLM\software\classes\clsid\{d29fdf9c-92f0-18bd-01ed-22a5dbb07081}\ (2 subtraces) (ID = 145104)
7:56 PM: HKLM\software\classes\clsid\{e4c72eda-8bdb-7d77-0f8c-37f041df909d}\ (2 subtraces) (ID = 145105)
7:57 PM: Found Adware: cws_tiny0
7:57 PM: HKLM\software\classes\clsid\{21f86fc9-9816-df79-1758-957e35b249b5}\ (2 subtraces) (ID = 721817)
7:57 PM: Registry Sweep Complete, Elapsed Time:00:00:10
7:57 PM: Starting Cookie Sweep
7:57 PM: Found Spy Cookie: yieldmanager cookie
7:57 PM: [email protected][2].txt (ID = 3751)
7:57 PM: Found Spy Cookie: adultfriendfinder cookie
7:57 PM: dad@adultfriendfinder[1].txt (ID = 2165)
7:57 PM: Found Spy Cookie: atwola cookie
7:57 PM: dad@atwola[1].txt (ID = 2255)
7:57 PM: Found Spy Cookie: burstnet cookie
7:57 PM: dad@burstnet[2].txt (ID = 2336)
7:57 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:57 PM: Starting File Sweep
7:59 PM: Warning: Failed to read file "c:\documents and settings\dad\local settings\temp\~df22e0.tmp". System Error. Code: 32.
The process cannot access the file because it is being used by another process
7:59 PM: Found Adware: coolwebsearch (cws)
7:59 PM: search the web.url (ID = 54454)
7:59 PM: only sex website.url (ID = 54373)
7:59 PM: seven days of free [bleep].url (ID = 54472)
7:59 PM: credit counseling.url (ID = 130668)
7:59 PM: insurance home.url (ID = 130676)
7:59 PM: mortgage life insurance.url (ID = 130681)
7:59 PM: help desk software.url (ID = 130675)
7:59 PM: ab scissor.url (ID = 130666)
7:59 PM: videos.url (ID = 130694)
7:59 PM: what is hydrocodone.url (ID = 130695)
7:59 PM: online gambling casino.url (ID = 130684)
7:59 PM: refinancing my mortgage.url (ID = 130691)
7:59 PM: debt credit card.url (ID = 130671)
7:59 PM: fha.url (ID = 130673)
7:59 PM: loan for debt consolidation.url (ID = 130677)
7:59 PM: health insurance.url (ID = 130674)
7:59 PM: personal loans online.url (ID = 130688)
7:59 PM: payroll advance.url (ID = 130687)
7:59 PM: marketing email.url (ID = 130679)
7:59 PM: prescription drugs rx online.url (ID = 130690)
7:59 PM: credit report.url (ID = 130669)
7:59 PM: tahoe vacation rental.url (ID = 130692)
7:59 PM: escorts.url (ID = 130672)
7:59 PM: Found Trojan Horse: dcharge
7:59 PM: winrt.exe (ID = 57560)
7:59 PM: order phentermine.url (ID = 130686)
7:59 PM: mortgage insurance.url (ID = 130680)
7:59 PM: personal loans with bad credit.url (ID = 130689)
7:59 PM: crm software.url (ID = 130670)
7:59 PM: nevada corporations.url (ID = 130682)
7:59 PM: unsecured bad credit loans.url (ID = 130693)
7:59 PM: loan for people with bad credit.url (ID = 130678)
7:59 PM: broadband comparison.url (ID = 130667)
7:59 PM: online betting site.url (ID = 130683)
7:59 PM: online instant loan.url (ID = 130685)
7:59 PM: File Sweep Complete, Elapsed Time: 00:02:39
7:59 PM: Full Sweep has completed. Elapsed time 00:06:02
7:59 PM: Traces Found: 100
8:00 PM: Removal process initiated
8:00 PM: Quarantining All Traces: agent.ay downloader
8:00 PM: Quarantining All Traces: cws_ns3 hijacker
8:00 PM: Quarantining All Traces: fastlook hijacker
8:00 PM: Quarantining All Traces: navexcel navhelper
8:00 PM: Quarantining All Traces: trojan-downloader-silly
8:00 PM: Quarantining All Traces: trojan_downloader_tibser
8:00 PM: Quarantining All Traces: cws_tiny0
8:00 PM: Quarantining All Traces: yieldmanager cookie
8:00 PM: Quarantining All Traces: adultfriendfinder cookie
8:00 PM: Quarantining All Traces: atwola cookie
8:00 PM: Quarantining All Traces: burstnet cookie
8:00 PM: Quarantining All Traces: coolwebsearch (cws)
8:00 PM: Quarantining All Traces: dcharge
8:01 PM: Removal process completed. Elapsed time 00:01:18
********
7:52 PM: |··· Start of Session, Monday, September 05, 2005 ···|
7:52 PM: Spy Sweeper started
7:52 PM: Your spyware definitions have been updated.
7:53 PM: |··· End of Session, Monday, September 05, 2005 ···|

Cheers