[Dlsnj]

Hi all,
I have run almost all the program that you have asked me to and fixed what they found. Problem is still happening. Computer is really slow and programs are closing all by themselves. I still get winfixer popups. I have many hours in this and I am totally frustrated. The only step that I could not do is an online scan as they would not load. But I have run PCcillin which is on my computer. Any help that you can give me would be greatly appreciated. Here is my Hijack log.
Thanks,
Dawn

Logfile of HijackThis v1.99.1
Scan saved at 3:04:09 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\pcclient.exe
C:\HijackHJT\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\temp\aubin\patch.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://joemac.net/Su...CameraPage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.safehavenpc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://joemac.net/Su...CameraPage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\ljhgf.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ljjjk.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127796192\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Losi] C:\Documents and Settings\Mom.MAINHOME\Application Data\tbas.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.safehavenpc.com
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.13...Q/bin/WebIQ.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www1.pcpitsto...virus/PCPAV.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.lifescan...tdms/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.149.234.19...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://64.154.241.30/wg_webeye.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://216.157.26.3/svideo3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O20 - Winlogon Notify: ljhgf - C:\WINDOWS\system32\ljhgf.dll
O20 - Winlogon Notify: ljjjk - ljjjk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by Dlsnj, 07 January 2006 - 02:38 PM.

[Advertisements]

Hi Dlsnj

Welcome to G2G!

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click here to download VundoFix.exe.

• Save the VundoFix.exe file to your desktop.
• Double-click VundoFix.exe to extract the files.
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning that should look like this
  

  VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue....
  
  

  
  
• At this point press the Enter key on your keyboard one time.
  
  
• Next you will see:
  

  Please Type in the filepath as instructed by the forum staff
  and then press enter:

  
  
• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\system32\ljhgf.dll
• Press Enter to continue with the fix.
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum
  staff then press enter:

  
  
• At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\fghjl.*
  
• Press Enter to continue with the fix.
  
  
• If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
  
  
• The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  
  
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  • O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\ljhgf.dll
  • O20 - Winlogon Notify: ljhgf - C:\WINDOWS\system32\ljhgf.dll
  • O20 - Winlogon Notify: ljjjk - ljjjk.dll (file missing)
  
  
• After you have fixed these items, close Hijackthis.
  
  
• Press enter to exit the program then manually reboot your computer.
  
  
• Once your machine reboots please continue with the instructions below.

*Download Cleanup from Here

• Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
• Click the Options... button on the right.
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Cleanup! All Users
  Click OK
• Press the CleanUp! button to start the program.
• It may ask you to reboot at the end, click NO.

* Run ActiveScan online virus scan here

• When the scan is finished, anything that it cannot clean have it delete it.
• Save the results from the scan!
• Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[Flrman1]

Hi Dlsnj

Welcome to G2G!

* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Click here to download VundoFix.exe.

• Save the VundoFix.exe file to your desktop.
• Double-click VundoFix.exe to extract the files.
• This will create a VundoFix folder on your desktop.
• After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
• Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
• You will first be presented with a warning that should look like this
  

  VundoFix V2.15 by Atri
  By using VundoFix you agree that you are doing so at your own risk
  Press enter to continue....
  
  

  
  
• At this point press the Enter key on your keyboard one time.
  
  
• Next you will see:
  

  Please Type in the filepath as instructed by the forum staff
  and then press enter:

  
  
• At this point please type the following file path (make sure to enter it exactly as below!):
  • C:\WINDOWS\system32\ljhgf.dll
• Press Enter to continue with the fix.
  
• Next you will see:
  

  Please type in the second filepath as instructed by the forum
  staff then press enter:

  
  
• At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\fghjl.*
  
• Press Enter to continue with the fix.
  
  
• If you have a script blocker running, you may get a warning about a malicious script. Allow the script to run. It is not malicious.
  
  
• The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  
  
• In HiJackThis, please place a check next to the following items and click FIX CHECKED:
  • O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\ljhgf.dll
  • O20 - Winlogon Notify: ljhgf - C:\WINDOWS\system32\ljhgf.dll
  • O20 - Winlogon Notify: ljjjk - ljjjk.dll (file missing)
  
  
• After you have fixed these items, close Hijackthis.
  
  
• Press enter to exit the program then manually reboot your computer.
  
  
• Once your machine reboots please continue with the instructions below.

*Download Cleanup from Here

• Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
• Click the Options... button on the right.
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Cleanup! All Users
  Click OK
• Press the CleanUp! button to start the program.
• It may ask you to reboot at the end, click NO.

* Run ActiveScan online virus scan here

• When the scan is finished, anything that it cannot clean have it delete it.
• Save the results from the scan!
• Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

[Dlsnj]

Hi Flrman1,
Thanks for your quick response. I did all that you asked except Running ActiveScan as it will not let me download the activeX. I also had problems with safe mode. The desktop would not show up so I had to access Vundofix on the desktop via ControlAltDelete file menu and clicking on NewTask(run). The other day I had trouble getting to ControlAltDelete saying that it was disabled and only the administrator could run it, Even though I am the administrator. Any other suggestions would be appreciated.
Here is the error message ffrom activescan:

Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are:

Not allowing the application's ActiveX control to be downloaded.

Problems with the Internet connection.

The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... Try again

I tried 3xs still no. Here is the other logs that you requested.
The items on the hijack log you asked me to remove are still there even though I checked them off and hit fix checked.

Logfile of HijackThis v1.99.1
Scan saved at 4:55:37 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

--------------------------------------------------------------------------------------



Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MemoryBoost\MemoryBoost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1127796192\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackHJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://joemac.net/Su...CameraPage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.safehavenpc.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://joemac.net/Su...CameraPage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\ljhgf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ljjjk.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127796192\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Losi] C:\Documents and Settings\Mom.MAINHOME\Application Data\tbas.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.safehavenpc.com
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.13...Q/bin/WebIQ.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www1.pcpitsto...virus/PCPAV.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.lifescan...tdms/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.149.234.19...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://64.154.241.30/wg_webeye.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://216.157.26.3/svideo3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O20 - Winlogon Notify: ljhgf - C:\WINDOWS\system32\ljhgf.dll (file missing)
O20 - Winlogon Notify: ljjjk - ljjjk.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


And here is the vondofix log:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\system32\ljhgf.dll

The second filepath entered was C:\WINDOWS\system32\fghjl.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 152 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe


Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\system32\ljhgf.dll Deleted sucessfully.
C:\WINDOWS\system32\fghjl.* Deleted sucessfully.

Fixing Registry

[Flrman1]

** Before you proceed with the removal directions below you need to turn off MS Anti-Spyware's realtime protection as it will interfere with the changes we are trying to make.

• Open MS Anti-Spyware and click on Options > Settings.
• Click on "Realtime Protection" in the left pane.
• Remove the check by these:
  • Enable the Microsoft Security Agents on startup (recommended)
  • Enable real-time spyware threat protection (recommended)
• Click "Save"
• Now right click the MS Anti-spyware icon in your system tray and choose "Shutdown Microsoft Anti-Spyware"
• Leave it disabled until we are finished here.

* Go to Add/Remove programs and uninstall Viewpoint manager.


* I also recommend that you uninstall Weatherbug. It is adware. Check this out for info on Weatherbug and make your own decision:

http://www.pchell.co...eatherbug.shtml

Here are two adware free alternatives:

http://www.tropicdesigns.net/ -----> I use this one.

http://www.singerscreations.com/

Weatherbug can easily be removed via Add/Remove programs.




* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R3 - Default URLSearchHook is missing

O2 - BHO: ATLDistrib Object - {93C6313C-9DB4-4694-8BD0-E378C573A9AD} - C:\WINDOWS\system32\ljhgf.dll (file missing)

O2 - BHO: (no name) - {EA32FB3B-21C9-42cc-B8EF-01A9B28EDB0D} - C:\WINDOWS\system32\ljjjk.dll (file missing)

O4 - HKCU\..\Run: [Losi] C:\Documents and Settings\Mom.MAINHOME\Application Data\tbas.exe

O20 - Winlogon Notify: ljhgf - C:\WINDOWS\system32\ljhgf.dll (file missing)

O20 - Winlogon Notify: ljjjk - ljjjk.dll (file missing)


* Next in Hijack This and click on the Config button in the lower right corner. In the next window click on the Misc Tools button at the top. Now click on the Delete a file on reboot... button. Either type or copy and paste this line in the "File name" box:

C:\Documents and Settings\Mom.MAINHOME\Application Data\tbas.exe

You will be asked if you want to restart. Click Yes.

After restarting, run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan

Edited by Flrman1, 07 January 2006 - 04:28 PM.

[Dlsnj]

Ok computer is definitly a little faster on startup/shutdown. also better when opening and closing programs but still a lot of memory being used up. Also want to add that when I reboot and the windows startup screen comes up, where you click which user, well that is gone and has been gone since before we started, but i forgot to tell you that. It just says welcome. Maybe that is why I am having problems with administrator. I did all except the kaspersky scanner. It would not load error message is:

Failed to load Kaspersky online scanner ActiveX control!
You must have administrative rights on this computer; you must
also have Internet Explorer security settings set to medium!

I am the administrator and the IE settings are medium. Is it possible a virus took over and made themselves administrator. I have posted my PCcillin logs below:

"Virus Scan","2006/01/03","MAINHOME"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"07:54","Manual Scan","File","TROJ_EXITWIN.F","C:\Documents and Settings\Mom.MAINHOME\Local Settings\Temp\rsysinit.exe","Quarantine Success",""

"Virus Scan","2005/12/28","MAINHOME"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"16:30","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\WINDOWS\TIMESSQUARE.EXE","Deny Access",""
"16:31","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\WINDOWS\TIMESSQUARE.EXE","Deny Access",""
"17:41","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\windows\timessquare.exe","Deny Access",""
"18:55","Manual Scan","File","HTML_ALPHX.C","C:\Documents and Settings\Lauren.MAINHOME\Local Settings\Temporary Internet Files\Content.IE5\BZ9RFPOW\iav[1].hta","Quarantine Success",""
"18:55","Manual Scan","File","HTML_ALPHX.C","C:\Documents and Settings\Lauren.MAINHOME\Local Settings\Temporary Internet Files\Content.IE5\BZ9RFPOW\iav[2].hta","Quarantine Success",""
"18:55","Manual Scan","File","HTML_ALPHX.C","C:\Documents and Settings\Lauren.MAINHOME\Local Settings\Temporary Internet Files\Content.IE5\BZ9RFPOW\iav[3].hta","Quarantine Success",""
"19:15","Manual Scan","File","TROJ_DLOADER.ATW","C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\05YN0X63\MTE3NDI6ODoxNg[1].exe","Quarantine Success",""
"19:15","Manual Scan","File","TROJ_CLICKER.FC","C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\CXYFCHUN\adtech2006a[1].exe","Quarantine Success",""
"19:15","Manual Scan","File","TROJ_DRSMARTL.A","C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ODQFGTU7\drsmartload[1].exe","Quarantine Success",""
"19:15","Manual Scan","File","TROJ_TSUPDATE.G","C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ODQFGTU7\stub_113_4_0_4_0[1].exe","Quarantine Success",""
"19:21","Manual Scan","File","JAVA_CLOADER.E","A.class (C:\Documents and Settings\Mom.MAINHOME\.jpi_cache\jar\1.0\ar.jar-24cf9bc4-12893560.zip)","Quarantine Fail",""
"19:21","Manual Scan","File","---","C:\Documents and Settings\Mom.MAINHOME\.jpi_cache\jar\1.0\ar.jar-24cf9bc4-12893560.zip","Quarantine Success",""
"19:21","Manual Scan","File","JAVA_BYTEVER.A","Colors.class (C:\Documents and Settings\Mom.MAINHOME\.jpi_cache\jar\1.0\archive.jar-18c96186-17a10aea.zip)","Quarantine Fail",""
"19:21","Manual Scan","File","---","C:\Documents and Settings\Mom.MAINHOME\.jpi_cache\jar\1.0\archive.jar-18c96186-17a10aea.zip","Quarantine Success",""
"19:54","Manual Scan","File","TROJ_DRSMARTL.A","C:\drsmartload1.exe","Quarantine Success",""
"19:56","Manual Scan","File","TROJ_DLOADER.ATW","C:\MTE3NDI6ODoxNg.exe","Quarantine Success",""
"20:34","Manual Scan","File","TROJ_TSUPDATE.G","C:\stub_113_4_0_4_0.exe","Quarantine Success",""
"23:05","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\WINDOWS\timessquare.exe","Deny Access",""

Virus Scan","2005/12/29","MAINHOME"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"03:26","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\05YN0X63\timessquare[1].exe","Deny Access",""
"03:26","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\05YN0X63\TIMESS~1.EXE","Deny Access",""
"07:38","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\WINDOWS\timessquare.exe","Deny Access",""
"07:38","Real-time Protection","File","ADW_DCTOOLBAR.A","C:\WINDOWS\TIMESS~1.EXE","Deny Access",""
"07:39","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\z00096.exe","Deny Access",""
"08:14","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.dll","Deny Access",""
"08:16","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.dll","Deny Access",""
"08:26","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\Z00096.EXE","Deny Access",""
"08:27","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.dll","Deny Access",""
"08:29","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.dll","Deny Access",""
"08:47","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.DLL","Deny Access",""
"11:04","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.dll","Deny Access",""
"11:04","Real-time Protection","File","ADW_ZQUEST.A","C:\WINDOWS\DH.dll","Deny Access",""

Here is my spysweeper logs:

*******
1:19 PM: | Start of Session, Thursday, January 05, 2006 |
1:19 PM: Spy Sweeper started
1:19 PM: Sweep initiated using definitions version 595
1:19 PM: Starting Memory Sweep
1:27 PM: Memory Sweep Complete, Elapsed Time: 00:07:52
1:27 PM: Starting Registry Sweep
1:28 PM: Registry Sweep Complete, Elapsed Time:00:00:56
1:28 PM: Starting Cookie Sweep
1:28 PM: Found Spy Cookie: specificclick.com cookie
1:28 PM: [email protected][1].txt (ID = 3400)
1:28 PM: Found Spy Cookie: apmebf cookie
1:28 PM: mom@apmebf[2].txt (ID = 2229)
1:28 PM: Found Spy Cookie: ic-live cookie
1:28 PM: mom@ic-live[1].txt (ID = 2821)
1:28 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
1:28 PM: Starting File Sweep
2:55 PM: File Sweep Complete, Elapsed Time: 01:26:30
2:55 PM: Full Sweep has completed. Elapsed time 01:35:36
2:55 PM: Traces Found: 3
5:22 PM: Removal process initiated
5:22 PM: Quarantining All Traces: apmebf cookie
5:22 PM: Quarantining All Traces: ic-live cookie
5:22 PM: Quarantining All Traces: specificclick.com cookie
5:22 PM: Removal process completed. Elapsed time 00:00:49
6:36 PM: Download has been canceled at your request.
6:37 PM: Deletion from quarantine initiated
6:37 PM: Processing: 66.246.209 cookie
6:37 PM: Processing: about cookie
6:37 PM: Processing: adserver cookie
6:37 PM: Processing: apmebf cookie
6:37 PM: Processing: ask cookie
6:37 PM: Processing: atwola cookie
6:37 PM: Processing: bravenet cookie
6:37 PM: Processing: centrport net cookie
6:37 PM: Processing: dollarrevenue
6:37 PM: Processing: falkag cookie
6:37 PM: Processing: ic-live cookie
6:37 PM: Processing: monstermarketplace cookie
6:37 PM: Processing: nextag cookie
6:37 PM: Processing: partypoker cookie
6:37 PM: Processing: reliablestats cookie
6:37 PM: Processing: specificclick.com cookie
6:37 PM: Processing: statcounter cookie
6:37 PM: Processing: surfsidekick
6:37 PM: Processing: toplist cookie
6:37 PM: Processing: tribalfusion cookie
6:37 PM: Processing: winantiviruspro cookie
6:37 PM: Deletion from quarantine completed. Elapsed time 00:00:01
********
12:21 PM: | Start of Session, Wednesday, January 04, 2006 |
12:21 PM: Spy Sweeper started
12:21 PM: Sweep initiated using definitions version 595
12:21 PM: Starting Memory Sweep
12:29 PM: Memory Sweep Complete, Elapsed Time: 00:07:49
12:29 PM: Starting Registry Sweep
12:30 PM: Registry Sweep Complete, Elapsed Time:00:01:37
12:30 PM: Starting Cookie Sweep
12:30 PM: Found Spy Cookie: 2o7.net cookie
12:30 PM: mom@2o7[1].txt (ID = 1957)
12:30 PM: Found Spy Cookie: 66.246.209 cookie
12:30 PM: [email protected][1].txt (ID = 1997)
12:30 PM: Found Spy Cookie: about cookie
12:30 PM: mom@about[2].txt (ID = 2037)
12:30 PM: Found Spy Cookie: specificclick.com cookie
12:30 PM: [email protected][2].txt (ID = 3400)
12:30 PM: Found Spy Cookie: apmebf cookie
12:30 PM: mom@apmebf[1].txt (ID = 2229)
12:30 PM: Found Spy Cookie: falkag cookie
12:30 PM: [email protected][2].txt (ID = 2650)
12:30 PM: Found Spy Cookie: ask cookie
12:30 PM: mom@ask[1].txt (ID = 2245)
12:30 PM: Found Spy Cookie: atwola cookie
12:30 PM: mom@atwola[1].txt (ID = 2255)
12:30 PM: Found Spy Cookie: bravenet cookie
12:30 PM: mom@bravenet[1].txt (ID = 2322)
12:30 PM: Found Spy Cookie: centrport net cookie
12:30 PM: mom@centrport[1].txt (ID = 2374)
12:30 PM: [email protected][1].txt (ID = 2038)
12:30 PM: Found Spy Cookie: ic-live cookie
12:30 PM: mom@ic-live[1].txt (ID = 2821)
12:30 PM: Found Spy Cookie: monstermarketplace cookie
12:30 PM: mom@monstermarketplace[1].txt (ID = 3006)
12:30 PM: Found Spy Cookie: nextag cookie
12:30 PM: mom@nextag[1].txt (ID = 5014)
12:30 PM: Found Spy Cookie: partypoker cookie
12:30 PM: mom@partypoker[2].txt (ID = 3111)
12:30 PM: Found Spy Cookie: statcounter cookie
12:30 PM: mom@statcounter[1].txt (ID = 3447)
12:30 PM: Found Spy Cookie: reliablestats cookie
12:30 PM: [email protected][1].txt (ID = 3254)
12:30 PM: Found Spy Cookie: toplist cookie
12:30 PM: mom@toplist[1].txt (ID = 3557)
12:30 PM: Found Spy Cookie: tribalfusion cookie
12:30 PM: mom@tribalfusion[2].txt (ID = 3589)
12:30 PM: Found Spy Cookie: winantiviruspro cookie
12:30 PM: [email protected][2].txt (ID = 3690)
12:30 PM: Found Spy Cookie: adserver cookie
12:30 PM: [email protected][1].txt (ID = 2142)
12:30 PM: Found Spy Cookie: zedo cookie
12:30 PM: mom@zedo[1].txt (ID = 3762)
12:30 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
12:30 PM: Starting File Sweep
12:33 PM: Found Adware: surfsidekick
12:33 PM: ss1001.exe (ID = 216718)
1:59 PM: Found Adware: dollarrevenue
1:59 PM: dra.exe (ID = 216564)
2:13 PM: File Sweep Complete, Elapsed Time: 01:43:03
2:14 PM: Full Sweep has completed. Elapsed time 01:39:56
2:14 PM: Traces Found: 24
2:41 PM: Removal process initiated
2:41 PM: Quarantining All Traces: surfsidekick
2:41 PM: Quarantining All Traces: dollarrevenue
2:41 PM: Quarantining All Traces: 2o7.net cookie
2:41 PM: Quarantining All Traces: 66.246.209 cookie
2:41 PM: Quarantining All Traces: about cookie
2:41 PM: Quarantining All Traces: adserver cookie
2:41 PM: Quarantining All Traces: apmebf cookie
2:41 PM: Quarantining All Traces: ask cookie
2:41 PM: Quarantining All Traces: atwola cookie
2:41 PM: Quarantining All Traces: bravenet cookie
2:41 PM: Quarantining All Traces: centrport net cookie
2:41 PM: Quarantining All Traces: falkag cookie
2:41 PM: Quarantining All Traces: ic-live cookie
2:41 PM: Quarantining All Traces: monstermarketplace cookie
2:41 PM: Quarantining All Traces: nextag cookie
2:41 PM: Quarantining All Traces: partypoker cookie
2:41 PM: Quarantining All Traces: reliablestats cookie
2:41 PM: Quarantining All Traces: specificclick.com cookie
2:41 PM: Quarantining All Traces: statcounter cookie
2:41 PM: Quarantining All Traces: toplist cookie
2:41 PM: Quarantining All Traces: tribalfusion cookie
2:41 PM: Quarantining All Traces: winantiviruspro cookie
2:41 PM: Quarantining All Traces: zedo cookie
2:42 PM: Removal process completed. Elapsed time 00:00:47
2:44 PM: IE Tracking Cookies Shield: Removed 2o7.net cookie
2:44 PM: IE Tracking Cookies Shield: Removed zedo cookie
3:06 PM: IE Tracking Cookies Shield: Removed centrport net cookie
3:18 PM: IE Tracking Cookies Shield: Removed reliablestats cookie
3:18 PM: IE Tracking Cookies Shield: Removed toplist cookie
3:20 PM: IE Tracking Cookies Shield: Removed tribalfusion cookie
3:21 PM: IE Tracking Cookies Shield: Removed tribalfusion cookie
3:21 PM: IE Tracking Cookies Shield: Removed tribalfusion cookie
3:23 PM: IE Tracking Cookies Shield: Removed tribalfusion cookie
5:09 PM: Warning: Failed to get log from SSI driver. Insufficient system resources exist to complete the requested service
5:18 PM: IE Tracking Cookies Shield: Removed overture cookie
5:18 PM: IE Tracking Cookies Shield: Removed overture cookie
7:05 PM: Warning: Failed to get log from SSI driver. Insufficient system resources exist to complete the requested service
10:21 PM: IE Tracking Cookies Shield: Removed specificclick.com cookie
11:29 PM: IE Tracking Cookies Shield: Removed tribalfusion cookie
11:29 PM: IE Tracking Cookies Shield: Removed adserver cookie
11:30 PM: IE Tracking Cookies Shield: Removed adserver cookie
11:31 PM: IE Tracking Cookies Shield: Removed zedo cookie
12:10 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:10 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:10 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:13 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:13 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:13 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:13 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:16 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:16 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:19 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:19 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:19 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:19 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:19 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:19 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:23 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:23 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:23 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:26 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:26 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:26 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:28 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:28 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:35 AM: IE Tracking Cookies Shield: Removed tribalfusion cookie
12:35 AM: IE Tracking Cookies Shield: Removed adserver cookie
12:38 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:38 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:39 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:40 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:41 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:44 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:44 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:45 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:46 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:46 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:47 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:47 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:50 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:50 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:50 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:51 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
12:53 AM: Warning: Failed to get log from SSI driver. Insufficient system resources exist to complete the requested service
12:59 AM: IE Tracking Cookies Shield: Removed 2o7.net cookie
1:18 AM: IE Tracking Cookies Shield: Removed reliablestats cookie
1:18 AM: IE Tracking Cookies Shield: Removed reliablestats cookie
1:39 AM: IE Tracking Cookies Shield: Removed reliablestats cookie
1:50 AM: IE Tracking Cookies Shield: Removed centrport net cookie
1:56 AM: Warning: Failed to check file "C:\DOCUME~1\MOM~1.MAI\LOCALS~1\TEMP\SET57.TMP". Stream read error
********
12:08 PM: | Start of Session, Wednesday, January 04, 2006 |
12:08 PM: Spy Sweeper started
12:20 PM: Updating spyware definitions
12:20 PM: Your definitions are up to date.
12:20 PM: Updating spyware definitions
12:20 PM: Your definitions are up to date.
12:21 PM: Updating spyware definitions
12:21 PM: Your definitions are up to date.
12:21 PM: | End of Session, Wednesday, January 04, 2006 |

And finally an Ewido AntiMalware log:

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:33:34 PM, 1/7/2006
+ Report-Checksum: CE54D400

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1844237615-1677128483-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@adbrite[1].txt -> Spyware.Cookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\mom@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Mom.MAINHOME\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Yazzle Sudoku\Sudoku.exe -> Dropper.VB.kk : Cleaned with backup


::Report End

My lastest Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 6:45:48 PM, on 1/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\MemoryBoost\MemoryBoost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\1127796192\ee\AOLSoftware.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HijackHJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://joemac.net/Su...CameraPage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.safehavenpc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://joemac.net/Su...CameraPage.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\System32\BhoCitUS.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127796192\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ShopSafe] C:\Program Files\ShopSafe\ShopSafe.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\KazaaLite.kpp" /SYSTRAY
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.safehavenpc.com
O16 - DPF: Blackjack by pogo - http://game1.pogo.co...k-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.co...t-ob-assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.co...o-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.co...r-ob-assets.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.co...m-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.co...s-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.co...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.co...g-ob-assets.cab
O16 - DPF: {04B6182D-FB75-11D4-90D2-0000B4948C7C} (cre8tiv 3Di ATL Control (Internet)) - http://www.quick-ste...cre8tiv3dix.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://64.143.186.13...Q/bin/WebIQ.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {78960E0E-0B0C-11D4-8997-00104BD12D94} (AV Class) - http://www1.pcpitsto...virus/PCPAV.CAB
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - https://www.lifescan...tdms/isetup.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://12.149.234.19...sCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://64.154.241.30/wg_webeye.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {DD3641E5-A9CF-11D1-9AA1-444553540000} (Surround Video V3.0 Control Object) - http://216.157.26.3/svideo3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.co...aploader_v7.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup152.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?315
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Your time is greatly appreciated.
Dawn

Edited by Dlsnj, 07 January 2006 - 06:58 PM.

[Flrman1]

When you attempt to do the online scans you have to allow the ActiveX control to install. Go back to the Kasperky scan. After you click to start it, you have to look for the yellow information bar right below the Address bar in IE. Right click there and choose "Install ActiveX".

You have to do the scans with IE. They will not work with another browser.

* Run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan

[Dlsnj]

Hi frlman1,
You dont understand, I did and do click on install activex and i answered yes when it asked me. It will not install.
Dawn

[Dlsnj]

Hi Flrman1,
I went over to pcpitstop and they let you test your ActiveX. Below are the results. When a popup came up and asked if I want to install ActiveX, I clicked yes, but it still does not work. I have gone into IE security settings and tried to change them to allow ActiveX but it does not work. Is it possible a virus changed the settings in my registry. Also I turned off all Realtime spyware and virus protection and my firewall and tried again but nothing.
Any help or suggestions is appreciated.
Dawn



Test Your ActiveX Installation
This page tests whether you have your browser properly configured to download, authenticate, install, and display ActiveX controls, and manipulate them with JavaScript.

When prompted with a certificate, please accept it. The current date and time should appear below:ActiveX is not supported

If you see the current date and time displayed above, congratulations! ActiveX and scripting are working properly. (If you see a date and time but it isn't the right time, your PC's clock is set wrong! Double-click the time in the system tray to correct it.)

If, instead of the time, you see a box with a small x in it, either:

ActiveX is not supported: Use Internet Explorer to view the site.
ActiveX is not enabled: See these instructions to enable ActiveX.
You didn't accept the certificate: You must click Yes on the security certificate to load the ActiveX control.
You are using an ad blocker, popup stopper, or firewall that blocks ActiveX: Disable these utilities to see if they are the cause.
Your system has spyware installed or a virus that interferes with ActiveX: Scan for spyware with a product like Pest Patrol or Panda, available in our store.
If you see a blank space, ActiveX is probably working properly, but not scripting. Check your security settings for scripting.

If you see the message ActiveX is not supported, then your browser doesn't recognize ActiveX at all. Netscape, Opera, or other browsers usually do not support ActiveX.

When you think you've corrected any problem you are having with this, simply refresh the page [press F5] to try again.

Edited by Dlsnj, 08 January 2006 - 09:01 AM.

[Flrman1]

Hi frlman1,
You dont understand, I did and do click on install activex and i answered yes when it asked me. It will not install.
Dawn

Are you doing this from the yellow information bar below the IE addressbar, not the big dialogue box that pops up? They are two very distinct and different things.

[Dlsnj]

Yes I am doing it from the yellow bar when it pops up, and then the square pop-up too.

[Flrman1]

Tell me exactly what settings you have for ActiveX in Internet Options > Security tab > Internet Zone > Custom Level.

Edited by Flrman1, 08 January 2006 - 01:31 PM.

[Dlsnj]

I have tried using the default which is medium and in the custom I have either enabled or prompted everything and it still wont work. ALso I just ran trojanhunter and it found this:
Trojanclicker.VB.110 and it cleaned it

Renamed file C:\WINDOWS\newfrn.exe to C:\WINDOWS\newfrn.exe.tcf
Trojan cleaning finished.

Thanks,
Dawn

Edited by Dlsnj, 08 January 2006 - 02:19 PM.

[Flrman1]

Try putting the url to the online scans in your trusted zone.

Maybe your AOL security software is blocking the ActveX.

[Dlsnj]

Hi Flrman1,
I finally figuired it out, It was left over files from norton Internet Security that did not delete through the add/remove feature. The Symantec site had fixes. Finally activeX is working. I am gonna run the Kaspersky scan and call it a night. I will post a log in the morning before work. Thanks for all your help. My computer is so much faster loading and runs faster. Talk to you tomorrow.
Thanks again,
Dawn

[Flrman1]