w?crtupd Cool Search spyware Removal Help Request [RESOLVED], w?crtupd removal on XP Home system

Post #1 - Jun 26 2005, 12:24 PM - New Member, Posts: 9, OS: XP
Folks,
I have found that I have the dreaded "w?crtupd.exe" file reappearing on my system. Based on my research, it's related to the WWW Coolsearch malware. I've run Ad-Aware, CWShredder and also HijackThis. I'm attaching the latest HijackThis log to this email. I'm running an XP Home system. Any guidance or assistance that can be given will be greatly appreciated.

Best Wishes,
ASM

Logfile of HijackThis v1.99.1
Scan saved at 2:17:28 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\MSTMON_Q.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\FSScrCtl.exe
L:\Downloads\Utilities\Hi Jack This Spyware Utility\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=us-auto.proxy.att.com:8001
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/"); (C:\Documents and Settings\ASM Consulting\Application Data\Mozilla\Profiles\default\idfkpg8w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\ASM Consulting\Application Data\Mozilla\Profiles\default\idfkpg8w.slt\prefs.js)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EAF3960F-5DE9-0467-C0DB-533021182594} - C:\WINDOWS\system32\uzgx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/125cf8bc2679a21ef319/netzip/RdxIE2.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OnVPN - Unknown owner - C:\PROGRA~1\AttMgmt\VPN\Service\Srvany.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Post #2 - Guest_thatman_* - Jun 26 2005, 12:40 PM
Hi asmconsult
Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install Ad-Aware. Check here on how to set up and use it; please make sure you update it first. Don't run it yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4: http://www.majorgeeks.com/download2471.html
Update the program, then run it.

Download the Ewido trojan and malware remover: http://www.ewido.net/en/download/
This setup contains the free as well as the plus version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used for an unlimited time. The purchased license code of the plus version can be entered at any time. Ewido will auto-update. Don't run it yet.

Use Windows Add/Remove Programs to uninstall the following:
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run an Ewido full scan. Save the scan log.

Clear out the files in the Prefetch folder. Go to Start > Run, type Prefetch into the box and delete all the files in that folder.

Please go offline, close all browsers and any open windows, making sure that only HijackThis is open. Scan and, when it finishes, put an X in the boxes only next to the following items:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {EAF3960F-5DE9-0467-C0DB-533021182594} - C:\WINDOWS\system32\uzgx.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...up1.0.0.8-2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/125cf8bc2679a21ef319/netzip/RdxIE2.cab

Click on Fix Checked when finished and exit HijackThis.

Run Ad-Aware SE and let it remove all it finds.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press OK to remove.

Please download, install and run this disk cleanup utility called Cleanup version 4.0: http://downloads.stevengould.org/cleanup/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders (a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingcomputer.com/forums/tutorial93.html
Check the custom settings to your liking under Options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, clean out the prefetch folder and the recycle bin. When the scan has finished, click the Close button. When prompted, the system will log off to let it clean out the remaining files. When the logon screen shows, log back on and continue the fix.

Please run the following free online virus scan:
http://www.pandasoftware.com/activescan/co...n_principal.htm

Please post the logs from Panda, Ewido and HJT.log. We will need them to remove previous infections that have left files on your system.

Kc
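The instructions above pick specific R3, O2, O4 and O16 lines out of the HijackThis log for fixing. The following is an added example, not code from the original post, from HijackThis or from the helper: a small parser for HijackThis log lines plus a few triage rules (unnamed browser hooks and BHOs, ActiveX downloads from a bare IP address, services with no vendor string, a configured IE proxy) run over lines copied from the log in post #1. The rule set and the Entry, parse_log and triage names are this example's own.

```python
"""Parse HijackThis-style log lines and flag entries that deserve a second look.

Added example for this thread, not code from HijackThis or from the forum
helper; the sample lines are copied from the log in post #1, the triage
rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: eight lines lifted from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=us-auto.proxy.att.com:8001
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {EAF3960F-5DE9-0467-C0DB-533021182594} - C:\WINDOWS\system32\uzgx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/125cf8bc2679a21ef319/netzip/RdxIE2.cab
O23 - Service: OnVPN - Unknown owner - C:\PROGRA~1\AttMgmt\VPN\Service\Srvany.exe
"""

# Every HijackThis entry starts with a section code such as R1, O2 or O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str          # "O2", "O16", ...
    body: str             # text after the "O2 - " prefix
    fields: list = field(default_factory=list)  # body split on " - "


def parse_log(text):
    """Return the Entry objects found in a HijackThis log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"], m["body"].split(" - ")))
    return entries


def host_of(url):
    m = re.match(r"^[a-z]+://([^/]+)", url, re.I)
    return m.group(1) if m else ""


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", host) is not None


def triage(entry):
    """Reasons an entry is worth checking; an empty list means no rule fired.

    These are prompts for a human, not verdicts: Spybot's SDHelper, for example,
    also registers as an unnamed BHO (see the log in post #5) and is harmless.
    """
    reasons = []
    sec, body = entry.section, entry.body
    if sec in ("R3", "O2", "O3") and "(no name)" in body:
        reasons.append("unnamed browser hook/BHO/toolbar: identify the DLL it loads")
    if sec == "O16" and is_ip_literal(host_of(entry.fields[-1])):
        reasons.append("ActiveX download (DPF) fetched from a bare IP address")
    if sec == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor string")
    if sec == "R1" and "ProxyServer" in body:
        reasons.append("IE proxy configured: confirm it is the expected corporate proxy")
    return reasons


def triage_log(text):
    """Map each flagged entry body to its list of reasons."""
    return {e.body: r for e in parse_log(text) if (r := triage(e))}


if __name__ == "__main__":
    for body, reasons in triage_log(SAMPLE_LOG).items():
        print(body)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, the rules flag the same MyWebSearch hook, the unnamed uzgx.dll BHO and the bare-IP O16 entry that the helper asked to have fixed, plus the proxy and the OnVPN service as items to confirm rather than remove; the Acrobat BHO and the Google DPF pass untouched.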
Post #3 - Jun 26 2005, 09:42 PM - New Member, Posts: 9, OS: XP
Thanks!
I've run Ad-Aware a few times and it finds the crt?upd.exe and removes it, but it comes back every time I use IE. I'll follow the rest of your instructions and keep you apprised. Thanks for all your help! ASM
Post #4 - Guest_thatman_* - Jun 27 2005, 04:29 AM
Hi asmconsult
That's fine, will be here for your full reply. Kc
Post #5 - Jun 27 2005, 05:54 PM - New Member, Posts: 9, OS: XP
Kc,
I think I'm finally spyware/malware free. I ran everything based on your instructions and below I'm including the log files for Ewido and HijackThis. I'll run the Panda online scan right after I post this and get the log from that also for your review. Words cannot express my gratitude for your kindness and guidance throughout this ordeal. It had gotten to the point where I couldn't even use IE anymore. Anyway, logs are below. Thanks again. ASM.

Logfile of HijackThis v1.99.1
Scan saved at 7:27:14 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\MSTMON_Q.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
L:\Downloads\Utilities\Hi Jack This Spyware Utility\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=us-auto.proxy.att.com:8001
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/"); (C:\Documents and Settings\ASM Consulting\Application Data\Mozilla\Profiles\default\idfkpg8w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\ASM Consulting\Application Data\Mozilla\Profiles\default\idfkpg8w.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OnVPN - Unknown owner - C:\PROGRA~1\AttMgmt\VPN\Service\Srvany.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ewido log is below:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:15:14 PM, 6/27/2005
+ Report-Checksum: E155EA67
+ Date of database: 6/27/2005
+ Version of scan engine: v3.0
+ Duration: 804 min
+ Scanned Files: 348350
+ Speed: 7.21 Files/Second
+ Infected files: 36
+ Removed files: 17
+ Files put in quarantine: 17
+ Files that could not be opened: 0
+ Files that could not be cleaned: 19
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items: C:\ D:\ M:\ C:\ D:\ M:\

+ Scan result:
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD/WINDOWS/Downloaded Program Files/popcaploader.dll -> Spyware.Hijacker.Generic -> Error during cleaning
C:\RECYCLER\NPROTECT\00328234.DLL -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\RECYCLER\NPROTECT\00329926.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330043.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330044.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330045.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330046.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330047.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330048.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330049.EXE -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330052.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330053.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330054.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330055.EXE -> Spyware.Wesbar -> Cleaned with backup
C:\RECYCLER\NPROTECT\00330057.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\WINDOWS\system32\uzgx.dll -> Spyware.PurityScan.ak -> Cleaned with backup
D:\Program Files\SaveNow\Uninst.exe -> Spyware.SaveNow.au -> Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Error during cleaning
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD/WINDOWS/Downloaded Program Files/popcaploader.dll -> Spyware.Hijacker.Generic -> Error during cleaning
C:\RECYCLER\NPROTECT\00328234.DLL -> Spyware.Hijacker.Generic -> Error during cleaning
C:\RECYCLER\NPROTECT\00329926.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330043.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330044.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330045.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330046.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330047.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330048.DLL -> Spyware.Wesbar -> Error during cleaning
C:\RECYCLER\NPROTECT\00330049.EXE -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330052.DLL -> Spyware.Wesbar -> Error during cleaning
C:\RECYCLER\NPROTECT\00330053.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\RECYCLER\NPROTECT\00330054.DLL -> Spyware.Wesbar -> Error during cleaning
C:\RECYCLER\NPROTECT\00330055.EXE -> Spyware.Wesbar -> Error during cleaning
C:\RECYCLER\NPROTECT\00330057.DLL -> Spyware.MyWebSearch -> Error during cleaning
C:\WINDOWS\system32\uzgx.dll -> Spyware.PurityScan.ak -> Error during cleaning
D:\Program Files\SaveNow\Uninst.exe -> Spyware.SaveNow.au -> Error during cleaning

::Report End
Post #6 - Guest_thatman_* - Jun 28 2005, 01:19 AM
Hi asm
Let's do the following:

Empty your recycle bin.
Clear out the backup file in Norton.
Use Windows Add/Remove to uninstall the following; if there is no uninstall, delete the whole folder:
D:\Program Files\SaveNow\Uninst.exe

Will need to see the Panda log.

Kc
Post #7 - Jun 28 2005, 08:10 AM - New Member, Posts: 9, OS: XP
Kc,
Below is the Panda log. I cleared out my recycle bins. I ran Panda last night. Everything that's listed is now gone; I deleted it manually. I also ran SpyBot again. Unbelievably, it found more stuff, now in my Firefox browser (now my primary browser). I re-ran Cleanup and rebooted. Anything else I should do? ASM

Incident | Status | Location
Adware:Adware/PopCapLoader | No disinfected | C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD[popcaploader.dll]
Adware:Adware/PopCapLoader | No disinfected | C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD[popcaploader.inf]
Adware:Adware/CWS.Oslogo | No disinfected | C:\WINDOWS\wplog.txt
Possible Virus. | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Documents and Settings\ASM Consulting\Local Settings\Temp\TizzleTalk.exe
Adware:Adware/BrilliantDigital | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\Microsoft AntiSpyware\Quarantine\2BE7AC06-67C0-4E7D-93D3-13E1F0\50656799-CC9A-48A0-A0C9-840368
Adware:Adware/BrilliantDigital | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\Microsoft AntiSpyware\Quarantine\2BE7AC06-67C0-4E7D-93D3-13E1F0\A4F3A186-CD1E-4D01-A22E-13D1A3
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MSN Messenger\riched20.dll
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
Adware:Adware/FunWeb | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
Adware:Adware/MyWebSearch | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
Adware:Adware/MyWebSearch | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
Adware:Adware/MyWebSearch | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
Adware:Adware/MyWebSearch | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
Adware:Adware/MyWebSearch | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
Adware:Adware/MyWebSearch | No disinfected | L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
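Nearly all of the Panda hits above sit under L:\Retrospect Duplicates, in Norton CleanSweep's backup archive or in a quarantine folder, and the Ewido report in post #5 shows the same pattern with C:\RECYCLER\NPROTECT. As an added example (not code from the thread, Ewido or Panda), the following parses both report formats, assigns each flagged path a location class and lists what is still in a live location, which is the set a clean-up has to deal with first. The sample lines are copied from the two reports (with one missing space restored); the location classes and the folder patterns behind them are this example's own assumptions drawn from those paths.

```python
"""Sort scanner detections by where the flagged file lives.

Added example for this thread, not code from Ewido, Panda or the forum helper.
The line formats follow the Ewido and Panda reports posted above; the location
classes are this example's own and the path patterns are assumptions about how
those products lay out their backup and quarantine folders.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines taken from the Ewido report in post #5.
EWIDO_SAMPLE = r"""
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Cleaned with backup
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD/WINDOWS/Downloaded Program Files/popcaploader.dll -> Spyware.Hijacker.Generic -> Error during cleaning
C:\RECYCLER\NPROTECT\00329926.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\WINDOWS\system32\uzgx.dll -> Spyware.PurityScan.ak -> Cleaned with backup
"""

# Constructed sample: rows taken from the Panda ActiveScan report in post #7.
PANDA_SAMPLE = r"""
Adware:Adware/CWS.Oslogo No disinfected C:\WINDOWS\wplog.txt
Possible Virus. No disinfected L:\Retrospect Duplicates\Backup of Local Disk ©\Documents and Settings\ASM Consulting\Local Settings\Temp\TizzleTalk.exe
Adware:Adware/BrilliantDigital No disinfected L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\Microsoft AntiSpyware\Quarantine\2BE7AC06-67C0-4E7D-93D3-13E1F0\50656799-CC9A-48A0-A0C9-840368
Adware:Adware/FunWeb No disinfected L:\Retrospect Duplicates\Backup of Local Disk ©\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
"""


@dataclass
class Detection:
    scanner: str   # "ewido" or "panda"
    path: str      # file the scanner flagged
    name: str      # detection name
    outcome: str   # what the scanner did, or could not do


def parse_ewido(text):
    """Ewido result lines read: <path> -> <detection> -> <outcome>."""
    out = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" -> ")]
        if len(parts) == 3:
            out.append(Detection("ewido", parts[0], parts[1], parts[2]))
    return out


# The incident column may contain spaces ("Possible Virus."), so match lazily
# up to the status keyword.
PANDA_ROW = re.compile(r"^(?P<incident>.+?) (?P<status>No disinfected|Disinfected) (?P<path>.+)$")


def parse_panda(text):
    """Panda rows read: <incident> <status> <location>."""
    out = []
    for line in text.splitlines():
        m = PANDA_ROW.match(line.strip())
        if m:
            out.append(Detection("panda", m["path"], m["incident"], m["status"]))
    return out


# Ordered: the first matching pattern wins. The patterns are assumptions about
# the folder layout of the products involved, drawn from the reported paths.
LOCATION_RULES = [
    ("retrospect backup duplicate", re.compile(r"^L:\\Retrospect Duplicates\\", re.I)),
    ("norton cleansweep backup", re.compile(r"\\Norton CleanSweep\\Backup\\", re.I)),
    ("norton protected recycle bin", re.compile(r"\\RECYCLER\\NPROTECT\\", re.I)),
    ("anti-spyware quarantine", re.compile(r"\\Quarantine\\", re.I)),
    ("temp folder", re.compile(r"\\Local Settings\\Temp\\", re.I)),
]


def classify_location(path):
    """'live' means the file sits where it could actually be loaded or run."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def summarize(detections):
    """Count detections per location class."""
    return Counter(classify_location(d.path) for d in detections)


def live_paths(detections):
    """Paths that are not a backup, quarantine or recycle-bin copy: fix these first."""
    return [d.path for d in detections if classify_location(d.path) == "live"]


if __name__ == "__main__":
    found = parse_ewido(EWIDO_SAMPLE) + parse_panda(PANDA_SAMPLE)
    for location, n in summarize(found).items():
        print(f"{n:3d}  {location}")
    print("live:", *live_paths(found), sep="\n  ")
```

On the sample, only riched20.dll, uzgx.dll and wplog.txt are live; everything else is a stored copy that a scanner will keep reporting until the backup, recycle bin or quarantine holding it is emptied, which is what the helper's "empty your recycle bin" and "clear out the backup file in Norton" steps in post #6 are for.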
|
|
| Guest_thatman_* |
Jun 28 2005, 08:29 AM
Post
#8
|
|
|
Hi asmconsult
I do need to see a new HJT.log.

C:\WINDOWS\wplog.txt <-- Delete this file

All the following items are backups of malware. Delete them all from your system:

C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD[popcaploader.dll]
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD[popcaploader.inf]
L:\Retrospect Duplicates\Backup of Local Disk (C)\Documents and Settings\ASM Consulting\Local Settings\Temp\TizzleTalk.exe
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\Microsoft AntiSpyware\Quarantine\2BE7AC06-67C0-4E7D-93D3-13E1F0\50656799-CC9A-48A0-A0C9-840368
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\Microsoft AntiSpyware\Quarantine\2BE7AC06-67C0-4E7D-93D3-13E1F0\A4F3A186-CD1E-4D01-A22E-13D1A3
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MSN Messenger\riched20.dll
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

Kc |
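Kc's point above, that the remaining hits are copies held by backup and quarantine products rather than live files, is worth automating when a scan report is long. The Python below is an added example, not code from this thread or from Panda: it parses report lines in Panda ActiveScan's Incident/Status/Location layout (a constructed sample built from paths quoted in this thread), labels each hit with the backup or quarantine store holding it (the store labels and folder patterns are my own), and separates out the live hits that need attention first.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in Panda ActiveScan's "Incident Status Location" layout, built from paths
# quoted in this thread. Spacing is irregular as in the forum paste: note the missing space
# before "No disinfected" on the BrilliantDigital line, which the parser must tolerate.
SAMPLE_REPORT = r"""Incident Status Location
Adware:Adware/PopCapLoader No disinfected C:\Program Files\Norton SystemWorks\Norton CleanSweep\Backup\SbCI9259.BUD[popcaploader.dll]
Adware:Adware/CWS.Oslogo No disinfected C:\WINDOWS\wplog.txt
Possible Virus. No disinfected L:\Retrospect Duplicates\Backup of Local Disk (C)\Documents and Settings\ASM Consulting\Local Settings\Temp\TizzleTalk.exe
Adware:Adware/BrilliantDigitalNo disinfected L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\Microsoft AntiSpyware\Quarantine\2BE7AC06-67C0-4E7D-93D3-13E1F0\50656799-CC9A-48A0-A0C9-840368
Adware:Adware/FunWeb No disinfected L:\Retrospect Duplicates\Backup of Local Disk (C)\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
"""

# Incident name, a status phrase, then the path; the lazy incident match finds the status even
# when the space before it was lost.
LINE_RE = re.compile(r"^(?P<incident>.+?)\s*(?P<status>No disinfected|Disinfected|Deleted)\s+(?P<location>.+?)\s*$")

# Folders holding copies kept by a backup or quarantine product rather than a live install.
# Labels are my own; the outermost container (the Retrospect duplicate) is listed first.
STORE_PATTERNS = (
    ("retrospect-duplicate", re.compile(r"^[A-Z]:\\Retrospect Duplicates\\", re.I)),
    ("cleansweep-backup", re.compile(r"\\Norton CleanSweep\\Backup\\", re.I)),
    ("antispyware-quarantine", re.compile(r"\\Microsoft AntiSpyware\\Quarantine\\", re.I)),
)

@dataclass(frozen=True)
class Detection:
    incident: str
    status: str
    location: str
    stores: tuple  # every backup/quarantine store holding this copy; empty means a live path

def classify(location: str) -> tuple:
    """Return the labels of every store whose folder pattern appears in the path."""
    return tuple(name for name, pat in STORE_PATTERNS if pat.search(location))

def parse_report(text: str) -> list:
    """Parse report lines into Detection records, skipping the header and unparsable lines."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            loc = m.group("location")
            hits.append(Detection(m.group("incident"), m.group("status"), loc, classify(loc)))
    return hits

def live_hits(hits) -> list:
    """Detections outside every store: these sit on the running system and come first."""
    return [h for h in hits if not h.stores]

def store_counts(hits) -> Counter:
    """Flagged copies per backup/quarantine store (a quarantined file inside a backup counts twice)."""
    return Counter(s for h in hits for s in h.stores)
```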
|
|
Jun 28 2005, 09:04 AM
Post
#9
|
|
|
New Member Posts: 9 OS: XP |
Hi Kc,
I've gone in and deleted all the files manually that you indicated in your email. I also deleted the "*.txt" file in the Windows directory. The "L" drive is my external Maxtor drive. I've deleted all the questionable files/directories on the "L" drive also. Below is a current HijackThis log. Thanks! Anything else?

ASM

Logfile of HijackThis v1.99.1
Scan saved at 10:58:58 AM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\WINDOWS\system32\MSTMON_Q.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\WINDOWS\FSScrCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
L:\Downloads\Utilities\Hi Jack This Spyware Utility\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=us-auto.proxy.att.com:8001
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.comcast.net/"); (C:\Documents and Settings\ASM Consulting\Application Data\Mozilla\Profiles\default\idfkpg8w.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\ASM Consulting\Application Data\Mozilla\Profiles\default\idfkpg8w.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-big.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-big.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1350WStatusDisplay] C:\WINDOWS\system32\MSTMON_Q.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://c:\windows\GoogleToolbar_en_2.0.95-big.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\nppdf32.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OnVPN - Unknown owner - C:\PROGRA~1\AttMgmt\VPN\Service\Srvany.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
|
|
| Guest_thatman_* |
Jun 28 2005, 09:10 AM
Post
#10
|
|
|
Hi asmconsult
Your HJT.log is clean. It would do no harm to run the fix again just to make sure it is all gone. How is the system running now, have you any problems? Kc |
|
|
Jun 28 2005, 10:02 AM
Post
#11
|
|
|
New Member Posts: 9 OS: XP |
Hi Kc,
System seems to be running well. The slowdowns are gone. I'll run the fix again tonight in "Safe" mode and see if anything new comes up. I'll update you if anything else shows up. Thanks for everything! ASM |
|
|
| Guest_thatman_* |
Jun 28 2005, 11:30 AM
Post
#12
|
|
|
Hi asmconsult
Thanks for that. Remember, run the fix but don't run HJT. See you later. Kc |
|
|
Jun 28 2005, 02:02 PM
Post
#13
|
|
|
New Member Posts: 9 OS: XP |
Kc,
Just to make sure we are both on the same page, when you say "run the fix", you mean:

Reboot into Safe Mode: please see here if you are not sure how to do this.
Run Ewido full scan. Save the scan.log.
Clear out the files in the Prefetch folder. Go to Start > Run > type into the box Prefetch and delete all the files in that folder.

Correct? ASM |
|
|
| Guest_thatman_* |
Jun 28 2005, 02:19 PM
Post
#14
|
|
|
Hi asmconsult
Yes, it's post 2. Wow, that was some junk, was it not. Kc |
|
|
Jun 28 2005, 02:58 PM
Post
#15
|
|
|
New Member Posts: 9 OS: XP |
Kc,
What most surprised me was the number of malware and spyware that turned up. I think because the machine in question is used by my kids, they downloaded a bunch of junk from the web and the malware got installed. ASM |
|
|
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising