[CanadianWinter]

I am so sorry if you have to sort through all that. I didn't think it would be so much. Sorry.

[Advertisements]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {331C41B0-C2C2-463E-A0CE-3808E45BCBCA} - blank (file missing)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide file extensions for known types option.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Click Start -> Run
Paste in this command and press enter:

regsvr32 /u occache.dll

Step #3

Reboot Your System in Safe Mode:

• Restart the computer.
• As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
• Use the arrow keys to select the Safe Mode menu item.
• Press the Enter key.

Step #4

Find and delete these files and folders (if they are still there):
c:\windows\system32\f3PSSavr.scr
c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
c:\windows\GatorFDDLI.log


Reboot your computer normally.

Step #5

Go to Start -> Run
Paste in this command:

regsvr32 occache.dll

Step #6

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards:

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Step #7

Please open your email client (Outlook).
Go to your Deleted Items and delete following mails:

21 May 2003 12:57 from [email protected]:Your details/application.pif
21 May 2003 12:45 from [email protected]:Re: My details/ref-394755.pif

Then reboot your computer.

Step #8

Download CCleaner and install it.

Start Ccleaner. click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right).

Step #9

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

• Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check "Turn off System Restore".
  • Click Apply, and then click OK.
• Reboot your computer.
  
  
• Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check "Turn off System Restore".
  • Click Apply, and then click OK.

Then reboot your system.

Step #10

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

[didom]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {331C41B0-C2C2-463E-A0CE-3808E45BCBCA} - blank (file missing)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide file extensions for known types option.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Click Start -> Run
Paste in this command and press enter:

regsvr32 /u occache.dll

Step #3

Reboot Your System in Safe Mode:

• Restart the computer.
• As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
• Use the arrow keys to select the Safe Mode menu item.
• Press the Enter key.

Step #4

Find and delete these files and folders (if they are still there):
c:\windows\system32\f3PSSavr.scr
c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
c:\windows\GatorFDDLI.log


Reboot your computer normally.

Step #5

Go to Start -> Run
Paste in this command:

regsvr32 occache.dll

Step #6

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-hkey_classes_root\clsid\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards:

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Step #7

Please open your email client (Outlook).
Go to your Deleted Items and delete following mails:

21 May 2003 12:57 from [email protected]:Your details/application.pif
21 May 2003 12:45 from [email protected]:Re: My details/ref-394755.pif

Then reboot your computer.

Step #8

Download CCleaner and install it.

Start Ccleaner. click "Options", click the "Advanced" tab
Uncheck: "Only delete files older than 48 hrs.", click Ok
Click "Cleaner" and click Run Cleaner (bottom right).

Step #9

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

• Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check "Turn off System Restore".
  • Click Apply, and then click OK.
• Reboot your computer.
  
  
• Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check "Turn off System Restore".
  • Click Apply, and then click OK.

Then reboot your system.

Step #10

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

[CanadianWinter]

Ok, for the HJT, there is no R3. Everything else is there though.

[didom]

Please fix the rest

[CanadianWinter]

It shall be done.

[CanadianWinter]

Alright dude, I did all the steps up until step 7. For step 7 I will wait for my dad to come home because on my file I do not have those emails you are speaking of, but my dad probably will, because he is the one who used to use outlook.

[CanadianWinter]

Alright, those two emails you posted neither of us had. I won't continue following the steps until you say it's ok. (I don't wanna mess anything up).

[didom]

See if you can find these files then:

C:\Documents and Settings\Darlene\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/21 May 2003 12:57 from [email protected]:Your details/application.pif
C:\Documents and Settings\Darlene\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/21 May 2003 12:45 from [email protected]:Re: My details/ref-394755.pif

If so, delete them.

Then continue.

[CanadianWinter]

Alright I found them, thanks.

[CanadianWinter]

Um dude, I'm looking at this CCleaner log and it kinda deleted my documents which I needed for school, is there any way to get them back?

[CanadianWinter]

Oh nevermind, they aren't deleted. Phew. I noticed that in the CClean report, the documents ended with LNK. Can you please explain what LNK is? I was just curious, that's all. I will complete the rest of the steps you gave me.

[CanadianWinter]

Ok here is the Panda Activescan


Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_local_machine\software\microsoft\office\word\addins\MyWebSearch.OutlookAddin
Spyware:spyware/bridge Not disinfected Windows Registry
Adware:adware/azesearch Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Darlene\Cookies\darlene@2o7[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Darlene\Cookies\darlene@atdmt[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Darlene\Cookies\darlene@azjmp[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Darlene\Cookies\darlene@did-it[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Darlene\Cookies\darlene@doubleclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Darlene\Cookies\darlene@mediaplex[1].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Darlene\Local Settings\Temporary Internet Files\Content.IE5\C7BFIW5L\channels_02[1].gif
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Darlene\Local Settings\Temporary Internet Files\Content.IE5\ZNP771OW\mywebsearch_default_hplogo2[1].gif
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Eric\Cookies\eric@2o7[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Eric\Cookies\eric@doubleclick[1].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Eric\Desktop\HJT\backups\backup-20070221-214037-553.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Documents and Settings\Eric\Desktop\HJT\backups\backup-20070221-214037-845.dll
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Eric\Desktop\HJT\backups\backup-20070222-175900-823-PowerReg Scheduler.exe
Potentially unwanted tool:Application/PocketKillBox Not disinfected C:\Documents and Settings\Eric\Desktop\KillBox.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Jake\Cookies\jake@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][3].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Jake\Cookies\jake@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jake\Cookies\jake@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Jake\Cookies\jake@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Jake\Cookies\jake@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Jake\Cookies\jake@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Jake\Cookies\jake@atwola[1].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Jake\Cookies\jake@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jake\Cookies\jake@belnk[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@casalemedia[2].txt
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@centralmedia[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Jake\Cookies\jake@cgi-bin[3].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Jake\Cookies\jake@cgi-bin[4].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jake\Cookies\jake@com[1].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@delfinproject[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Jake\Cookies\jake@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Jake\Cookies\jake@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Jake\Cookies\jake@fastclick[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Jake\Cookies\jake@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Jake\Cookies\jake@hitbox[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Jake\Cookies\jake@kount[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Jake\Cookies\jake@mediaplex[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Jake\Cookies\jake@rightmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Jake\Cookies\jake@serving-sys[2].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected C:\Documents and Settings\Jake\Cookies\jake@smni[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Jake\Cookies\jake@targetnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Jake\Cookies\jake@tribalfusion[1].txt
Spyware:Cookie/seeqA Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Jake\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jake\Cookies\jake@xiti[1].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Jake\Local Settings\Temporary Internet Files\Content.IE5\GH6F4X2J\channels_02[1].gif
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@atwola[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@cgi-bin[1].txt
Spyware:Cookie/DelfinMedia Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@delfinproject[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Kirsten\Cookies\[email protected][2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@doubleclick[1].txt
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@go[1].txt
Spyware:Cookie/SpywareStormer Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@spywarestormer[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Kirsten\Cookies\kirsten@winantivirus[1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Kirsten\Cookies\[email protected][1].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Kirsten\Local Settings\Temporary Internet Files\Content.IE5\9V73P54E\mywebsearch_default_hplogo2[1].gif
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Kirsten\Local Settings\Temporary Internet Files\Content.IE5\BVV8LDER\channels_02[1].gif
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@888[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][2].txt
Spyware:Cookie/Gorillanation Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@belnk[2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][2].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@ccbill[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@cdfreaks[2].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@cgi-bin[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@cgi-bin[3].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@com[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@drivecleaner[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@gostats[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@hitbox[2].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@kount[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@rn11[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][2].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@systemdoctor[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@target[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@tribalfusion[2].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@tucows[2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@winantivirus[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Systemdoctor Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Rodger\Cookies\[email protected][1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Rodger\Cookies\rodger@xiti[1].txt
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2C.tmp\MARSHAL2.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3CJPEG.DLL
Potentially unwanted tool:Application/FunWeb Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3DTACTL.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3HISTSW.DLL
Potentially unwanted tool:Application/FunWeb Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3HTMLMU.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3HTTPCT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3POPSWT.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3PSSAVR.SCR
Potentially unwanted tool:Application/FunWeb Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3REPROX.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3RESTUB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3SCHMON.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3SCRCTR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\F3WPHOOK.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3FFXTBR.JAR[contents.rdf]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3FFXTBR.JAR[menu.xul]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3FFXTBR.JAR[toolbarembed.html]
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3HTML.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3IDLE.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3OUTLCN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3PLUGIN.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3SKIN.DLL
Adware:Adware/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\M3SKPLAY.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\MWSOEMON.EXE
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\MWSOEPLG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\MWSOESTB.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\3.bin\NPMYWEBS.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\Game\CHECKERS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\Game\CHESS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\bar\Game\REVERSI.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\SrchAstt\1.bin\UNINSTAL.INF
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\RECYCLER\S-1-5-21-3866618421-3375310717-1531342322-500\Dc4\SrchAstt\2.bin\MWSSRCAS.DLL

[CanadianWinter]

And the HijackThis report.

Logfile of HijackThis v1.99.1
Scan saved at 2:42:36 PM, on 3/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\PROGRA~1\Yahoo!\YOP\secstat.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\program files\valve\steam\steam.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Eric\Desktop\HJT\Analyse.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.client.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.client...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...r/fix_homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = NEWSERVER:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {331C41B0-C2C2-463E-A0CE-3808E45BCBCA} - blank (file missing)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Yahoo!\NAV\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ResChangerXP] C:\Program Files\ResChanger XP\ResChangerXP.exe
O4 - HKLM\..\Run: [mswspl] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P30 "EPSON Stylus Photo R340 Series" /O6 "USB002" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Neverwinter Nights_ Platinum Edition Registration.lnk = C:\NeverwinterNights\NWN\ereg\ATR1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Spam Sleuth.lnk = G:\Program Files\Blue Squirrel\Spam Sleuth\SpamSleuth.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\nphcd32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.mdg.ca
O16 - DPF: Yahoo! Bridge - http://download.game...nts/y/bt1_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qps.peel.edu.on.ca/qp2.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.3.0.97.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1172001848234
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {94B6A838-7EA3-4C3C-B768-D260DDD685B6} (GetFQDN.ctlTrace) - http://www.rogershel...ork/getfqdn.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...1.10/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...0/Installer.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.popcap.co...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...410/mcfscan.cab
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Maya 6 PLE Documentation Server (mple6docserver) - Unknown owner - C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya 6.0 Personal Learning Edition\docs\Wrapper.conf (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

[didom]

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

We need to make sure all hidden files are showing so please:

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide file extensions for known types option.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Click Start -> Run
Paste in this command and press enter:

regsvr32 /u occache.dll

Step #3

Reboot Your System in Safe Mode:

• Restart the computer.
• As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
• Use the arrow keys to select the Safe Mode menu item.
• Press the Enter key.

Step #4

Find and delete these files and folders (if they are still there):
C:\Documents and Settings\Jake\Cookies <= content of this folder
C:\RECYCLER <= content of this folder
c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf <= this file


Reboot your computer normally.

Step #5

Go to Start -> Run
Paste in this command:

regsvr32 occache.dll

Step #6

Please run Notepad and paste the following text into a new file:

REGEDIT4

[-hkey_local_machine\software\microsoft\office\word\addins\MyWebSearch.OutlookAddin]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
This is how the reg file must look afterwards:

Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Step #7

Make a new ComboScan log and post it along with a HijackThis log.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

[CanadianWinter]

Just checking, when you say "content of this folder" does that mean absolutly everything in the folder? Like can I just delete the whole folder?