HJT Log: Winfixer and other problems (RESOLVED)

  1. 02-02-2006  #1
    Keelhaul
    Keelhaul is offline Newbie

    HJT Log: Winfixer and other problems (RESOLVED)

    Hi-

    Having some problems with Winfixer and other random pop-ups. I'm not quite sure how this happened as I scan my comp w/ Spybot S&D, Ad-Aware, and AVG pretty often but oh well...

    Google toolbar is also in my program files but I never installed it and it won't uninstall.

    Please help? Here's the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:46:24 PM, on 2/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 9.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\RAMASST.exe
    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

    http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

    http://toshibadirect.com/
    N2 - Netscape 6: user_pref("browser.startup.homepage",

    "http://www.libraries.rutgers.edu"); (C:\Documents and

    Settings\Dana\Application

    Data\Mozilla\Profiles\default\qho4iejj.slt\prefs.j s)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%

    5CProgram%20Files%5CNetscape%5CNetscape%206%5Csear chplugins%5CSBWeb_01.src");

    (C:\Documents and Settings\Dana\Application

    Data\Mozilla\Profiles\default\qho4iejj.slt\prefs.j s)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

    C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} -

    C:\WINDOWS\system32\fccde.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-

    0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1

    \SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -

    C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

    files\google\googletoolbar2.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97

    Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and

    Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming

    Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program

    Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program

    Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP

    Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32

    \spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital

    Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -

    atboottime
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

    Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk =

    C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

    Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O8 - Extra context menu item: &Google Search - res://c:\program

    files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program

    files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

    files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1

    \MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program

    files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program

    files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-

    00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

    C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

    C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

    C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

    00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet

    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader

    Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

    (MsnMessengerSetupDownloadControl Class) -

    http://messenger.msn.com/download/Ms...Downloader.cab
    O20 - Winlogon Notify: fccde - C:\WINDOWS\system32\fccde.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program

    Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. -

    C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

    Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32

    \IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner -

    C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

    Files\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation

    - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies,

    Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner -

    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    Last edited by Keelhaul; 02-02-2006 at 08:57 PM. Reason: typo fix

  3. 02-02-2006  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    Download VirtumundoBeGone from:
    http://secured2k.home.comcast.net/to...undoBeGone.exe

    * Save it to your Desktop
    * Close all running programs (including your Internet Browser)
    * Double-click VirtumundoBeGone.exe on the desktop
    * Follow the directions as indicated

    Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

    Just reboot if your system "jams"
    *********************

    Report back the results determined:

    VirtumundoBeGone generated a "log" file of its own, which it should have placed on your Desktop... please REPLY to this topic, and copy/paste the VirtumundoBeGone log back here, along with your latest HJT log.
  4. 03-02-2006  #3
    Keelhaul
    Keelhaul is offline Newbie
    Here's the VBG log:


    [02/02/2006, 21:25:56] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Dana\Desktop\VirtumundoBeGone.exe" )
    [02/02/2006, 21:26:01] - Detected System Information:
    [02/02/2006, 21:26:01] - Windows Version: 5.1.2600, Service Pack 2
    [02/02/2006, 21:26:01] - Current Username: Dana (Admin)
    [02/02/2006, 21:26:01] - Windows is in NORMAL mode.
    [02/02/2006, 21:26:01] - Searching for Browser Helper Objects:
    [02/02/2006, 21:26:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [02/02/2006, 21:26:01] - BHO 2: {2353FCBC-012D-487B-8BF3-865C0929FBEB} (ATLDistrib Object)
    [02/02/2006, 21:26:01] - ALERT: Found ATLDistrib Object!
    [02/02/2006, 21:26:01] - BHO 3: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
    [02/02/2006, 21:26:01] - BHO 4: {53707962-6F74-2D53-2644-206D7942484F} ()
    [02/02/2006, 21:26:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/02/2006, 21:26:01] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [02/02/2006, 21:26:01] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [02/02/2006, 21:26:01] - BHO 5: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    [02/02/2006, 21:26:01] - Finished Searching Browser Helper Objects
    [02/02/2006, 21:26:01] - *** Detected ATLDistrib Object
    [02/02/2006, 21:26:01] - Trying to remove ATLDistrib Object...
    [02/02/2006, 21:26:02] - Terminating Process: IEXPLORE.EXE
    [02/02/2006, 21:26:03] - Terminating Process: RUNDLL32.EXE
    [02/02/2006, 21:26:03] - Disabling Automatic Shell Restart
    [02/02/2006, 21:26:03] - Terminating Process: EXPLORER.EXE
    [02/02/2006, 21:26:03] - Suspending the NT Session Manager System Service
    [02/02/2006, 21:26:03] - Terminating Windows NT Logon/Logoff Manager
    [02/02/2006, 21:26:03] - Re-enabling Automatic Shell Restart
    [02/02/2006, 21:26:03] - File to disable: C:\WINDOWS\system32\fccde.dll
    [02/02/2006, 21:26:03] - Renaming C:\WINDOWS\system32\fccde.dll -> C:\WINDOWS\system32\fccde.dll.vir
    [02/02/2006, 21:26:04] - File successfully renamed!
    [02/02/2006, 21:26:04] - Removing HKLM\...\Browser Helper Objects\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
    [02/02/2006, 21:26:04] - Removing HKCR\CLSID\{2353FCBC-012D-487B-8BF3-865C0929FBEB}
    [02/02/2006, 21:26:04] - Adding Kill Bit for ActiveX for GUID: {2353FCBC-012D-487B-8BF3-865C0929FBEB}
    [02/02/2006, 21:26:04] - Deleting ATLEvents/MSEvents Registry entries
    [02/02/2006, 21:26:04] - Removing HKLM\...\Winlogon\Notify\fccde
    [02/02/2006, 21:26:04] - Searching for Browser Helper Objects:
    [02/02/2006, 21:26:04] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [02/02/2006, 21:26:04] - BHO 2: {4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuardDLBLOCK.CBrowserHelper)
    [02/02/2006, 21:26:04] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} ()
    [02/02/2006, 21:26:04] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [02/02/2006, 21:26:04] - Checking for HKLM\...\Winlogon\Notify\SDHelper
    [02/02/2006, 21:26:04] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
    [02/02/2006, 21:26:04] - BHO 4: {5CA3D70E-1895-11CF-8E15-001234567890} (DriveLetterAccess)
    [02/02/2006, 21:26:04] - Finished Searching Browser Helper Objects
    [02/02/2006, 21:26:04] - Finishing up...
    [02/02/2006, 21:26:04] - A restart is needed.
    [02/02/2006, 21:26:11] - Attempting to Restart via STOP error (Blue Screen!)



    Here's the HJT log:


    Logfile of HijackThis v1.99.1
    Scan saved at 9:31:56 PM, on 2/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\toshiba\ivp\ism\pinger.exe
    C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 9.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
    N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.libraries.rutgers.edu"); (C:\Documents and Settings\Dana\Application Data\Mozilla\Profiles\default\qho4iejj.slt\prefs.j s)
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5 Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Dana\Application Data\Mozilla\Profiles\default\qho4iejj.slt\prefs.j s)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
    O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
    O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
    O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
    O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 9.exe
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\System32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    Last edited by Keelhaul; 03-02-2006 at 03:32 AM. Reason: adding HJT log
  5. 03-02-2006  #4
    VopThis
    VopThis is offline Senior Member (Canada)
    Lets run the following scans in case something else is lying around:

    Please download, install, update and scan your system with the free (trial) version of Ewido trojan scanner:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.


    REBOOT.


    Place a shortcut to Panda ActiveScan on your desktop.


    Run the Panda ActiveScan shortcut.
    - Once you are on the Panda site click the Scan your PC button
    - A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send
    - Select either Home User or Company
    - Click the big Scan Now button
    - If it wants to install an ActiveX component allow it
    - It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    - When download is complete, click on Local Disks to start the scan
    - When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.


    Post a Panda log back here, if anything is reported.



    How is your PC now behaving?
  6. 07-02-2006  #5
    Keelhaul
    Keelhaul is offline Newbie
    Sorry it took so long to reply. I'm not getting anymore popups

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 2:45:31 PM, 2/3/2006
    + Report-Checksum: 646FCCEB

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Dana\Application Data\Mozilla\Profiles\default\qho4iejj.slt\cookies .txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\Dana\Application Data\Mozilla\Profiles\default\qho4iejj.slt\cookies .txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\Dana\Application Data\Mozilla\Profiles\default\qho4iejj.slt\cookies .txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\Dana\Application Data\Mozilla\Profiles\default\qho4iejj.slt\cookies .txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@1shz2prbmdj6wvny-1sez2pra2dj6wjny-1kdzghqq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@a-1shz2prbmdj6wvny-1sez2pra2dj6wjnychczmaqq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@addcontrol[1].txt -> Spyware.Cookie.Addcontrol : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@data4.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wfkicndpiho.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    -> : Error during cleaning
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wfkoeoczkbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wfkywlajwco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wfliqjcpcgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjk4qmajaao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkoqidzsfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkosgcpwdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkoumazgeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkycmdzmap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkyemajmho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkyqlc5weq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjkyqndpwco.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjliknczgap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjliqodpkkp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjliugdjwbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjlocjczieo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjlosodzalo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjlyomazcfq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjmicjd5oho.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjmyaic5ekp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjmyqnajefp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjny-1idpek.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjny-1lcjwk.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjnycmcjibq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjnycodpscp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@e-2dj6wjnywkd5mco.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@ehealthcaresolutions.12 2.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@entrepreneur.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@finishline.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@highbeam.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@jcrew.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@msnportal.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@saksfifthavenue.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@tribuneinteractive.122. 2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@usnews.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4gnd5oepaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkykgczigqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyohazigqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wflikmajshpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4cjdzedoaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkogicjcapwmdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4klcpkhpgwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloqnczmbpqwdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmiwkcpmlpaydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmyaic5kfpgudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyahdzkhqqsdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyaoajclowsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycoazkhowidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygmdpclpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyoldjolpasdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyomdpgfogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyukd5ecogudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyupajadoqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Dana\Cookies\dana@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Dana\Local Settings\Temporary Internet Files\Content.IE5\8XMNCDE3\mm[1].js -> Spyware.Chitika : Cleaned with backup
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
    C:\WINDOWS\system32\yayxx.dll -> Adware.Virtumonde : Cleaned with backup


    ::Report End


    Panda Scan report:

    Incident Status Location
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dana\Local Settings\Temp\nsb23.tmp
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dana\Local Settings\Temp\nsd46.tmp
  7. 07-02-2006  #6
    VopThis
    VopThis is offline Senior Member (Canada)
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dana\Local Settings\Temp\nsb23.tmp
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Dana\Local Settings\Temp\nsd46.tmp
    Temp files are generally unwelcome garbage or worse. I automatically remove such content on a regular periodic basis.



    Download and run the freeware system optimization and privacy tool:
    CCleaner (Crap Cleaner)
    http://www.ccleaner.com/ccdownload.asp

    It removes unnecessary junk from your computer allowing it to run more efficiently and securely.

    You may get more optimal cleaning if you run it in SAFEMODE – while rebooting and at the beep keep tapping the F8 key.


    Once installed, you will notice an Online Help link at the bottom left. An Updates checking link is provided at the bottom right. When first run in its DEFAULT opening setup – Cleaner Settings (Windows TAB is selected) :
    • Uncheck ‘Cookies’ option (advisable)
    • Click the ‘Analyse’ button.
    • Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.




    To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.



    ONLY ONCE you are as clean as possible from any needed cleanup steps - As a final cleanup step (after serious infection), it may be advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

    PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.


    (Windows XP)
    c:\System Volume Information\_restore….
    To Turn OFF System Restore.
    1. Click the Start button.
    2. Right-click My Computer, and then click Properties.
    3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
    4. Click Apply.

    REBOOT.

    To Turn ON System Restore.
    1. Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
    2. Create new System Restore points.


    (Windows ME)
    c:\_RESTORE\TEMP\….
    See the following link for instructions:
    http://service1.symantec.com/SUPPORT...rc=sec_doc_nam




    To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:
    1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
      http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
      http://www.microsoft.com/windows/ie/default.asp
      • http://www.securityfocus.com/news/11273
        If you surf to questionable (blockable) parts of the Web, you could encounter sites that compromise your PC without any user interaction. In experiments [reported Aug 2005], Microsoft identified 752 specific addresses owned by 287 Web sites that contain programs able to install themselves on a completely unpatched Windows XP system. Also, be aware that the WinXP Service Pack 2 was an update that focused almost exclusively on security. Also reported was that a fully patched Windows XP SP2 system cannot be compromised by any such discovered rogue Web sites.

    2. Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using a real-time AV tool only one at a time), there are some good free Antivirus programs that are decent, including AVG and Avast!.
      AVG: http://free.grisoft.com/doc/1
      Avast: http://www.avast.com/eng/avast_4_home.html

    3. In addition to using Ad-aware, consider using another free malware scanning/removal program :
      Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
      Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
      MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx

    4. Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
      Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
      *** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
      Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

      It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.

    5. Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
      Mozilla Firefox: http://www.mozilla.org/products/firefox/

    6. Consider increasing your browser security by using these programs:
      SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
      SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
    7. A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
      • Run the HiJackThis tool and select ‘Open the Misc Tools section’.
      • Next select ‘Open host file manager’ button.
      • Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
      • Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.

        EXCERPT:
        #start of lines added by WinHelp2002
        # [Misc A - Z]
        127.0.0.1 phpadsnew.abac.com
        127.0.0.1 a.abnad.net
        127.0.0.1 e.abnad.net
        127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
        .
        .
        .
        #end of lines added by WinHelp2002




    *Remember just like your primary anti-virus software, it is important to:
    • Keep all of these programs up-to-date, and
    • Use them on a regular basis.
    Last edited by VopThis; 10-02-2006 at 10:19 AM. Reason: typo
  8. 10-02-2006  #7
    Keelhaul
    Keelhaul is offline Newbie
    Save 20% on AVG Internet Security 2012 Suite!
    Followed all your advice and everything has been running smoothly. Thank you so much
+ Reply to Thread
« "Your computer is infected!" Tray Icon Message | Spyware has frozen my Desktop - please help! (RESOLVED) »