MY Hijack This log

**pjsrider** · 30-03-2006

Hello guys

I have been having some random pop ups that say microsoft internet explorer in the bar at the top, and say "Cannot find `sleepy****.com` make sure path or internet address is correct". I have no idea what this website is, and have never visited it. How do i get rid of this annoying pop up? Please help. Below is a copy of my hijack this log.

Thanks
Jay

Logfile of HijackThis v1.99.1
Scan saved at 7:52:50 PM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Junie Counts\Local Settings\Temporary Internet

Files\Content.IE5\XGZ0SBUV\hijackthis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://store.presario.net/scripts/re...merfav&c=2c02&

lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://rd.yahoo.com/customize/yessen.../search/ie.htm

l
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://store.presario.net/scripts/re...merfav&c=1c02&

lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet

Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer =

http=127.0.0.1:9022
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program

Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program

Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program

Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft

Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN

Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program

Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program

Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe"

-Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program

Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe " -boot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe

/AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft

Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program

Files\Motive\FirmwareUpdater\lib\SprintModemUpdate .jar"

com.motive.firmwareUpdater.client.SprintModemUpdat e
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common

Files\AOL\1134539180\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital

Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual

assistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Update Page Content - C:\Program

Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program

Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program

Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=cons

umerfav&c=2c02&lc=0409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.co...b_site.cab?110

2303205169
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsof...site.cab?11365

60941312
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) -

http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer =

209.26.88.30,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer =

209.26.88.30,199.2.252.10
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program

Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet

Security\ISSVC.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner -

C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation -

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet

Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices,

Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\Security Center\SymWSC.exe

**Neal** · 30-03-2006

Re do hijackthis and this time maximize notepad so it is readable and not spread out like it is now.

If that still produces a hijackthis log that is broken up try this:

I need you to post a new log single spaced as it makes things easier to read:

To remove the double spacing in your log, please do the following:

Please go to Start >> Run... and type notepad.exe
Hit OK.
Now go to Format and uncheck WordWrap.
Close Notepad.
Then post a new HijackThis log.

**pjsrider** · 30-03-2006

Sorry about that. Here is the fixed one. It still looks broken up to me. When i maximize note pad some of the lines still go past the edge.. what do i do to fix this so you can read it. I took of word wrap.

Thanks for the quick action.

Jay

Logfile of HijackThis v1.99.1
Scan saved at 10:15:54 PM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1134539180\ee\aim6.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Junie Counts\Local Settings\Temporary Internet Files\Content.IE5\G9ARWH6N\hijackthis[1].exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/re...c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessen...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/re...c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:9022
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe " -boot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate .jar" com.motive.firmwareUpdater.client.SprintModemUpdat e
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102303205169
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136560941312
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer = 209.26.88.30,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer = 209.26.88.30,199.2.252.10
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

**Neal** · 30-03-2006

Welcome to DAL,

Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have avaiable backups in case you fix the wrong thing or I make a mistake. Very important.

Go into add/remove program and remove:(IF FOUND)

Wild Tangent
viewpoint manager and any related to viewpoint

Reboot if anything was removed

Go here to learn how to show hidden files/folders:

http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5

Download Clean.bat to your desktop(Save page as or Save as): for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat

Run hijackthis and click on scan button and put checks next to these:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: YBIOCtrl Class - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [Windows Compliant] winole.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [Windows Compliant] winole.exe
O4 - HKCU\..\Run: [Windows Compliant] winole.exe

make sure all browser windows are closed and click FIX

Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.

Hunt for and delete if present:

C:\Program Files\WildTangent < folder
winole.exe
C:\Program Files\Viewpoint <folder

Now run that clean batch file you created earlier, type in 'Y' a couple of times and press enter each time you type in "Y" until black box disappears.

Then:

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
Temporary Internet Files
Downloaded Program Files
Recycle Bin
Temporary Files
Click OK or Enter

Reboot

Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start

Then go to the link below and get spybot and adaware and set up per instructions and run the scans and reboot between scans.

http://www.d-a-l.com/help/showthread.php?t=32403

After the above please post a new hijackthis log.

Thanks.

**pjsrider** · 02-04-2006

Thanks for the help. The R3 url searchhook wont go away. I am still having the annoying pop ups. Could the url searchhook be causing this? Do i need to run the hijack this program while in safe mode? Here is a copy of my hijack this log done about 2 mins ago.

Thanks again
Jay

Logfile of HijackThis v1.99.1
Scan saved at 9:43:53 PM, on 4/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\Messenger\msmsgs.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/re...c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessen...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/re...c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:9022
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe " -boot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate .jar" com.motive.firmwareUpdater.client.SprintModemUpdat e
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102303205169
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136560941312
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer = 209.26.88.30,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer = 209.26.88.30,199.2.252.10
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

**Neal** · 02-04-2006

I wouldn't worry to much about the 02 there is no file attached just junk.

We need to do some scans now and see what turns up.

Run the Ewido scan first please

Please download, install, and update the NEW free version of Ewido trojan scanner:
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful")
[*]Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
[*]If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
[*]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Post the log Ewido makes back here please.

Then...

http://www.kaspersky.com/virusscanner

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
o Scan Options:
- Scan Archives
- Scan Mail Bases
* Click OK
*Now under select a target to scan:
o Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.

**pjsrider** · 02-04-2006

Here is the ewido scan.. these are what was removed i believe.

Thanks
Jay

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:16:03 AM, 4/2/2006
+ Report-Checksum: EB989A6F

+ Scan result:

C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\jrc2006@earthlink.net\Cookies\j unie counts@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\jrc2006@earthlink.net\Cookies\j unie counts@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\jrc2006@earthlink.net\Cookies\j unie counts@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\jrc2006@earthlink.net\Cookies\j unie counts@paycounter[1].txt -> TrackingCookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\jrc2006@earthlink.net\Cookies\j unie counts@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wflowpczkap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjk4elajghp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjkoqkdjacp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjkycndjofq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjkyejazecp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjlychazscp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjlyeld5kbo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjnycldpieo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@e-2dj6wjnyoldjklo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@hswmedia.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\Junie Counts\Application Data\Earthlink\6.0\pjscrfihnut@earthlink.net\Cooki es\junie counts@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@e-2dj6wgkywid5odp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@vip.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Junie Counts\Cookies\junie counts@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\system32\xmtizaxf.fwn -> Hijacker.Small.js : Cleaned with backup

::Report End

**pjsrider** · 02-04-2006

Here is the kaspersky report.

Thanks
Jay

KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 02, 2006 12

42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 2/04/2006
Kaspersky Anti-Virus database records: 185616

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 64615
Number of viruses found 1
Number of infected objects 1
Number of suspicious objects 0
Duration of the scan process 01:34:34

Infected Object Name Virus Name Last Action
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.ag skipped

Scan process completed.

**Neal** · 02-04-2006

Hi,

Let's see if we can get this next:

C:\WINDOWS\system32\o...

Get the stinger here:
http://vil.nai.com/vil/stinger/

Stinger should get that file above, let me know what Stinger finds and deletes please.

Then...

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main check all boxes EXCEPT COOKIES
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and check everything EXCEPT FIREFOX COOKIES AND FIREFOX SAVED PASSWORDS
Click the Empty Selected button.

If you use Opera browser

Click Opera at the top and check everything EXCEPT COOKIES AND SAVED PASSWORDS
Click the Empty Selected button.

Click Exit on the Main menu to close the program.

=================================================

Give me a new hijackthis log and feed back on Stinger and how your computer is behaving now. Thanks.

**pjsrider** · 03-04-2006

Hello, I saw nothing when i ran the stinger program...At least it did not say it deleted anything. I ran the other program and deleted everything. I followed the directions on the web site, not yours and i deleted the cookies.. which you said not to.. will this mess anything up? I am posting a new hijack this log as well. I had the pop ups apear just a few mins ago. they come in pairs and only happen about once a day. Should i hit print screen when they appear and then paste them into paint, so that you can see what i am talking about? If so please tell me how to do this so that you can see what you need to see.

Thanks for all the help

Jay

Logfile of HijackThis v1.99.1
Scan saved at 9:27:24 PM, on 4/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\PROMon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\VSTASCAN\vsaccess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Sprint DSL virtual assistant\bin\mpbtn.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/re...c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessen...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/re...c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = http=127.0.0.1:9022
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe " -boot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~2\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate .jar" com.motive.firmwareUpdater.client.SprintModemUpdat e
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SPRINT~1\SMARTB~1\SprintDSLAlert.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134539180\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: UMAX VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Sprint virtual assistant.lnk = C:\Program Files\Sprint DSL virtual assistant\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Update Page Content - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\refreshpage.htm
O8 - Extra context menu item: View All Originals On Page - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102303205169
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136560941312
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer = 209.26.88.30,199.2.252.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{144FF754-8348-4ED2-8FCB-01DFA3169438}: NameServer = 209.26.88.30,199.2.252.10
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

MY Hijack This log

MY Hijack This log

Similar Threads

Browser Hijack - Localhost Hijack

about:blank hijack - Hijack this log