cajun

Members
  • Content Count

    30
  • Joined

  • Last visited

Community Reputation

0 Neutral

About cajun

  • Rank
    Advanced Member
  1. I don't see an option to remove my post or replies. The issue is getting resolved at the link I inserted above. Admins disregard or delete this if you like, thanks,
  2. Oops, perhaps I should have posted this in the general problem forum? Let me know if I should move it over there. Thanks...
  3. Been awhile since I have had to drop in for some help here , learned my lessons ....for my fiance and her laptop though she likely downloaded a nifty new trojan in a 'windows needs a media codec update' file download; the codec install was not run but seems the likely cause of a/the rootkit. She has been over on the PCpitsop forum ( Cannot log onto Windows Vista, stop error and page fault) and has run out of luck...or responses for help anyway; Combofix has been the end-all fix suggestion over at the pit, but Combofix will not run or install properly from the desktop or from the command prompt or with the 'run' function. I did not try running Combofix under a different .exe name. Also, she is unable to log into windows Vista normally, so all of this work has been, and will likely have to be, done in safe mode (with networking); I am on her laptop and will continue to work on the problem from her laptop unless I should access the internet from another computer (no networking of computers in the house, just a wifi router with individual IP's so the problem seems contained to just her laptop) I am going to run and post a new HJT log (renaming HJT.exe and its file directory, to avoid counter malware). *Please visit the link above to see the work and scans done so far on the other forum; it was determined by GMER that there is a rootkit present. Also, the error Combofix gives is typed out verbatim on the other forum. If you would like me to copy anything over here to this forum just let me know, I figured for now I will keep it as clean and tidy as I can to get a clean start here for now. new HJT log (9-24-09): Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:48, on 2009-02-24 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Safe mode with network support Running processes: C:\Windows\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\jacked\jacktis\jacked.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=NET_mmhpset R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [iAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Users\Lorelei\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - https://h20364.www2.hp.com/CSMWeb/Customer/...DataManager.CAB O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- End of file - 8220 bytes
  4. Thanks Jane!! I plan to get a solid program with a resident shield and I'll do all I can on the rest of your instructions; very tru about end-user agreements. I am a little guilty there, though I do read them from time to time, I will practice that more. Thanks again and hopefully you wont see to much of me in the future Cajun
  5. This mess has been resolved with my old post. Thanks Jane and Administrators, please delete this post if you'd like. Anybody needing help regarding this matter (it's probably bigger than pop up issues), you can look in on my topic at: http://www.lavasoftsupport.com/index.php?showtopic=5014 Good Luck!
  6. Ok, here be the logs. Cid Help was in fact installed (probably due to the NetPumper mistake a while ago; bad advice from a friend. I know better to listen to my intuition after everything...NetPumper is probably the reason for the LOP, too) and un-installed with no problem; all others on the list are not present and registry should be clean of any of it; I have never installed MessengerPlus with sponsor (sounds bad). Also, here is a log from Ewido (quick scan, updated 5/3/07) after both delJob and HJT scanned. Plus, Norton scan checks out. Thanks a bunch and it looks like IE6 is okay. No pop ups anymore! ......................... Edit by CalamityJane: Pasting in logs for easier review -------------------------------------------------------- NO LOP JOBS FOUND -------------------------------------------------------- FILES IN TASKS FOLDER AppleSoftwareUpdate.job Symantec NetDetect.job -------------------------------------------------------- EXPORT APP DATA FOLDERS Volume in drive C is DRIVE_C Volume Serial Number is 4029-C016 Directory of C:\Documents and Settings\Sage\Application Data 05/03/2007 06:41 PM <DIR> . 05/03/2007 06:41 PM <DIR> .. 03/14/2006 10:15 AM <DIR> acccore 09/05/2005 01:04 AM <DIR> ACTIVE~1 Active Disk 09/11/2006 02:48 PM <DIR> Adobe 02/11/2007 11:37 AM <DIR> AdobeUM 02/28/2007 08:01 PM <DIR> Ahead 07/05/2006 03:48 PM <DIR> APPLEC~1 Apple Computer 01/31/2007 06:08 PM <DIR> ASCARO~1 Ascaron Entertainment 12/23/2006 06:08 AM <DIR> ATI 01/19/2007 12:42 AM <DIR> ATIMMC~1 ATI MMC 10/05/2006 12:44 AM <DIR> Creative 09/04/2005 10:20 PM <DIR> DESIGN~1 Design Science 01/15/2007 11:24 PM <DIR> DivX 09/02/2005 03:02 AM <DIR> Help 09/02/2005 12:07 AM <DIR> IDENTI~1 Identities 02/01/2007 10:06 PM <DIR> ImgBurn 12/02/2006 01:03 AM <DIR> INSTAL~1 InstallShield 09/04/2005 10:45 PM <DIR> Ipswitch 10/12/2006 11:49 AM <DIR> Lavasoft 09/02/2005 02:13 AM <DIR> LEADER~1 Leadertech 09/02/2005 04:14 AM <DIR> MACROM~1 Macromedia 07/12/2006 07:18 PM <DIR> MICROS~1 Microsoft 09/17/2005 10:52 PM <DIR> Mozilla 09/09/2005 08:07 PM <DIR> MSN6 11/09/2005 12:40 AM <DIR> MYGAME~1 My Games 09/07/2005 01:29 PM <DIR> Nikon 09/11/2006 04:23 PM <DIR> OURPIC~1 OurPictures 09/01/2006 10:05 AM <DIR> PLAYFI~1 PlayFirst 10/11/2006 04:45 PM <DIR> Real 01/10/2007 09:51 PM <DIR> Skype 02/02/2006 07:42 PM <DIR> SlySoft 12/14/2005 07:40 PM <DIR> Sun 07/12/2006 08:01 PM <DIR> SUPERA~1.COM SuperAdBlocker.com 09/02/2005 01:12 AM <DIR> Symantec 09/17/2005 10:52 PM <DIR> Talkback 01/31/2006 11:46 AM <DIR> THUMBS~1 ThumbsPlus 01/14/2007 02:06 AM <DIR> Uniblue 03/24/2007 10:29 AM <DIR> uTorrent 11/06/2005 03:33 PM <DIR> VIEWPO~1 Viewpoint 03/20/2007 03:35 PM <DIR> Winamp 02/13/2006 11:23 PM <DIR> Xfire 0 File(s) 0 bytes 42 Dir(s) 16,592,109,568 bytes free Volume in drive C is DRIVE_C Volume Serial Number is 4029-C016 Directory of C:\Documents and Settings\All Users\Application Data 05/03/2007 06:41 PM <DIR> . 05/03/2007 06:41 PM <DIR> .. 09/11/2006 02:48 PM <DIR> Adobe 09/08/2005 01:06 AM <DIR> Ahead 07/02/2006 12:54 AM <DIR> AOL 03/13/2006 11:35 PM <DIR> AOLDOW~1 AOL Downloads 10/12/2006 08:52 PM <DIR> APPLEC~1 Apple Computer 05/01/2007 10:54 PM <DIR> ATIMMC~1 ATI MMC 12/07/2006 10:48 PM <DIR> BLUETO~1 Bluetooth 01/13/2007 02:51 AM <DIR> Creative 02/13/2006 02:02 PM <DIR> DVDSHR~1 DVD Shrink 02/22/2006 08:45 PM <DIR> GTek 07/04/2006 11:36 AM <DIR> Ipswitch 10/30/2005 02:57 PM <DIR> MACROV~1 Macrovision 10/12/2006 11:49 AM <DIR> MICROS~1 Microsoft 09/09/2005 08:07 PM <DIR> MSN6 09/01/2006 10:05 AM <DIR> PLAYFI~1 PlayFirst 07/02/2006 11:23 PM <DIR> QUICKT~1 QuickTime 09/27/2006 12:18 AM <DIR> SECTAS~1 SecTaskMan 09/03/2005 10:58 PM <DIR> SPYBOT~1 Spybot - Search & Destroy 02/18/2006 12:06 AM <DIR> Support.com 07/10/2006 11:55 PM <DIR> Symantec 03/28/2006 03:34 PM <DIR> Trymedia 11/06/2005 03:33 PM <DIR> VIEWPO~1 Viewpoint 10/05/2005 10:02 PM <DIR> WINDOW~1 Windows Genuine Advantage 09/27/2006 08:59 PM <DIR> X10SET~1 X10 Settings 0 File(s) 0 bytes 26 Dir(s) 16,592,105,472 bytes free .................... Logfile of HijackThis v1.99.1 Scan saved at 6:44:33 PM, on 5/3/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\dllhost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\vssvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Fast.exe C:\WINDOWS\System32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\fast.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ATI Multimedia\main\launchpd.exe C:\Program Files\ATI Multimedia\main\ATIDtct.EXE C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe C:\Program Files\ATI Multimedia\main\ATISched.EXE C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\explorer.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe C:\Program Files\Ahead\Nero Recode\Recode.exe C:\WINDOWS\System32\imapi.exe C:\Program Files\Hijackdetector\HJT.exe O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - Startup: Shortcut to sgmain.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168767411890 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168767403281 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\ O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe logitdeljoblog.txt hijackthisafterDeljob.log Report_Scan_20070503_193545.txt
  7. Ah, yes that was a bit vague...really just a blurb I thought I'd add while waiting for something else online; I will explain. If I remember correctly, I was concerned about the quality of my registry at the time. Many software and some hardware installs just didn't seem to be optimized and the performance I was getting seemed spotty and very low for my setup quality. Plus, my PC was working very hard most of the time during anything graphic intensive, even basic games like Icewindale 2, which is a relic for my box . Also, the brand new video card 's software I had just put in would not load, no matter how many ways I tried it; This was suspicious, because ATI catalyst software is quazi firmware and has been easily bumped from loading correctly in past experience, by severe registry problems or changes. Anyway, I thought it wouldn't hurt once I got the mess cleaned up (for the most part) and could rely that windows would load after a "repair" from the boot/install disc. However, I have SP1 with the core install disc, and wanted a clean re-install of SP2 (no SP1 write-overs, or half installs just in case). So, I uninstalled SP2 stand-alone through Add/Remove and on the next restart I got a crap ton of Flags from Norton's Auto protection for Vundo and many more; a deep scan afterwards found nothing and all has been well, except the weird IE registry add pop-up (which I listed as a separate topic of it's own, just two days ago) when I use IE6. The "repair" did work very well. All my programs are back up and my performance is better than it was before I started on this adventure; *others be warned though, most programs need a reinstall after a repair due to a wonky registry readjust*.-many programs will not work right, so reinstall all that you can. So that's that, I hope it makes more sense, let me know if it has any relevance or if I can produce any more helpful logs. Sorry my posts have been a little off. For some reason I hadn't seen your last two reply's to me Jane, including the reply from Dec. 19th...until I whent to add a reply. weird. All's well now Ooops, that's because I need to go to PAGE 2...sorry, special moment for me...happens.
  8. Ok, so here are HJT logs and Combofix logs before and after the Adaware SE scan with dat. files updated 4/30/07. Also, I did download the newest J2SE and will install after this post. Thanks so much Jane . Edit by CalamityJane: Pasting in most recent HijackThis log for easier review Logfile of HijackThis v1.99.1 Scan saved at 8:55:12 PM, on 5/2/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\inetsrv\inetinfo.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\dllhost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\vssvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Fast.exe C:\WINDOWS\System32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\fast.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\ATI Multimedia\main\launchpd.exe C:\Program Files\ATI Multimedia\main\ATIDtct.EXE c:\progra~1\intern~1\iexplore.exe C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe C:\Program Files\ATI Multimedia\main\ATISched.EXE C:\Program Files\Windows Media Player\WMPNSCFG.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\explorer.exe C:\Program Files\Hijackdetector\HJT.exe O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Wmaitchbeepreadme] C:\Documents and Settings\All Users\Application Data\BoltFastWmaItch\Data Cash.exe O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4 O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [inter shim] C:\DOCUME~1\Sage\APPLIC~1\OPTION~1\software window browse.exe O4 - Startup: Shortcut to sgmain.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168767411890 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1168767403281 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\ O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe ComboFixBEFOREAA.txt ComboFixAfter_AA_scan.txt hijackthisBEFOREAA.log hijackthisAfterAAscan.log
  9. just to let others know on this issue, I ended up removing SP2 for windows repair and re-install. Once I did, Norton and other scanners (ad-aware, Ewido) found all the Vundo and many traces of malware left over from all this. Just thought you should know. Hope it helps! OH!! Hi Jane! Didn't know you had responded...it's been monthes! Whent to Japan and all, but hey thanks. Don't know if you'll get these, but I will run Combo and HJT and post. Thanks for your reply!
  10. Some time ago I got a nasty bunch of Vundo trojan and busky trojan junk, with pmnnn.dll and a mess of malware from a "windows Media Player needs a new codec to view this file" false download. All the troubles and more were removed (after uninstalling SP2 and running every scan I could), but IE 6 still gets Registry software add popups when I open IE to browse; I never use IE 6 (love the Firefox), so I have just ignored it. But I would like to know what is lingering and how to get rid of it... So, here is my HJT log, let me know what I should do and thanks so much. I hope that this can broaden the trouble shooting for other members, too. The shear amount of scanning and processing done to un-root the last mess in my last posts, months ago, should help point out how weird this issue. Thanks! hijackthis.log
  11. Hi Jane, Thaks for the help on the Avenger backups, I guess I'm still a bit of a nOOb at this. No Vundo found and little activity for Windelf. Did we get it all already? I will display the log files and attach. The only problems I can note are the 888bar in control panel-> "add/remove" (possible it's stuck in windows memory?) and that Windows Firewall informs me of "network corruption, reset to default" when I click on the advanced tab under Control Panle->Windows Firewall. When I reset to default nothing changes, even after restart. But I don't have any problems getting online, or with any networking like printers, etc...so far. However, my Digipower multi card reader USB device drivers did corrupt in all this and I had to remove it (crashing problems, interference with other programs and crashing those programs, etc. Their drivers are pretty bad though, they are not MS signed). Let me know if you have any ideas. Oh, and those "Not a virus. Hacktool, crack" files in the Ewido scan are for LEGITIMATE Oblivion mods and possibly some other games, or should be anyway. Thanks again Jane and let me know what, if anything is next. WidElf: WIN32DELFKIL LOGFILE - by Marckie version 3.114 Wed 12/13/2006 16:24:56.01 running from: "C:\Documents and Settings\Sage\Desktop" --- File(s) found in Windows directory --- --- File(s) found in system32 folder --- --- Services --- --- Export SharedTaskScheduler key --- REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" --- Notify key --- Vundo fix: VundoFix V6.2.13 Checking Java version... Java version is 1.5.0.6 Java version is 1.5.0.9 Scan started at 4:34:47 PM 12/13/2006 Listing files found while scanning.... No infected files were found. VundoFix.txt windelf.txt
  12. Okay Jane, here are the HJT and Avenger logs files. I will assume the backups you need are the zip files associated with Avenger that say 'backup.zip', but there is "backups" from HJT; let me know if you need something else; I got a Panda scan in and an ewido scan. Attached are Backups for HJT on 12/05, then Avenger backup.zip and final the Ewido scan; Panda scan is in last part of post. System is pretty quite, except that I still have an entry of 888bar in the "add/remove programs" under control panel. When I go to uninstall it, it wants to uninstall a game (Port Royale 2) on my slave SATA drive (H:\)... 888bar does seem to have been removed though. Thanks! HJT: Logfile of HijackThis v1.99.1 Scan saved at 2:40:57 AM, on 12/12/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\SYMANT~1\VPTray.exe C:\WINDOWS\system32\fast.exe C:\WINDOWS\system32\taskswitch.exe C:\Program Files\Support.com\bin\tgcmd.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Iomega\DriveIcons\ImgIcon.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\CTXFIHLP.EXE C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\WINDOWS\SYSTEM32\CTXFISPI.EXE C:\WINDOWS\CTHELPER.EXE C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\ATI Multimedia\main\launchpd.exe C:\Program Files\ATI Multimedia\main\ATIDtct.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Valve\Steam\Steam.exe C:\Program Files\SpywareGuard\sgmain.exe C:\Program Files\Symantec AntiVirus\SavRoam.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\System32\ups.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\System32\vssvc.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\Fast.exe C:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Sage\Desktop\Malware Fix for Pmnn\HJT.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe" O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\Steam.exe -silent O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - Startup: Shortcut to sgmain.lnk = C:\Program Files\SpywareGuard\sgmain.exe O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\googletoolbar.dll/cmbacklinks.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\googletoolbar.dll/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\googletoolbar.dll/cmsimilar.html O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\googletoolbar.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - http://www.creative.com/su/ocx/15015/CTSUEng.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127014390687 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128574823203 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\ O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Iomega Activity Disk2 - Unknown owner - C:\WINDOWS\ O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe Avenger: Logfile of The Avenger version 1, by Swandog46 Running from registry key: \Registry\Machine\System\CurrentControlSet\Services\hgbgvwha ******************* Script file located at: \??\C:\WINDOWS\mcrfjcvc.txt Script file opened successfully. Script file read successfully Backups directory opened successfully at C:\Avenger ******************* Beginning to process script file: File C:\WINDOWS\g892875.dll deleted successfully. File C:\WINDOWS\system32\drvdet.dll deleted successfully. File C:\WINDOWS\system32\pbaotjsl.dll deleted successfully. File C:\WINDOWS\system32\xwqvhmlb.dll deleted successfully. File C:\WINDOWS\system32\tnmlxtoh.dll deleted successfully. File C:\WINDOWS\system32\xgucbpax.exe deleted successfully. File C:\WINDOWS\system32\cbugdolu.dll deleted successfully. File C:\WINDOWS\system32\mljhedc.dll deleted successfully. File C:\WINDOWS\system32\wnsapisv.exe deleted successfully. Folder C:\Documents and Settings\Sage\Application Data\SearchToolbarCorp deleted successfully. Completed script processing. ******************* Finished! Terminate. Panda Scan: Incident Status Location Adware:Adware/WebSearch Not disinfected C:\avenger\backup.zip[avenger/cbugdolu.dll] Adware:Adware/DriveCleaner Not disinfected C:\avenger\backup.zip[avenger/drvdet.dll] Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/mljhedc.dll] Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/pbaotjsl.dll] Spyware:Spyware/Virtumonde Not disinfected C:\avenger\backup.zip[avenger/tnmlxtoh.dll] Potentially unwanted tool:Application/VSToolbar Not disinfected C:\avenger\backup.zip[avenger/xgucbpax.exe] Adware:Adware/WebSearch Not disinfected C:\avenger\backup.zip[avenger/xwqvhmlb.dll] Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Sage\Application Data\Mozilla\Firefox\Profiles\default.c58\cookies.txt[.atwola.com/] Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Sage\Application Data\Mozilla\Firefox\Profiles\default.c58\cookies.txt[.statcounter.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][1].txt Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][1].txt Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][1].txt Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][2].txt Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][1].txt Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Sage\Cookies\[email protected][1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sage\Desktop\Malware Fix for Pmnn\SmitfraudFix.zip[smitfraudFix/Process.exe] Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sage\Desktop\Smitfraud\Process.exe Possible Virus. Not disinfected C:\Documents and Settings\Sage\My Documents\SAGE'S Docu.'s\My NEW Received Files\Internet, Instant Messanger and (antispyware) Utilities\Adware Spyware Tools and Programs\Ewido Anti-spyware\ewido.anti.spyware.v4.0.x.xxx.patch.icu.zip[ewido.anti-spyware.v4.0.x Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sage\My Documents\SAGE'S Docu.'s\My NEW Received Files\Internet, Instant Messanger and (antispyware) Utilities\Adware Spyware Tools and Programs\smitRem\Process.exe Possible Virus. Not disinfected C:\Documents and Settings\Sage\My Documents\SAGE'S Docu.'s\My NEW Received Files\Internet, Instant Messanger and (antispyware) Utilities\Adware Spyware Tools and Programs\smitRem\swreg.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Sage\My Documents\SAGE'S Docu.'s\My NEW Received Files\Internet, Instant Messanger and (antispyware) Utilities\Adware Spyware Tools and Programs\smitRem.exe[smitRem/Process.exe] Possible Virus. Not disinfected C:\Documents and Settings\Sage\My Documents\SAGE'S Docu.'s\My NEW Received Files\Internet, Instant Messanger and (antispyware) Utilities\Adware Spyware Tools and Programs\smitRem.exe[smitRem/swreg.exe] backupsHJT.zip Report_Scan_20061208_122804.txt
  13. Thanks a bunch and here is SmitFraud log. Let me know what you think, I am not changing anything in Services or startup until it looks okay here....oh, also if it is possible to modify the heading to this title please let me know (can't figure out how if I can do it, thinking not), so other people can better find it. The correct title to this mess should be pmnnn.dll; there are 3 N's in the dastardly devious .dll file name, not 2. Thanks SmitFraudFix v2.128 Scan done at 1:45:34.64, Tue 12/05/2006 Run from C:\Documents and Settings\Sage\Desktop\Smitfraud OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in safe mode »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler] "{1a01a98c-4f25-42e1-971a-185cf63569b2}"="expatriates" »»»»»»»»»»»»»»»»»»»»»»»» Killing process »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix GenericRenosFix by S!Ri »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning Registry Cleaning done. »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» End
  14. Yeah, um Pmnnn.dll defiantly not gone yet. You are/were very right Jane. The method above did help, but when I turned several services back on in the Startup tab of MSconfig, I got Spywareguard picking up that BHO entry again from Pmnnn.dll. However, it appears it came from a temp, or quarantined/restore file maybe, because Norton swiped it clean and easy the first time and Spywaregaurd was able to remove and hold the removal of the BHO, where as I kept getting the detection of my IE homepage being changed unless I shut SG down, before. But, I am still getting the adware-taskbar-popup crap about my system being infected. So, trying different startup services one at a time, I found that the selection "drvdet" in: 'rundll32.exe C:\WINDOWS\system32\drvdet.dll,startup' was/is the item causing the issue. Now, I am doing fine if I don't turn the startup option on, but does the system benefit from "drvdet" at startup and how can I clean it if so? Thanks