Please help - HijackThis logfile analysis for spyware

Unknown
edited March 2005 in Spyware & Virus Removal
Okay so I went out today and came back to 14 popups. I realized i had websearch toolbar, virtual bouncer, and adestroyer added to my start menu. I rebooted in safe mode, deleted all these files through control panel, deleted the directories from my program files, rebooted in normal mode, and everything appeared okay. AFter about 5 minutes of websearching and thinking everything was okay, i closed IE and all of that crap reinstalled itself on my computer. Now I'm back to getting pop-ups every minute or so claiming to be from the programs mentioned before and some from Ceres. I had the following logfile...

Logfile:
Logfile of HijackThis v1.99.1
Scan saved at 5:03:34 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\edkcs32i.exe
C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\pacis.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\exp.exe
C:\PROGRA~1\VBouncer\VIRTUA~1.EXE
c:\windows\system32\mpjygj.exe
c:\windows\system32\calc.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\PROGRA~1\Toolbar\TBPSSvc.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\temp\salm.exe
C:\WINDOWS\zeta.exe
C:\Documents and Settings\Evan Schuman\Desktop\Cleanup programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50221
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50221
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\ceres.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\system32\rtneg2.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [edkcs32i] C:\WINDOWS\system32\edkcs32i.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [mpjygj] c:\windows\system32\mpjygj.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\system32\ap9h4qmo.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [fsf] C:\WINDOWS\fsf.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp1.csom.umn.edu/qp2.cab
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://caps.pcrecruiter.com/pcrimg/PCRHTML.CAB
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096580807437
O16 - DPF: {8FAC20B4-0B1D-4BAC-BCE0-59DA519DEE67} (PCRALM.ALARM1) - http://caps.pcrecruiter.com/pcrimg/PCRALM.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0018.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0003.exe
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://www.cars.csom.umn.edu/viewer/activeXViewer/activexviewer.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Then I went back into safe mode, and I removed the following programs from my add/remove programs (they just kept coming):
adestroyer
elitebar IE bar
internet optimizer
internet offers
media access
shopathome
surfSidekick
bullseyenetwork
wintools easy installer
1800searchtoolbar
virtual bouncer
websearch toolbar

Then I re-ran my Spybot S&D and Ad-aware again. I am not in safe mode with networking and I'm afraid to start in normal mode in fear that I will get all those spyware/adware programs. My current log-file is the following:

Logfile of HijackThis v1.99.1
Scan saved at 5:58:19 PM, on 3/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Evan Schuman\Desktop\Cleanup programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [edkcs32i] C:\WINDOWS\system32\edkcs32i.exe
O4 - HKLM\..\Run: [PaciSoft] C:\WINDOWS\system32\pacis.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [mpjygj] c:\windows\system32\mpjygj.exe
O4 - HKLM\..\Run: [27rQ3nQ] mplrsfr.exe
O4 - HKLM\..\Run: [etbrun] c:\windows\system32\eliteyfp32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKLM\..\Run: [yrmw] C:\WINDOWS\system32\orvhj\yrmw.exe
O4 - HKLM\..\Run: [lmsffdhj] C:\WINDOWS\system32\kcpgfuug\lmsffdhj.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINDOWS\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINDOWS\Temp\WTuninst.exe /remove
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
O4 - HKCU\..\Run: [Jw04RhcmX] mp4libnt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp1.csom.umn.edu/qp2.cab
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://caps.pcrecruiter.com/pcrimg/PCRHTML.CAB
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096580807437
O16 - DPF: {8FAC20B4-0B1D-4BAC-BCE0-59DA519DEE67} (PCRALM.ALARM1) - http://caps.pcrecruiter.com/pcrimg/PCRALM.CAB
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupdatednews.com/install/aun_0018.exe
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0003.exe
O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://www.cars.csom.umn.edu/viewer/activeXViewer/activexviewer.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Please help!!! thanks, evan

Comments

  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    You have quite the collection of junk. Follow these steps to run some removal programs. If you have problems with any of them, just skip that step and proceed to the next one.


    STEP ONE
    Download and run Microsoft's Antispyware application.

    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    Remove everything that it finds.



    STEP TWO
    Please follow these instructions to run Adware.
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
      1. Download Ad-Aware SE Personal 1.05:
      2. Install Ad-Aware SE Personal 1.05:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      3. Update Ad-Aware SE Personal 1.05:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      4. Configure Ad-Aware SE Personal 1.05:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them.:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      5. Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.




    STEP THREE
    Please download CWShredder and run it, making sure to click "Fix".
    http://cwshredder.net/bin/CWSInstall.exe



    STEP FOUR
    Please run these two online scans.
    Make sure they are set to clean automatically:

    http://www.bitdefender.com/scan/licence.php

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    If there are files that can not be removed by the scans please include that information in your next post.



    Reboot and post a new hijackthis log. Let me know of any problems.
  • BoyWonderZ
    edited March 2005
    Thank you for the advice. I have been scanning and cleaning for 3 hours now. Here is what has been going on:

    1) I downloaded and ran the MSFT program and it cleared 33 bugs.
    2) I re-downloaded ad-aware, and 5 minutes into setting it up i got bombarded with pop-ups (30/minute).
    3) I disconnected from the network to avoid popups
    4) I reran the MSFT program - deleted all of them
    5) I rebooted in safe mode
    6) I ran ad-aware with the settings you recommended - fixed all of them
    7) I ran CWShredder - no problems found
    8) I ran Spybot S&D and deleted everything. Could not delete 2 reg files so I rebooted in safe mode again to run Spybot prior to boot. Repeated a few times and kept getting a similar report to this:

    Hotbar: Tracking cookie (Internet Explorer: Evan Schuman) (Cookie, fixed)


    AbetterInternet: Data (File, fixed)
    C:\WINDOWS\inf\farmmext.inf

    CallingHome.biz: <$DIR_TEMP> (Directory, fixed)
    C:\Documents and Settings\Evan Schuman\Local Settings\Application Data\..\Temp\THI621.tmp

    CallingHome.biz: <$DIR_TEMP> (Directory, fixed)
    C:\Documents and Settings\Evan Schuman\Local Settings\Application Data\..\Temp\THI5C47.tmp

    CallingHome.biz: <$DIR_TEMP> (Directory, fixed)
    C:\Documents and Settings\Evan Schuman\Local Settings\Application Data\..\Temp\THI3AF4.tmp

    CallingHome.biz: <$DIR_TEMP> (Directory, fixed)
    C:\Documents and Settings\Evan Schuman\Local Settings\Application Data\..\Temp\THI369D.tmp

    Elitum.EliteBar: Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-18\Software\LQ

    Elitum.EliteBar: Settings (Registry key, fixing failed)
    HKEY_USERS\S-1-5-21-3344167508-1604278677-3497227341-1007\Software\LQ

    Elitum.EliteBar: Settings (Registry key, fixing failed)
    HKEY_USERS\.DEFAULT\Software\LQ

    9) Then I rebooted in safe mode with networking to run the scans

    With BitDefender, these are the bugs it found (and could or couldn't fix):
    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\1.exe=>(NSIS o)=>zlib_nsis0001
    Infected with: Trojan.Downloader.Agent.AF

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\1.exe=>(NSIS o)=>zlib_nsis0001
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\1.exe=>(NSIS o)=>zlib_nsis0001
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\1.exe=>(NSIS o)
    Update failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\bpc_inst_1006.exe=>(NSIS o)=>zlib_nsis0001
    Detected with: Application.Adware.BPC.A

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\bpc_inst_1006.exe=>(NSIS o)=>zlib_nsis0001
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\bpc_inst_1006.exe=>(NSIS o)=>zlib_nsis0001
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\bpc_inst_1006.exe=>(NSIS o)
    Update failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\msdioo.exe
    Infected with: Trojan.Small.I

    C:\Documents and Settings\Evan Schuman\Local Settings\Temp\msdioo.exe
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\CD63GTYZ\download[1].htm
    Infected with: Exploit.Html.Codebase.Exec.Gen

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\CD63GTYZ\download[1].htm
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\CD63GTYZ\download[1].htm
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\W9QRCDUF\download[1].htm
    Infected with: Exploit.Html.Codebase.Exec.Gen

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\W9QRCDUF\download[1].htm
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\W9QRCDUF\download[1].htm
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\0324[1].exe=>(NSIS o)=>zlib_nsis0001
    Infected with: Trojan.Downloader.Agent.AF

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\0324[1].exe=>(NSIS o)=>zlib_nsis0001
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\0324[1].exe=>(NSIS o)=>zlib_nsis0001
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\0324[1].exe=>(NSIS o)
    Update failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\download[2].htm
    Infected with: Exploit.Html.Codebase.Exec.Gen

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\download[2].htm
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\download[2].htm
    Deleted

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\download[3].htm
    Infected with: Exploit.Html.Codebase.Exec.Gen

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\download[3].htm
    Disinfection failed

    C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\YGG168PR\download[3].htm
    Deleted

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
    Detected with: Adware.Wheaterbug.A

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
    Disinfection failed

    C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008
    Deleted

    C:\Program Files\AIM\Sysfiles\WxBug.EXE
    Update failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP24\A0062884.exe
    Detected with: Adware.Apropos.B

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP24\A0062884.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP24\A0062884.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP25\A0063075.exe
    Detected with: Application.Adware.BPC.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP25\A0063075.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP25\A0063075.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP25\A0063099.exe
    Infected with: Trojan.Small.I

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP25\A0063099.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063179.exe
    Detected with: Adware.Tbbar.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063179.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063179.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063180.exe
    Detected with: Adware.Tbbar.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063180.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063180.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063206.exe
    Detected with: Adware.Tbbar.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063206.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063206.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063219.dll
    Detected with: Adware.BetterInet.B

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063219.dll
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063250.exe
    Detected with: Adware.Apropos.B

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063250.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063250.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063270.dll
    Detected with: Adware.BetterInet.B

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0063270.dll
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063282.exe
    Infected with: Trojan.Downloader.Stubby.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063282.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063282.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063288.dll
    Detected with: Adware.BetterInet.B

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063288.dll
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063297.exe
    Suspected of: BehavesLike:Trojan.Downloader

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063297.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063297.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063299.exe=>(NSIS o)=>lzma_nsis0001
    Detected with: Application.Adware.BookedSpace.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063299.exe=>(NSIS o)=>lzma_nsis0001
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063299.exe=>(NSIS o)=>lzma_nsis0001
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063299.exe=>(NSIS o)
    Update failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063307.exe
    Infected with: Trojan.Dropper.Small.MR

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063307.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063307.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063309.exe=>(NSIS o)=>zlib_nsis0002
    Suspected of: Trojan.Downloader.Small.Gen

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063309.exe=>(NSIS o)=>zlib_nsis0002
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063309.exe=>(NSIS o)=>zlib_nsis0002
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063309.exe=>(NSIS o)
    Update failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063311.exe
    Infected with: Trojan.Small.I

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0063311.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058011.exe
    Detected with: Adware.Apropos.B

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058011.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058011.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058026.exe
    Detected with: Adware.Prevad.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058026.exe
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058026.exe
    Deleted

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058031.dll
    Detected with: Adware.Wheaterbug.A

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058031.dll
    Disinfection failed

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0058031.dll
    Deleted

    C:\WINDOWS\SYSTEM\loqn.exe
    Suspected of: Trojan.Downloader.Small.Gen

    C:\WINDOWS\SYSTEM\loqn.exe
    Disinfection failed

    C:\WINDOWS\SYSTEM\loqn.exe
    Deleted

    F:\Programs\Install_AIM.exe=>wise0041=>wise0008
    Detected with: Adware.Wheaterbug.A

    F:\Programs\Install_AIM.exe=>wise0041=>wise0008
    Disinfection failed

    F:\Programs\Install_AIM.exe=>wise0041=>wise0008
    Deleted

    F:\Programs\Install_AIM.exe=>wise0041
    Update failed

    10) This is my readout from the Panda program:
    Adware:Adware/eZula No disinfected C:\WINDOWS\system32\sysfile.dll
    Adware:Adware/SaveNow No disinfected Windows Registry
    Adware:Adware/BookedSpace No disinfected C:\WINDOWS\system32\bs?.dll
    Adware:Adware/Apropos No disinfected Windows Registry
    Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Evan Schuman\Application Data\sskknwrd.dll
    Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
    Adware:Adware/BroadcastPC No disinfected Windows Registry
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Evan Schuman\Application Data\sskknwrd.dll
    Adware:Adware/Transponder No disinfected Windows Registry
    Adware:Adware/nCase No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temp\DelBB.tmp
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temp\i2E.tmp
    Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temp\ms2D.tmp
    Virus:W32/Gaobot.batch Disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temp\r.bat
    Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temp\uninstall.exe
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\07QTCXOA\TBPSSvc[1].cab[TBPSSvc.exe]
    Virus:Bck/Paci.A Disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\0TQJO1MZ\pcs_0003[1].exe
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\BO64GKSZ\newmajorse2[1].cab
    Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\BO64GKSZ\newmajorse2[1].cab[newmajorse2.txt]
    Virus:Trj/Downloader.KW Disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\JNPCMOVJ\mmviewer_101[1].cab
    Adware:Adware/Apropos No disinfected C:\Documents and Settings\Evan Schuman\Local Settings\Temporary Internet Files\Content.IE5\U4AZQJJ2\AproposClientInstaller[1].exe
    Adware:Adware/StartPage.DD No disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\protector_update[1].exe
    Possible Virus. No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
    Virus:W32/Sdbot.CKD.worm Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\842DF287-E83D-41E8-9E3A-ECD150\3172350C-641A-459B-AEB9-6C42C7
    Adware:Adware/StartPage.DD No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\907896F1-C5A0-4367-B55C-80A688\AFF48314-5121-4E44-B8C5-48712D
    Virus:Trj/Downloader.AYV Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C6AE9B1B-8DE5-4F0E-AE2D-35EEF2\D202BBCB-D0AB-4120-A77A-CF23AA
    Virus:Trj/Downloader.AYV Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\C6AE9B1B-8DE5-4F0E-AE2D-35EEF2\E0DB9AF8-C5EB-4E53-BE7C-10F8C3
    Virus:Bck/Paci.A Disinfected C:\WINDOWS\Downloaded Program Files\pcs_0003.exe
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\ceres.inf
    Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\eliteggo32.exe
    Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\elitegjs32.exe
    Adware:Adware/StartPage.DD No disinfected C:\WINDOWS\SYSTEM32\elitehxw32.exe
    Spyware:Spyware/ClientMan No disinfected C:\WINDOWS\SYSTEM32\mseggo.gif
    11) Finally, I ran HijackThis for a new log:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:37:22 AM, on 3/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Evan Schuman\Desktop\Cleanup programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [edkcs32i] C:\WINDOWS\system32\edkcs32i.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
    O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
    O4 - HKLM\..\Run: [yrmw] C:\WINDOWS\system32\orvhj\yrmw.exe
    O4 - HKLM\..\Run: [lmsffdhj] C:\WINDOWS\system32\kcpgfuug\lmsffdhj.exe
    O4 - HKLM\..\Run: [rqwu] C:\WINDOWS\system32\filpj\rqwu.exe
    O4 - HKLM\..\Run: [njbo] C:\WINDOWS\system32\iwag\njbo.exe
    O4 - HKLM\..\Run: [rmefu] C:\WINDOWS\system32\cysdvlwn\rmefu.exe
    O4 - HKLM\..\Run: [apmwrhku] C:\WINDOWS\system32\tgfsrhbp\apmwrhku.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyfp32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://qp1.csom.umn.edu/qp2.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://caps.pcrecruiter.com/pcrimg/PCRHTML.CAB
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096580807437
    O16 - DPF: {8FAC20B4-0B1D-4BAC-BCE0-59DA519DEE67} (PCRALM.ALARM1) - http://caps.pcrecruiter.com/pcrimg/PCRALM.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0003.exe
    O16 - DPF: {F2CA2115-C8D2-11D1-BEBD-00A0C95A6A5C} (WebReportSource Class) - http://www.cars.csom.umn.edu/viewer/activeXViewer/activexviewer.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: apmwrhkutgfsrhbp - Unknown owner - C:\WINDOWS\system32\tgfsrhbp\apmwrhku.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: rmefucysdvlwn - Unknown owner - C:\WINDOWS\system32\cysdvlwn\rmefu.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    I am still in safe mode because I'm afraid of getting that huge mail pop-up bombardment again. I want to try to clean everything in here because I fear the malware pigeon-holing again in normal mode. Please offer any advice of how to remove the files that any of the programs found but did not remove and/or are apparent from my HijackThis logfile.

    I appreicate the help and I'll check back tomorrow. Happy Easter!
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    Happy Easter to you too!


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [edkcs32i] C:\WINDOWS\system32\edkcs32i.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\IEXPLOR.EXE] C:\WINDOWS\IEXPLOR.EXE
    O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
    O4 - HKLM\..\Run: [yrmw] C:\WINDOWS\system32\orvhj\yrmw.exe
    O4 - HKLM\..\Run: [lmsffdhj] C:\WINDOWS\system32\kcpgfuug\lmsffdhj.exe
    O4 - HKLM\..\Run: [rqwu] C:\WINDOWS\system32\filpj\rqwu.exe
    O4 - HKLM\..\Run: [njbo] C:\WINDOWS\system32\iwag\njbo.exe
    O4 - HKLM\..\Run: [rmefu] C:\WINDOWS\system32\cysdvlwn\rmefu.exe
    O4 - HKLM\..\Run: [apmwrhku] C:\WINDOWS\system32\tgfsrhbp\apmwrhku.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteyfp32.exe
    O23 - Service: apmwrhkutgfsrhbp - Unknown owner - C:\WINDOWS\system32\tgfsrhbp\apmwrhku.exe
    O23 - Service: rmefucysdvlwn - Unknown owner - C:\WINDOWS\system32\cysdvlwn\rmefu.exe


    Reboot your computer into Safe Mode

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\IEXPLOR.EXE
    C:\WINDOWS\farmmext.ini
    C:\WINDOWS\system32\edkcs32i.exe
    C:\WINDOWS\system32\orvhj <-- this folder
    C:\WINDOWS\system32\kcpgfuug <-- this folder
    C:\WINDOWS\system32\filpj <-- this folder
    C:\WINDOWS\system32\iwag <-- this folder
    C:\WINDOWS\system32\cysdvlwn <-- this folder
    C:\WINDOWS\system32\tgfsrhbp <-- this folder
    C:\windows\system32\eliteyfp32.exe
    C:\WINDOWS\SYSTEM32\eliteggo32.exe
    C:\WINDOWS\SYSTEM32\elitegjs32.exe
    C:\WINDOWS\SYSTEM32\elitehxw32.exe
    C:\WINDOWS\SYSTEM32\mseggo.gif
    C:\WINDOWS\system32\sysfile.dll
    C:\Documents and Settings\Evan Schuman\Application Data\sskknwrd.dll
    C:\WINDOWS\Downloaded Program Files\pcs_0003.exe
    C:\WINDOWS\INF\ceres.inf



    Delete temp files

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the Recycle Bin.


    Reboot your computer to go back to normal mode and post a new log.
  • BoyWonderZ
    edited March 2005
    I followed all your steps, and rebooted in normal mode. I deleted all files except the elite*.* programs, which could not be found. I ran the MSFT spyware remover and it found one potential problem, which I deleted. Then I ran Spybot S&D and it came up with the following log (still cannot delete the elitebar crap):


    --- Search result list ---
    Advertising.com: Tracking cookie (Internet Explorer: Evan Schuman) (Cookie, fixed)


    Advertising.com: Tracking cookie (Internet Explorer: Evan Schuman) (Cookie, fixed)


    Avenue A, Inc.: Tracking cookie (Internet Explorer: Evan Schuman) (Cookie, fixed)


    DoubleClick: Tracking cookie (Internet Explorer: Evan Schuman) (Cookie, fixed)


    Elitum.EliteBar: Settings (Registry key, fixing failed)
    HKEY_USERS\S-1-5-18\Software\LQ

    Elitum.EliteBar: Settings (Registry key, fixing failed)
    HKEY_USERS\.DEFAULT\Software\LQ

    Then I ran HijackThis and came up with the following log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:42:08 AM, on 3/27/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\D-Link\Air Utility\AirCFG.exe
    C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\Evan Schuman\Desktop\Cleanup programs\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fantasysports.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CloneDVDElbyDelay] "C:\Program Files\Elaborate Bytes\CloneDVD\ElbyCheck.exe" /L ElbyDelay
    O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Gaim] C:\Program Files\Gaim\gaim.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096580807437
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    Disable Spybot Teatimer and Microsoft Realtime Protection and have hijackthis fix these lines.

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank


    Reboot and post a new hijackthis log. Are you having any more problems?
  • BoyWonderZ
    edited March 2005
    No more pop-ups. Thank you.

    But every time i run Spybot i get the elitium.elitebar crap and it cannot delete them. CAn i manually delete these registry values in regedit?


    Elitum.EliteBar: Settings (Registry key, fixing failed)
    HKEY_USERS\S-1-5-18\Software\LQ

    Elitum.EliteBar: Settings (Registry key, fixing failed)
    HKEY_USERS\.DEFAULT\Software\LQ
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    You could find and remove them manually with regedit, but I wouldn't. Try running a regular registry cleaner to see if it picks them up as orphaned entries.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millenium System Restore

      or

      Windows XP System Restore Guide

      Renable system restore with instructions from tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
  • BoyWonderZ
    edited March 2005
    Thanks I took all those precautions. Does spywareblaster run when I do not have the program open? I do not see an icon in my system tray.
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited March 2005
    SpywareBlaster does not have to be running to protect you. Just be sure to update it and then enable all protection.
This discussion has been closed.