Please help with nail & company infection.

edited June 2005 in Spyware & Virus Removal
I've learned a lot from the numerous other threads on this, but it seems every solution is unique, so here is my sad story. I changed my usual ActiveX settings so my daughter could get some seemingly innocent dollmaker site to work (eLouai.com, keep your kids away) and got infected with nail, aurora, bookedspace and the others that come with them. Norton, Kaspersky, ewido, AdAware, no help. Curiously, SpyBot S&D crashes to the desktop soon after I click the Fix Problems button.

Here is my Hijack log.

Help us Obi-Wan, you are our only hope

Roy

Logfile of HijackThis v1.99.1
Scan saved at 8:44:56 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\iuent.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system\gtxfve.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\WINDOWS\system32\inflman.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
C:\Program Files\Sony Handheld\HOTSYNC.EXE
C:\Program Files\WallpaperToy\Wallpapertoy.Exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mud\Desktop\malware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitednf32.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [775h36j] iuent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MwunRWH8g] inflman.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    This has been a busy place lately and we're backed up a few days on responses. Sorry it took so long to get to you.

    Make sure that you can VIEW ALL HIDDEN FILES.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
    O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitednf32.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [775h36j] iuent.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\zeta.exe
    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\VCMnet11.exe
    C:\WINDOWS\system32\exp.exe
    C:\WINDOWS\system32\wintask.exe
    C:\windows\system32\elitednf32.exe <-- if other similar files beginning with elite are found delete them also
    C:\Program Files\CxtPls
    C:\Program Files\Common Files\WinTools


    Reboot your computer to go back to normal mode and post a new log.
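A small triage script, added here as an example and not part of the thread or of HijackThis itself, that applies the cues used in the reply above (dead `(no file)` BHOs, Run values that load a bare filename or carry a path-shaped or random-looking name, services marked `(file missing)` or with an unknown owner) to log lines in the format posted in this thread. The sample lines are constructed from this thread's logs, and the name heuristic and fix/review split are my own assumptions.

```python
"""Triage a HijackThis v1.99 log with the kinds of cues a helper looks for."""
import re
from dataclasses import dataclass

# Constructed sample in the format of the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [775h36j] iuent.exe
O4 - HKCU\..\Run: [MwunRWH8g] inflman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [value name] target"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[^:]*): \[(?P<name>[^\]]*)\] (?P<target>.*)$')
# O23 services: "O23 - Service: display name (short name) - owner - path"
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Assumed heuristic: a value name that mixes letters and digits with no
# separators (775h36j, MwunRWH8g) is treated as machine-generated.
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,}$')


@dataclass(frozen=True)
class Finding:
    line: str        # the log line as posted
    reasons: tuple   # one string per cue that fired
    severity: str    # 'fix' (dead entry, safe to remove) or 'review' (needs a human look)


def triage_line(line: str):
    """Return a Finding for a suspicious log line, or None if nothing stood out."""
    line = line.strip()
    fix, review = [], []
    section = line.split(' - ', 1)[0]

    if section in ('O2', 'O3'):
        if '(no file)' in line:
            fix.append('BHO/toolbar DLL no longer exists; dead registration')
        elif '(no name)' in line:
            review.append('unnamed BHO; identify the DLL before fixing')

    m = O4_RE.match(line)
    if m:
        name, target = m.group('name'), m.group('target')
        first = target.split(' ', 1)[0]   # executable token, arguments dropped
        if '\\' not in first:
            review.append(f'Run value [{name}] loads bare filename {first}, resolved via the search path')
        if '\\' in name:
            review.append(f'Run value name is itself a path ({name}), typical of generated entries')
        if RANDOM_NAME_RE.match(name):
            review.append(f'Run value name [{name}] looks machine-generated')

    m = O23_RE.match(line)
    if m:
        if '(file missing)' in m.group('path'):
            fix.append(f'service {m.group("svc")} points at a file that no longer exists')
        if m.group('owner') == 'Unknown owner':
            review.append(f'service {m.group("svc")} has no publisher recorded')

    if not fix and not review:
        return None
    return Finding(line, tuple(fix + review), 'fix' if fix else 'review')


def triage(log_text: str) -> list:
    """Run triage_line over every line of a log, preserving log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity.upper():6}] {f.line}')
        for r in f.reasons:
            print(f'          - {r}')
```

Entries it leaves alone (exp.exe, wintask.exe) were caught in the reply above only through knowledge of known adware names, so treat the output as a starting list for a human, not a verdict.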
  • edited May 2005
    Thanks for your reply Buckeye_Sam.

    Since my original post I've been through a few stages. I found an automated Hijack Log File reader (hjt.iamnotageek.com), Microsoft's beta AntiSpyWare utility, Panda online virus and spyware scan, Spyware Blaster and a few others, all of which found things. In my zeal to eradicate this pest I must have deleted some things that I shouldn't have and I ended up doing a repair install of XP.

    I am right now in the middle of another scan with Panda and it has found a couple of infected files. When it is done I'll finish updating Windows and then start following your advice.

    I greatly appreciate your help. My next step would have been a reformat.

    Roy
  • edited May 2005
    I found and deleted VCMnet11.exe; otherwise I was clean.

    Here is my most recent Hijack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:16:27 AM, on 5/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system\gtxfve.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\SETI@home\SETI@home.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\WINDOWS\system32\mrtMngr.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • Buckeye_Sam Columbus, Ohio
    edited May 2005
    Fix this line with Hijackthis, reboot and post a new log.

    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
  • edited May 2005
    Fix this line with Hijackthis, reboot and post a new log.

    O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe

    Must have missed this the last time. Thanks for spotting it. On reboot, Microsoft AntiSpyware caught it trying to load and asked me if I wanted to block it. I did.

    Here is the new log.

    Thanks for your help.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:04:26 PM, on 5/23/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system\gtxfve.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\WINDOWS\system32\mrtMngr.EXE
    C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe
    C:\WINDOWS\system32\spider.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    Your log is clean!

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to disable and re-enable System Restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable System Restore with instructions from the tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
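Step 2 above changes six Internet-zone settings by hand. Those settings live in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 as DWORD values named by URL-action code (0 = Enable, 1 = Prompt, 3 = Disable), so the result can be checked after the fact by exporting that key with `reg export` and comparing the export against the list. The script below is an added example, not part of this thread and not a HijackThis or Microsoft tool: it parses such an export, reports every setting that is missing or more permissive than the list above, and emits a .reg file that applies the recommended values. The action-code mapping is Microsoft's documented URLACTION numbering for the Internet zone; the export text is constructed here to show a loosened zone of the kind the original poster describes, not taken from his machine.

```python
import re

# URL-action codes for the six settings in the procedure above, with the
# recommended data. Data 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
SETTING_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# One value line of a `reg export` file, e.g.  "1001"=dword:00000001
VALUE_RE = re.compile(r'^"(\d{4})"=dword:([0-9A-Fa-f]{8})$')


def parse_zone_export(text):
    """Map URL-action code -> integer data from the text of a .reg export of
    the Zones\\3 key. The key header and non-DWORD values are skipped."""
    settings = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            settings[m.group(1)] = int(m.group(2), 16)
    return settings


def audit_zone(text):
    """Return [(code, description, current, recommended)] for every recommended
    setting that is missing from the export or more permissive than recommended.
    Lower data is more permissive (Enable < Prompt < Disable), so a numeric
    comparison is the whole check. A missing value means the zone template
    default applies; it is reported so that it gets looked at, not assumed safe."""
    current = parse_zone_export(text)
    findings = []
    for code, (desc, want) in RECOMMENDED.items():
        have = current.get(code)
        if have is None or have < want:
            findings.append((code, desc, have, want))
    return findings


def hardening_reg():
    """Text of a .reg file that applies the recommended settings to HKCU
    (importable with `reg import` or by double-clicking it in Explorer)."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONE3_KEY}]"]
    for code, (_desc, want) in sorted(RECOMMENDED.items()):
        lines.append(f'"{code}"=dword:{want:08x}')
    return "\n".join(lines) + "\n"


# Constructed sample export of a loosened Internet zone: both ActiveX download
# settings enabled and unsafe-for-scripting controls only prompted.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"1607"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000003
"""

if __name__ == "__main__":
    for code, desc, have, want in audit_zone(SAMPLE_EXPORT):
        have_name = "not set" if have is None else SETTING_NAME.get(have, str(have))
        print(f"{code} {desc}: {have_name} -> should be {SETTING_NAME[want]}")
    print(hardening_reg())
```

On the sample export the audit reports 1001, 1004 and 1201; the other three already match. Importing the emitted .reg file only touches the six values above for the current user, so any other zone customisation is left alone.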
  • edited May 2005
    Sam,

    My log may be clean but I am still getting pop ups, even with Firefox. It is much better than before but I don't think I'm cured. Any advice?

    I have seen your excellent summary about how to protect yourself at the end of other threads and I have already implemented your suggestions. Thanks

    Roy
  • edited May 2005
    BTW, I just tried to find out how to contribute to the site and I have to say it is just awesome that you don't accept donations. When I start Folding at Home, you will be my team.

    If you ever do start accepting donations, let me know. Or you could PM me and tell me where to send a Pizza. :thumbsup:

    Roy
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    Hold on to that pizza money til we get you cleaned up for sure. :D

    If you're still getting popups it's very possible that there's something that just doesn't show up on your log. There is an online virus scan that does a very good job of detecting these files. It won't delete them but it will produce a report that lists everything that it finds so that you can go back and delete the files manually.

    Panda Virus Scan

    Reboot when the scan is done and post a new hijackthis log and the info from your virus scan.
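One check a practitioner would run on the logs posted in this thread, following Sam's point that something may be running without showing up as a log entry: cross-reference the "Running processes" block of a HijackThis 1.99 log against its O4 (autostart) and O23 (service) entries and list every process that nothing visible could have launched. The script below is an added example, not part of the thread and not a HijackThis feature. The CORE_WINDOWS and INTERACTIVE sets are assumptions about what is expected to run without a Run key (kernel- and Winlogon-started system processes, and programs the user opened by hand while taking the log); the log excerpt is constructed from entries that appear in the logs above, trimmed to a few lines. Every hit is a work item for manual checking (file location, vendor, digital signature), not a verdict: a Microsoft service, which this version of HijackThis leaves out of O23, would land on the list too.

```python
import re

# Windows XP processes started by the kernel, Winlogon or the service
# controller rather than by a Run key; never expected in O4/O23. (Assumed list.)
CORE_WINDOWS = frozenset({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
})
# Programs the user typically starts by hand while taking the log. (Assumed list.)
INTERACTIVE = frozenset({"hijackthis.exe", "iexplore.exe", "msmsgs.exe"})

# A drive-letter path ending in .exe, as HijackThis prints them in O4/O23 lines.
EXE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)


def _basename(path):
    return path.rstrip().split("\\")[-1].lower()


def parse_hjt_log(text):
    """Return (running, launched): the basenames in the 'Running processes'
    block, in order, and the set of executables that O4 (autostart) and
    O23 (service) entries point at."""
    running, launched = [], set()
    in_running = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_running = True
            continue
        if in_running:
            if not line:                 # blank line closes the block
                in_running = False
            else:
                running.append(_basename(line))
            continue
        if line.startswith(("O4 - ", "O23 - ")):
            for m in EXE_PATH_RE.finditer(line):
                launched.add(_basename(m.group(0)))
    return running, launched


def unexplained_processes(text):
    """Running processes with no O4/O23 entry that could have started them,
    excluding core Windows processes and interactively started programs.
    Duplicates (several svchost.exe instances, say) are reported once."""
    running, launched = parse_hjt_log(text)
    seen, hits = set(), []
    for name in running:
        if name in CORE_WINDOWS or name in INTERACTIVE or name in launched:
            continue
        if name not in seen:
            seen.add(name)
            hits.append(name)
    return hits


# Constructed excerpt built from entries that appear in the logs in this
# thread; a real log has many more lines in each section.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\WINDOWS\system\gtxfve.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for name in unexplained_processes(SAMPLE_LOG):
        print("running with no visible autostart entry:", name)
```

Paths are compared by basename only, so an 8.3 short path in an O4 entry still matches the long path of the running process. Quoted paths and paths followed by arguments (deskup.exe /IMGSTART) are handled by the non-greedy match up to the first .exe.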
  • edited May 2005
    I tried Panda early in this process but it locked up after about three hours. I'll start a scan when I get home from work tonight and see if I have any better luck this time.

    Roy
  • Buckeye_Sam, Columbus, Ohio
    edited May 2005
    Let me know if it doesn't work for you. There are other options.
  • edited May 2005
    Sam,

    I've been away for the holiday. Hope you had a good one too.

    Panda found a registry key: HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603 that has several entries in it, among them vcmnet11.exe, wintools, cxtpls, elite, wintask.exe, exp.exe, zeta.exe, nail.exe and three marketing32 installers.

    Should I delete this key? I am hesitant to do so without knowing how to back up the registry. The new 1.06 AdAware finds vcmnet11.exe every time I boot up.

    Here is my current hjt log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:15:58 PM, on 5/31/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system\gtxfve.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\WINDOWS\system32\mrtMngr.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

    Thanks again for your help.

    Roy
  • Buckeye_Sam, Columbus, Ohio
    edited June 2005
    I would not delete anything from your registry unless you are absolutely sure what you are doing.


    Please remove this entry from Add/Remove Programs in the Control Panel(if present):

    Windows AFA Internet Enhancement



    Download mwav.exe from MicroWorld, then:

    - Double-click the mwav.exe icon to run it (it'll self extract).
    - When it opens, check the following:
    ---- Memory
    ---- Registry
    ---- Startup Folders
    ---- System Folders
    ---- Services
    ---- Drive
    ---- All local drives
    ---- Scan all files

    - Then click on SCAN

    When it completes, post back the results (copy and paste) from the 'Virus log information' pane.
  • edited June 2005
    No AFA Internet in Add/Remove.

    MWAV indicates 29 viruses found.

    Here is the log.

    Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\popcaploader.dll". Action Taken: No Action Taken.
    Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\System32\iuctl.dll". Action Taken: No Action Taken.
    File C:\WINDOWS\system32\KILLAPPS.EXE tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Printer\Lexmark\CJXP73LE\CJXP73LE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Printer\Lexmark\CJXP73LE\scan\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Printer\Lexmark\CJXP73LE\scan\SETUPX73PART2.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Printer\Lexmark\newdriver&uninstall\CJXP73LE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Sound\LiveDrvPack.exe tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Sound\LiveDrvUni-Pack(ENG).exe tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
    File C:\Documents and Settings\Mud\My Documents\Downloads\System\Drivers\Zip Drive\ioware-w32-x86-402.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\Programs\abc programs\mp5eval.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\Programs\abc programs\notation.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\Programs\malware\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
    File C:\Downloads\Programs\malware\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
    File C:\Downloads\Programs\Note Worthy\eval-nwc175b.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\System\Drivers\Printer\Lexmark\CJXP73LE\CJXP73LE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\System\Drivers\Printer\Lexmark\CJXP73LE\scan\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\System\Drivers\Printer\Lexmark\CJXP73LE\scan\SETUPX73PART2.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\System\Drivers\Printer\Lexmark\newdriver&uninstall\CJXP73LE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Downloads\System\Drivers\Sound\LiveDrvPack.exe tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
    File C:\Downloads\System\Drivers\Sound\LiveDrvUni-Pack(ENG).exe tagged as not-a-virus:Tool.Win32.KillApp.b. No Action Taken.
    File C:\Downloads\System\Drivers\Zip Drive\ioware-w32-x86-402.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Lxkx73\scan\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Lxkx73\scan\SETUPX73PART2.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Iomega\DriveIcons\imghr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\LexmarkX73\RemoveX73.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\LexmarkX73\SETUPX73PART2.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Program Files\LexmarkX73\X73Twain.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
  • Buckeye_Sam, Columbus, Ohio
    edited June 2005
    What problems are you still having? Please post a new hijackthis log.
  • edited June 2005
    Problems:
    Floods of popups.
    Regular NAV notices that it has caught alwayup trojan.
    Programs blocked regularly by MS AntiSpy.

    I am also having random lock ups and spontaneous reboots but that may be a separate issue with my video card and/or drivers. It mostly happens during 3D games.

    Here is the current hjt log.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:54:36 PM, on 6/3/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system\gtxfve.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\WINDOWS\system32\mrtMngr.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thanks again.
    Roy
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    There is nothing in your log or in the mwav scan that indicates malware. :scratch:

    Download, unzip and run ScheduledTasks.bat (courtesy of ddeerrff), and when notepad comes up, post the contents back to this thread.
    http://downloads.malwareremoval.com/scheduledtasks.zip



    Please download the latest release(1.4) of Spybot and run it.
    http://www.spybot.info/en/download/index.html

    If it crashes or freezes up, try running it in Safe mode. Let me know what it finds.
  • edited June 2005
    SpyBot found something called Pacimedia. I used the Fix Problems option. It did not find this yesterday.

    Here is the log from ScheduledTasks:

    Volume in drive C is Main Drive
    Volume Serial Number is F07D-1C3D

    Directory of c:\windows\tasks

    05/23/2005 12:06 AM <DIR> .
    05/23/2005 12:06 AM <DIR> ..
    08/23/2001 06:00 AM 65 desktop.ini
    06/03/2005 08:00 PM 544 Norton AntiVirus - Scan my computer.job
    11/21/2003 06:33 PM 276 Norton SystemWorks One Button Checkup.job
    06/04/2005 08:38 PM 6 SA.DAT
    06/04/2005 12:00 AM 304 Symantec Drmc.job
    06/04/2005 08:23 PM 360 Symantec NetDetect.job
    6 File(s) 1,555 bytes
    2 Dir(s) 49,332,928,512 bytes free
    --
    HR C:\windows\tasks\desktop.ini
    A C:\windows\tasks\Norton AntiVirus - Scan my computer.job
    A C:\windows\tasks\Norton SystemWorks One Button Checkup.job
    A H C:\windows\tasks\SA.DAT
    A C:\windows\tasks\Symantec Drmc.job
    A C:\windows\tasks\Symantec NetDetect.job

    What do you think?

    Roy
  • edited June 2005
    Every time I boot, NAV finds and deletes VCMnet11.exe and VCMnet11[1].exe.

    Roy
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Still struggling to find something we can act on.

    Download rkfiles.zip
    http://skads.org/special/rkfiles.zip
    Unzip the contents to a permanent folder.

    Reboot your computer into Safe Mode


    Doubleclick rkfiles.bat
    It will scan for a while, so please be patient.
    Wait till the DOS window closes and reboot back to normal mode.

    Post the contents of C:\log.txt in your next reply.


    ==================================================



    Please download FindQoologic from here:
    http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
    Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.



    ==================================================



    Show me a new hijackthis log. Is Microsoft Antispyware still finding things? If so, what does it find?
  • edited June 2005
    1. NAV finds VCMnet11.exe and VCMnet11[1].exe on every boot.

    2. Here is the rkfiles log:

    C:\Program Files\rkfiles

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    Files Found in system Folder............
    C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
    C:\WINDOWS\system32\DivX.dll: PEC2

    Files Found in all users startup Folder............
    Files Found in all users windows Folder............
    C:\WINDOWS\MEMORY.DMP: UPX!
    C:\WINDOWS\MEMORY.DMP: UPX!-
    C:\WINDOWS\MEMORY.DMP: UPX!-
    C:\WINDOWS\MEMORY.DMP: ',',s_isf,t))s_fsg+=(s_fsg!=''?',':''RCRD(
    C:\WINDOWS\MEMORY.DMP: FSG!-
    C:\WINDOWS\MEMORY.DMP: FSG!-
    C:\WINDOWS\MEMORY.DMP: efsg!>!#ztuf#
    C:\WINDOWS\MEMORY.DMP: efsg!>!#ztuf#
    C:\WINDOWS\MEMORY.DMP: FSG!-
    Finished
    bye

    3. NAV calls Find-Qoologic2.bat a "known malicious script". I did not run it. Should I ignore NAV about this?

    4. Microsoft AntiSpy finds AFA Internet Enhancement in my registry. This is after NAV has removed VCMnet11.exe. AFA still does not show up in the Add/Remove programs applet. While on the internet it often tells me it is blocking programs from running.

    5. AdAware finds tracking cookies.

    6. Here is a current hjt log, after removing AFA and VCM:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:14:38 PM, on 6/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\taskswitch.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Saitek\Software\Profiler.exe
    C:\Program Files\Saitek\Software\SaiSmart.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\system\gtxfve.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\WINDOWS\system32\mrtMngr.EXE
    C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
    O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://*.windowsupdate.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
    O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/6030-b463h-iomega/rnl/java/RntX.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
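Cross-referencing the running-process list against the O4/O23 autostart entries is one of the checks a helper does by eye on a log like the one above. The Python below, added here as an example and not something posted in the thread or shipped with HijackThis, automates that check on a constructed excerpt of that log: it lists running executables with no visible Run-key, Startup-folder or Service entry (not malicious in themselves, but where a manual review starts) and any process whose directory differs from the autostart entry carrying the same file name.

```python
"""Cross-reference a HijackThis v1.99 log: running processes vs. O4/O23 entries.

Added example, not part of the thread or of HijackThis. A running executable
with no Run-key, Startup-folder or Service entry in the same log is not
malicious by itself (it may be launched by a parent process, a scheduled task,
or a startup method HijackThis 1.99 does not list), but it is where a manual
review of the log starts.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed excerpt of the log posted above (same format, far fewer lines).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:14:38 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system\gtxfve.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe

O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

# Boot-chain processes that legitimately have no Run/Service entry of their own.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# First drive-letter path ending in .exe on a line; non-greedy, so trailing
# arguments such as "/IMGSTART" or "-atboottime" are left out.
EXE_PATH = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.IGNORECASE)


def parse_hjt(log_text):
    """Return (running, autostarts, unresolved).

    running    -- full paths from the 'Running processes' block, as written
    autostarts -- {basename: {full path, ...}} from O4/O23 lines, lower-cased
    unresolved -- O4/O23 lines with no readable target, e.g. 'Foo.lnk = ?'
    """
    running, autostarts, unresolved = [], defaultdict(set), []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line:                 # blank line closes the block
                in_processes = False
                continue
            running.append(line)
            continue
        if line.startswith(("O4 - ", "O23 - ")):
            match = EXE_PATH.search(line)
            if match:
                path = match.group(1).lower()
                autostarts[PureWindowsPath(path).name].add(path)
            else:
                unresolved.append(line)
    return running, autostarts, unresolved


def triage(log_text):
    """Report running processes that no O4/O23 entry accounts for."""
    running, autostarts, unresolved = parse_hjt(log_text)
    report = {"unreferenced": [], "path_mismatch": [], "unresolved": unresolved}
    for proc in running:
        low = proc.lower()
        name = PureWindowsPath(low).name
        if name in CORE_PROCESSES:
            continue
        if name not in autostarts:
            report["unreferenced"].append(proc)
        elif low not in autostarts[name]:
            # Same file name as an autostart entry, different directory:
            # the classic look-alike placement, worth checking first.
            report["path_mismatch"].append((proc, sorted(autostarts[name])))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Running, but no O4/O23 entry in this log (review by hand):")
    for proc in result["unreferenced"]:
        print("   ", proc)
    print("Running from a different directory than the autostart entry:")
    for proc, entries in result["path_mismatch"]:
        print("   ", proc, "vs", entries)
    print("Autostart entries whose target could not be read:")
    for line in result["unresolved"]:
        print("   ", line)
```

On the excerpt, HijackThis.exe itself lands in the unreferenced list because it was started by hand, which is the kind of entry a reviewer dismisses in a second; the point of the list is that every remaining name gets that second.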
  • Buckeye_Sam Columbus, Ohio
    edited June 2005
    Does NAV produce a log that you can post? Please post it if it does. If not, what is the location of the two files it keeps finding?


    You can run Find-qoologic.bat
    There's nothing malicious about it.
  • edited June 2005
    1. Nav log and Find_Qoologic log later in post.

    2. NAV finds them here: C:\WINDOWS\VCMnet11.exe
    and here: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
    and sometimes here: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe

    3. MS AntiSpy finds a registry key for AFA

    4. If I clean them, unplug my dsl router and reboot, they are not there. If I reconnect and reboot, they are back. Seems like something is connecting to somewhere to get them.

    5. Here are the logs:
    FindQoologic:

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
    some examples are MRT.EXE NTDLL.DLL.
    »»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    »»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

    ! REG.EXE VERSION 3.0

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
    <NO NAME> REG_SZ {57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    <NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    <NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    <NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Context Menu
    <NO NAME> REG_SZ {4DD05C19-333A-4463-8CA7-BCC83D571F13}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    <NO NAME> REG_SZ {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
    <NO NAME> REG_SZ {5464D816-CF16-4784-B9F3-75C0DB52B499}

    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    <NO NAME> REG_SZ Start Menu Pin

    »»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    NAV:

    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[2].ani
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[2].ani
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\dir45032326[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[1].ani
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[1].ani
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YQR1TL4N\dir45032326[1].htm
    Source: C:\Documents and Settings\Mud\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-1dae5613.zip
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\crs[1].ani
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\crs[1].ani
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\dir45032326[1].htm
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\G1QNCHIN\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\G1QNCHIN\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\KJK345O7\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\KJK345O7\aun_0035[1].exe
    ,Threat category: AdwareSource: C:\WINDOWS\system32\weirdontheweb_ventura.exe,Description: The file C:\WINDOWS\system32\weirdontheweb_ventura.exe is a Adware threat.
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\KJK345O7\VCMnet11[1].exe
    Source: C:\Documents and Settings\Mud\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7949a57e.zip
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\AL2N4HMJ\dir45032326[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[2].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[2].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\WHM38DM3\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\WHM38DM3\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
    Source: C:\WINDOWS\VCMnet11.exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\VCMnet11[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\K52GUOWU\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\K52GUOWU\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\V4NTZ2LI\aun_0027[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\V4NTZ2LI\aun_0027[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\Q1QYHWXR\aun_0027[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\Q1QYHWXR\aun_0027[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\F18C1N9J\aun_0035[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\F18C1N9J\aun_0035[1].exe
    ,Threat category: AdwareSource: C:\WINDOWS\Temp\DUpJOsoz.exe,Description: The file C:\WINDOWS\Temp\DUpJOsoz.exe is a Adware threat.
    ,Threat category: Security riskSource: C:\WINDOWS\system32\wintask.exe,Description: The file C:\WINDOWS\system32\wintask.exe is a Security risk threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\temperror32.dat,Description: The file C:\WINDOWS\system32\temperror32.dat is a Adware threat.
    ,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
    ,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
    ,Threat category: Security riskSource: C:\WINDOWS\system32\exp.exe,Description: The file C:\WINDOWS\system32\exp.exe is a Security risk threat.
    ,Threat category: AdwareSource: C:\WINDOWS\Nail.exe,Description: The file C:\WINDOWS\Nail.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsS.exe,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsS.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98.tmp,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98.tmp is a Adware threat.
    ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsB.dll,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsB.dll is a Adware threat.
    ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97.tmp,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97.tmp is a Adware threat.
    ,Threat category: AdwareSource: C:\Program Files\FwBarTemp\searchbar.exe,Description: The file C:\Program Files\FwBarTemp\searchbar.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\Program Files\Common Files\WinTools\WToolsB.dll,Description: The file C:\Program Files\Common Files\WinTools\WToolsB.dll is a Adware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\Temp\DUpJOsoz.exe,Description: The file C:\WINDOWS\Temp\DUpJOsoz.exe is a Adware threat.
    ,Threat category: Security riskSource: C:\WINDOWS\system32\wintask.exe,Description: The file C:\WINDOWS\system32\wintask.exe is a Security risk threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\Usgkjf.exe,Description: The file C:\WINDOWS\system32\Usgkjf.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\temperror32.dat,Description: The file C:\WINDOWS\system32\temperror32.dat is a Adware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\main.exe,Description: The file C:\WINDOWS\system32\main.exe is a Adware threat.
    ,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
    ,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
    ,Threat category: Security riskSource: C:\WINDOWS\system32\installer_MARKETING18.exe,Description: The file C:\WINDOWS\system32\installer_MARKETING18.exe is a Security risk threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\installer_MARKETING18.exe,Description: The file C:\WINDOWS\system32\installer_MARKETING18.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\Fyljty.exe,Description: The file C:\WINDOWS\system32\Fyljty.exe is a Adware threat.
    ,Threat category: Security riskSource: C:\WINDOWS\system32\exp.exe,Description: The file C:\WINDOWS\system32\exp.exe is a Security risk threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\EDow_AS2.exe,Description: The file C:\WINDOWS\system32\EDow_AS2.exe is a Adware threat.
    ,Threat category: SpywareSource: C:\WINDOWS\system32\cxtpls_loader.exe,Description: The file C:\WINDOWS\system32\cxtpls_loader.exe is a Spyware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\Nail.exe,Description: The file C:\WINDOWS\Nail.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\system32\bs51-eginwl51-vb.exe,Description: The file C:\WINDOWS\system32\bs51-eginwl51-vb.exe is a Adware threat.
    ,Threat category: AdwareSource: C:\WINDOWS\aqocctlcd.exe,Description: The file C:\WINDOWS\aqocctlcd.exe is a Adware threat.
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\webcam-plugin[1].exe
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YP5M721G\shellscript[1].js
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YP5M721G\shellscript[1].js
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\OBR3ECD9\VerifierBug[1].class
    Source: Installer.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
    Source: Dummy.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
    Source: InsecureClassLoader.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
    Source: GetAccess.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\735RRT0W\BlackBox[1].class
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\installer[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\01ERG567\hny[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YHCRILQ5\****[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\exploit[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YHCRILQ5\****[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\exploit[1].htm
    Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\exploit[2].htm
    Source: document.pif,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\W9AZ0D2F\ShowLetter[1]
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited June 2005
    Please download, install, and run Cleanup 4.0
    http://cleanup.stevengould.org/


    Download the Pocket Killbox.

    Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
    • Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:

        C:\WINDOWS\VCMnet11.exe
        C:\WINDOWS\system32\weirdontheweb_ventura.exe
        C:\WINDOWS\system32\wintask.exe
        C:\WINDOWS\system32\temperror32.dat
        C:\Program Files\NaviSearch
        C:\WINDOWS\system32\javex80.vxd
        C:\WINDOWS\system32\exp.exe
        C:\WINDOWS\Nail.exe
        C:\Program Files\FwBarTemp
        C:\Program Files\Common Files\WinTools
        C:\WINDOWS\system32\Usgkjf.exe
        C:\WINDOWS\system32\temperror32.dat
        C:\WINDOWS\system32\main.exe
        C:\WINDOWS\system32\installer_MARKETING18.exe
        C:\WINDOWS\system32\Fyljty.exe
        C:\WINDOWS\system32\exp.exe
        C:\WINDOWS\system32\EDow_AS2.exe
        C:\WINDOWS\system32\cxtpls_loader.exe
        C:\WINDOWS\system32\bs51-eginwl51-vb.exe

      • Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you drop down that box you should see the rest of them. Make sure that they are all there.
      • Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

      Your system will reboot now.



      Next, scan with Spybot Search and Destroy:

      1. Download the latest version of Spybot from either:
      * http://www.safer-networking.org/en/download/index.html
      * http://www.spybot.info/en/mirrors/index.html
      2. Install Spybot; by default it should install into C:\Program Files\Spybot - Search & Destroy.
      3. Run Spybot by clicking on "Start" => "Programs" => "Spybot - Search & Destroy" => "Spybot - Search & Destroy".
      4. The first time you run it, allow it to create a backup of your registry when prompted. This will take a few minutes to complete.
      5. Click on "Search for Updates".
      6. If any updates are found, place a check mark next to each and click on "Download Updates".
      7. Click on "Immunize" and once it detects what has or has not been blocked, block all remaining items by clicking on the green plus sign next to Immunize at the top.
      8. Click on "Search & Destroy" => "Check for Problems".
      9. If any problems are found, be sure to click on "Fix Selected Problems."



      Reboot and post a new hijackthis log, new log from your virus scan, and let me know how things are going now.
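A worked example added here by the editor, not a tool from this thread and not anything from Symantec or the Killbox author: a small Python script that turns a pasted NAV log into the kind of Killbox path list Sam compiled above by hand. It reads the two line shapes that appear in the log (bare "Source: path" lines, and the ",Threat category: ...Source: ...,Description: ..." lines), deduplicates, and applies two rules a practitioner wants when building such a list: for an entry of the form "The compressed file X within Y", the file to delete is the container Y (which is why the list above names javex80.vxd rather than nls.exe inside it), and anything under Temporary Internet Files or the Java deployment cache is left to CleanUp rather than put into Killbox. The sample log lines are constructed from entries in this thread; the cache-path markers and the function names are the editor's assumptions, not NAV's.

```python
import re

# Constructed sample in the two line shapes seen in the NAV log above
# (the fixed-width line wrapping the forum applied has been undone).
SAMPLE_LOG = r"""
Source: C:\WINDOWS\VCMnet11.exe
Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
,Threat category: AdwareSource: C:\WINDOWS\Nail.exe,Description: The file C:\WINDOWS\Nail.exe is a Adware threat.
,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
,Threat category: Security riskSource: C:\WINDOWS\system32\exp.exe,Description: The file C:\WINDOWS\system32\exp.exe is a Security risk threat.
,Threat category: AdwareSource: C:\WINDOWS\Nail.exe,Description: The file C:\WINDOWS\Nail.exe is a Adware threat.
Source: Installer.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
"""

# Assumption: paths containing these fragments are browser/Java cache files,
# which CleanUp empties; they do not need to go into Killbox.
CACHE_MARKERS = ("\\temporary internet files\\", "\\java\\deployment\\cache\\")

# ",Threat category: <cat>Source: <path>,Description: <text>"  (no space before "Source")
DETAIL_RE = re.compile(
    r"^,Threat category: (?P<category>.+?)Source: (?P<path>.+?),Description: (?P<desc>.+)$"
)
# "Source: <path>" or "Source: <member>,Description: <archive on disk>"
SOURCE_RE = re.compile(r"^Source: (?P<path>.+?)(?:,Description: (?P<container>.+))?$")
# Description text naming the archive that actually holds the detected file
WITHIN_RE = re.compile(r"^The compressed file .+? within (?P<container>.+?) is a ")


def _normalize(path):
    """NAV mixes '/' and '\\' in the same log; Killbox wants Windows paths."""
    return path.strip().replace("/", "\\")


def parse_nav_log(text):
    """Return one (category, reported path, on-disk target) tuple per log line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = DETAIL_RE.match(line)
        if m:
            target = m.group("path")
            w = WITHIN_RE.match(m.group("desc"))
            if w:  # detection inside an archive: the deletable object is the archive
                target = w.group("container")
            records.append((m.group("category").strip(),
                            _normalize(m.group("path")), _normalize(target)))
            continue
        m = SOURCE_RE.match(line)
        if m:
            # bare "Source:" lines carry no category in this export
            target = m.group("container") or m.group("path")
            records.append(("(unclassified)",
                            _normalize(m.group("path")), _normalize(target)))
    return records


def is_cache_path(path):
    low = path.lower()
    return any(marker in low for marker in CACHE_MARKERS)


def killbox_list(text):
    """Unique on-disk targets outside the caches, in first-seen order."""
    seen = []
    for _, _, target in parse_nav_log(text):
        if not is_cache_path(target) and target not in seen:
            seen.append(target)
    return seen


def cache_hits(text):
    """Unique cache-resident detections (handled by clearing the cache)."""
    seen = []
    for _, _, target in parse_nav_log(text):
        if is_cache_path(target) and target not in seen:
            seen.append(target)
    return seen


if __name__ == "__main__":
    print("Paste into Killbox:")
    for p in killbox_list(SAMPLE_LOG):
        print("  " + p)
    print("Left to CleanUp:")
    for p in cache_hits(SAMPLE_LOG):
        print("  " + p)
```

Run it against the full log saved to a file (read the file into `text` and call `killbox_list(text)`); the printed list is what goes into Killbox, and the duplicate Nail.exe and exp.exe entries in the hand-made list above are the kind of repeat the deduplication removes.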
    • edited June 2005
      Sam,

      CleanUp4.0 took 280megs from my drive. Yikes!

      Paste from clipboard didn't work with KillBox. I did them all one at a time. After reboot, they were all gone.

      SpyBot found no threats but there were a few new entries to the "immunize" list.

      Unfortunately, NAV keeps finding the two VCM files at boot and MS AntiSpy finds a registry entry for AFA.

      It seems like I can be on the net with no problems for about 30 min, then I get a dozen or so popups, then again every 30 min or so.

      Here are the logs you asked for, thanks for putting your energy into this problem for me.

      NAV:

      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\X44OPCE0\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\X44OPCE0\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\JQOG59DH\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\JQOG59DH\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\UX6V4PIN\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[2].ani
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[2].ani
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\dir45032326[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[1].ani
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\crs[1].ani
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YQR1TL4N\dir45032326[1].htm
      Source: C:\Documents and Settings\Mud\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-1dae5613.zip
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\crs[1].ani
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\crs[1].ani
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\dir45032326[1].htm
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\THJGBZ9T\VCMnet11[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\VCMnet11[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\MDFE866T\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\FPZRSB34\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\G1QNCHIN\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\G1QNCHIN\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\KJK345O7\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\KJK345O7\aun_0035[1].exe
      ,Threat category: AdwareSource: C:\WINDOWS\system32\weirdontheweb_ventura.exe,Description: The file C:\WINDOWS\system32\weirdontheweb_ventura.exe is a Adware threat.
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\KJK345O7\VCMnet11[1].exe
      Source: C:\Documents and Settings\Mud\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-5fa973e1-7949a57e.zip
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\AL2N4HMJ\dir45032326[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[2].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[2].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\WHM38DM3\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\WHM38DM3\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
      Source: C:\WINDOWS\VCMnet11.exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\VCMnet11[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\A3OHGT4N\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\K52GUOWU\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\K52GUOWU\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\V4NTZ2LI\aun_0027[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\V4NTZ2LI\aun_0027[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\Q1QYHWXR\aun_0027[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\Q1QYHWXR\aun_0027[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\F18C1N9J\aun_0035[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\F18C1N9J\aun_0035[1].exe
      ,Threat category: AdwareSource: C:\WINDOWS\Temp\DUpJOsoz.exe,Description: The file C:\WINDOWS\Temp\DUpJOsoz.exe is a Adware threat.
      ,Threat category: Security riskSource: C:\WINDOWS\system32\wintask.exe,Description: The file C:\WINDOWS\system32\wintask.exe is a Security risk threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\temperror32.dat,Description: The file C:\WINDOWS\system32\temperror32.dat is a Adware threat.
      ,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
      ,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
      ,Threat category: Security riskSource: C:\WINDOWS\system32\exp.exe,Description: The file C:\WINDOWS\system32\exp.exe is a Security risk threat.
      ,Threat category: AdwareSource: C:\WINDOWS\Nail.exe,Description: The file C:\WINDOWS\Nail.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsS.exe,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsS.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98.tmp,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppq98.tmp is a Adware threat.
      ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsB.dll,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp\WToolsB.dll is a Adware threat.
      ,Threat category: AdwareSource: C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97.tmp,Description: The file C:\Program Files\Yahoo!\YPSR\Quarantine\ppq97.tmp is a Adware threat.
      ,Threat category: AdwareSource: C:\Program Files\FwBarTemp\searchbar.exe,Description: The file C:\Program Files\FwBarTemp\searchbar.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\Program Files\Common Files\WinTools\WToolsB.dll,Description: The file C:\Program Files\Common Files\WinTools\WToolsB.dll is a Adware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\Temp\DUpJOsoz.exe,Description: The file C:\WINDOWS\Temp\DUpJOsoz.exe is a Adware threat.
      ,Threat category: Security riskSource: C:\WINDOWS\system32\wintask.exe,Description: The file C:\WINDOWS\system32\wintask.exe is a Security risk threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\Usgkjf.exe,Description: The file C:\WINDOWS\system32\Usgkjf.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\temperror32.dat,Description: The file C:\WINDOWS\system32\temperror32.dat is a Adware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\main.exe,Description: The file C:\WINDOWS\system32\main.exe is a Adware threat.
      ,Threat category: AdwareSource: C:/Program Files/NaviSearch/bin/nls.exe,Description: The compressed file C:/Program Files/NaviSearch/bin/nls.exe within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
      ,Threat category: AdwareSource: C:/WINDOWS/system32/nvms.dll,Description: The compressed file C:/WINDOWS/system32/nvms.dll within C:\WINDOWS\system32\javex80.vxd is a Adware threat.
      ,Threat category: Security riskSource: C:\WINDOWS\system32\installer_MARKETING18.exe,Description: The file C:\WINDOWS\system32\installer_MARKETING18.exe is a Security risk threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\installer_MARKETING18.exe,Description: The file C:\WINDOWS\system32\installer_MARKETING18.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\Fyljty.exe,Description: The file C:\WINDOWS\system32\Fyljty.exe is a Adware threat.
      ,Threat category: Security riskSource: C:\WINDOWS\system32\exp.exe,Description: The file C:\WINDOWS\system32\exp.exe is a Security risk threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\EDow_AS2.exe,Description: The file C:\WINDOWS\system32\EDow_AS2.exe is a Adware threat.
      ,Threat category: SpywareSource: C:\WINDOWS\system32\cxtpls_loader.exe,Description: The file C:\WINDOWS\system32\cxtpls_loader.exe is a Spyware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\Nail.exe,Description: The file C:\WINDOWS\Nail.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\system32\bs51-eginwl51-vb.exe,Description: The file C:\WINDOWS\system32\bs51-eginwl51-vb.exe is a Adware threat.
      ,Threat category: AdwareSource: C:\WINDOWS\aqocctlcd.exe,Description: The file C:\WINDOWS\aqocctlcd.exe is a Adware threat.
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\webcam-plugin[1].exe
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YP5M721G\shellscript[1].js
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YP5M721G\shellscript[1].js
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\OBR3ECD9\VerifierBug[1].class
      Source: Installer.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
      Source: Dummy.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
      Source: InsecureClassLoader.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
      Source: GetAccess.class,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\D4WFDDGP\classload[1].jar
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\735RRT0W\BlackBox[1].class
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\installer[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\01ERG567\hny[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YHCRILQ5\****[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\exploit[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\YHCRILQ5\****[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\exploit[1].htm
      Source: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\NY4FFPGL\exploit[2].htm
      Source: document.pif,Description: C:\Documents and Settings\Mud\Local Settings\Temporary Internet Files\Content.IE5\W9AZ0D2F\ShowLetter[1]


      HJT:

      Logfile of HijackThis v1.99.1
      Scan saved at 11:58:16 PM, on 6/8/2005
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\System32\Ati2evxx.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\Ati2evxx.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
      C:\Program Files\Microsoft Hardware\Mouse\point32.exe
      C:\WINDOWS\System32\taskswitch.exe
      C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
      C:\Program Files\Common Files\Symantec Shared\ccApp.exe
      C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
      C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
      C:\Program Files\Saitek\Software\Profiler.exe
      C:\Program Files\Saitek\Software\SaiSmart.exe
      C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
      C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
      C:\WINDOWS\system\gtxfve.exe
      C:\WINDOWS\System32\drivers\CDAC11BA.EXE
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
      C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
      C:\Program Files\WallpaperToy\Wallpapertoy.Exe
      C:\Program Files\ewido\security suite\ewidoctrl.exe
      C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
      C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
      C:\WINDOWS\system32\mrtMngr.EXE
      C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
      C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
      C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
      C:\WINDOWS\system32\devldr32.exe
      C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
      C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
      C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\Program Files\Hijack This\hijackthis_199\HijackThis.exe

      O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_6_2_0.dll
      O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
      O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
      O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
      O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
      O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
      O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
      O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
      O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
      O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
      O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
      O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
      O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
      O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - Startup: Wallpaper Changer.lnk = C:\Program Files\WallpaperToy\Wallpapertoy.Exe
      O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = ?
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\QBDAgent.exe
      O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
      O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
      O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
      O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
      O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
      O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
      O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
      O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
      O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra button: CuteShield Internet Eraser - {4A0EF50C-6A4A-4b30-84D8-53D5BC95C043} - C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe (HKCU)
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O15 - Trusted Zone: http://*.windowsupdate.com
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
      O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
      O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093326371391
      O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
      O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
      O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
      O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
      O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
      O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3) - http://ccon.madonion.com/global/msc3.cab
      O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://playweb04.pogo.com/game/deluxe/zuma/popcaploader_v6.cab
      O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livesc02.custhelp.com/6030-b463h-iomega/rnl/java/RntX.cab
      O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_0_2_7.cab
      O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
      O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
      O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
      O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
      O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
      O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
      O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
      O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
      O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
      O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
      O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
      O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
      O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
      O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
      O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
      O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
      O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    • edited June 2005
      I have a process running called gtxfve.exe. I can't find it in any database and when I google it, the only hit is this thread, presumably from a previous log. Any ideas?

      Roy
    • edited June 2005
      There is another process called LUCOMS~1.exe, not lvcoms. Hmmmmm

      Roy

      Never mind, this is LiveUpdate from Symantec.
    • Buckeye_Sam Columbus, Ohio
      edited June 2005
      Submit C:\WINDOWS\system\gtxfve.exe to this site and let me know what it returns.

      http://virusscan.jotti.org/
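      Sam picked gtxfve.exe out of the log by hand: an executable with no vendor, sitting in C:\WINDOWS\system rather than system32. The script below, added here as an example and not a tool from this thread or from HijackThis itself, automates that first pass over HijackThis-style lines (O4 Run entries, O23 services and bare process paths) and produces a list of candidates to submit to a multi-engine scanner, together with a SHA-256 helper for recording what was submitted. The sample lines are copied from the log above; the three heuristics (binary in the Windows root or the legacy `C:\WINDOWS\system` folder, a Run value named after its own path, a service with no publisher string) are my own assumptions about what merits a second look, not rules from HijackThis.

```python
"""Triage of HijackThis-style log lines: pick out autostart entries, services and
running processes worth submitting to a multi-engine scanner.

Added example; not code from this thread or from HijackThis. The heuristics
are assumptions for illustration, not a verdict on any file."""
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\gtxfve.exe
C:\WINDOWS\system32\ctfmon.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<service>.*?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$')
PROCESS_RE = re.compile(r'^[A-Za-z]:\\.*\.exe$', re.IGNORECASE)
# First quoted or unquoted path ending in .exe; trailing arguments are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.*?\.exe)"?', re.IGNORECASE)

# Assumption: user-mode binaries normally live in system32 or Program Files, so
# anything in the Windows root or the legacy 16-bit "system" folder is unusual.
SUSPECT_DIRS = {"c:\\windows", "c:\\windows\\system"}
KNOWN_ROOT_BINARIES = {"explorer.exe"}  # legitimately runs from C:\WINDOWS


@dataclass
class Finding:
    exe: str
    where: str                 # "O4", "O23" or "process"
    reasons: list = field(default_factory=list)


def _exe_from_command(cmd):
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def _location_reasons(exe):
    p = PureWindowsPath(exe)
    if str(p.parent).lower() in SUSPECT_DIRS and p.name.lower() not in KNOWN_ROOT_BINARIES:
        return [f"executable lives in {p.parent}, not system32 or Program Files"]
    return []


def triage(log_text):
    """Return one Finding per distinct executable that trips at least one heuristic."""
    findings = {}

    def note(exe, where, reasons):
        if not reasons:
            return
        f = findings.setdefault(exe.lower(), Finding(exe=exe, where=where))
        for r in reasons:
            if r not in f.reasons:
                f.reasons.append(r)

    for line in log_text.splitlines():
        line = line.strip()
        if (m := RUN_RE.match(line)):
            exe = _exe_from_command(m.group("cmd"))
            if exe is None:
                continue
            reasons = _location_reasons(exe)
            if m.group("name").strip().lower() == exe.lower():
                reasons.append("Run value is named after its own path")
            note(exe, "O4", reasons)
        elif (m := SERVICE_RE.match(line)):
            exe = _exe_from_command(m.group("path"))
            if exe is None:
                continue
            reasons = _location_reasons(exe)
            if m.group("owner").strip().lower() == "unknown owner":
                reasons.append("service binary carries no publisher name")
            note(exe, "O23", reasons)
        elif PROCESS_RE.match(line):
            note(line, "process", _location_reasons(line))
    return list(findings.values())


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 16):
    """Hash a file in chunks; record this before uploading the sample anywhere."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.where:8} {f.exe}")
        for r in f.reasons:
            print(f"         - {r}")
```

      Run against the sample it lists gtxfve.exe, VCMnet11.exe (two reasons: the Windows-root location and the self-named Run value), the service with no publisher, and UpdReg.EXE. That last one shows the limit of the approach: vendor helpers that install into the Windows root trip the location rule too, so the output is a list of files to submit and look up, not a list of infections.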
    • edited June 2005
      Jackpot!

      If the screenshot is hard to read, it says:
      INFECTED/MALWARE,
      Heuristic/Trojan.Downloader (probable variant),
      Win32:Adan-068,
      Trojan.Click.523,
      W32/Registrator.B-tr,
      Trojan-Downloader.Win32.Small.ayh.

      So, how do we nuke it?

      Roy
    • edited June 2005
      Hi:

      I joined this forum just to post in this thread.

      Just like Roy, the other day I sadly clicked on an ActiveX link from what I thought was a trusted website. I had been to that website many times before, so I didn't think twice about clicking it. Ever since, I have encountered all of the problems Roy has discussed. I have several anti-spyware, anti-adware and anti-virus programs - all do nothing! Norton will tell me that I have the VCMnet11.exe virus, but it won't delete it. I've tried all the other programs recommended here and even a few other ones to remove the adware, spyware and virus. Nothing works. This virus is either embedded deep or it fools all these other programs into thinking it's gone, but it's not.

      So nothing you've suggested, Sam, works - I can vouch for Roy. This must be a new virus associated with ActiveX. I'm at the point where I feel like just reformatting my hard drive - it's better than having 1000 pop-ups appear. That's another thing - none of my anti-popup software does anything either. This virus fools everything!