Massive Spyware Infection
Good evening all,
Yesterday my computer was running fine without any signs of spyware installed. However, today when I booted up I got prompted with a million spyware infestations (alright, the million is an exaggeration). What's funny is it seems most of the spyware infections are from companies wanting to sell me spyware removal programs. The most prominent one was Spyfalcon.
Not finding this forum earlier in the day, I uninstalled it using the normal Add/Remove method and went on my way. Except the popups and everything switched from Spyfalcon to SpyGuard.
I have run Windows Defender, which says the system is clean. I have run Spy Bot and Ad-Aware, which cleaned everything, and restarted the system, but the spyware came back after about 20 minutes. And Spy Bot and Ad-Aware are saying the system is clean. I have also tried running Ewido, which found another 100 infections and cleaned them, and now all 4 programs say the computer is clean and running fine.
However, I have noticed the following problems.
- Random "System messages" saying my computer is infected and to buy <insert random spyware program here>
- IE will automatically start every 5-10 minutes and send me to either a spyware removal site (i.e. Spyguard) or give me ads for casinos or adult phone lines (even if IE is never started)
- IE's homepage is always set to a fake Windows site saying that the computer is infected and to download a random spyware removal program
- Text balloons in the tray of the start menu stating my computer is infected and to download a random spyware program.
I am at a complete loss as to what to do next besides format or get a new hard drive.
This is my current HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:11:41 PM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\system32\RunDLL32.exe
F:\Applications\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
F:\Applications\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\AOL\1142538616\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\CROSOF~1.NET\javaw.exe
F:\Applications\Trillian\trillian.exe
F:\Games\FFXI\SquareEnix\PlayOnlineViewer\pol.exe
F:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5C39.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] F:\Applications\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] F:\Applications\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [VG Signature] F:\Games\VANAGU~1\SIGNAT~1\VGSIGN~1.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142538616\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IDMan] F:\Applications\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Uahh] "C:\PROGRA~1\CROSOF~1.NET\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rar] C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Applications\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Links with IDM - F:\Applications\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download using FlashGet - C:\Applications\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - F:\Applications\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\APPLIC~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\flashget.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
I have also run a scan at pandasoftware.com, which states 4 viruses, 19 spyware and 4 hacking tools were detected, as well as 3 suspicious files.
However, it says that the 4 viruses have been disinfected. I am only using the free scan.
Anyway, this is what Pandasoftware said:
Incident Status Location
Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\Cache\3EFBEAA3d01[smitRem/Process.exe]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[www.spyfalcon.com/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[www.advnt01.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.atwola.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.seeq.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[fe.lea.lycos.fr/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[searchportal.information.com/]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[Beyond.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2bc750ff.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elizabeth\Cookies\george@stats1.reliablestats[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Elizabeth\Cookies\george@z1.adserver[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elizabeth\Desktop\click.php[smitRem/Process.exe]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Elizabeth\Favorites\Antivirus Test Online.url
Possible Virus. Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temp\win57.tmp.exe
Possible Virus. Not disinfected C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
Possible Virus. Not disinfected C:\Program Files\??crosoft.NET\javaw.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\WINDOWS\Temp\sa484.exe[SpyFalcon.exe]
Adware:Adware/Alexa-Toolbar Not disinfected F:\Setup_RC1.exe
Attached to this post is the .txt file from the Pandasoftware ActiveScan (posted above, but it didn't turn out too well).
So can anyone help or offer advice on how to clean this so I don't get told to go buy Spyguard for the thousandth time in 10 minutes?
Thank you to anyone who can help
Elizabeth
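A small triage script for logs like the one in this post, added here as an example and not part of the original post or of HijackThis itself: it parses the log's line format and flags the entries a helper would look at first (core system binary names running outside the system directory, a "?" in a folder name, loaders pointing at .tmp files, and Winlogon Notify handlers). The `Finding` class, the reason strings and the heuristics are this example's own; the sample input is a handful of lines copied from the log above.

```python
import re
from dataclasses import dataclass

# Windows core binaries that legitimately run only from the system directory.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# A drive-letter path ending in .exe/.dll/.tmp; spaces are allowed because
# HijackThis prints unquoted paths such as C:\Program Files\...
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|tmp)\b", re.IGNORECASE)
# Section code that opens every HijackThis entry line (R0, O2, O4, O20, ...).
SECTION_RE = re.compile(r"^([RFNO]\d+)\s+-\s")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, or PROC for the process list
    path: str
    reason: str


def _path_findings(section, path):
    """Heuristics applied to one file path taken from a log line."""
    folder, _, name = path.rpartition("\\")
    folder, name = folder.lower(), name.lower()
    reasons = []
    if name in SYSTEM_BINARIES and not folder.startswith(SYSTEM_DIRS):
        reasons.append("core system binary name outside the system directory")
    if "?" in path:
        # HijackThis prints characters it cannot encode as '?', so a '?'
        # inside a folder name usually means a non-ASCII look-alike name.
        reasons.append("unprintable character in path (look-alike folder name)")
    if name.endswith(".tmp"):
        reasons.append("loadable object stored as a .tmp file")
    return [Finding(section, path, r) for r in reasons]


def triage(log_text):
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
        elif re.match(r"^[A-Za-z]:\\", line):
            section = "PROC"          # a line of the "Running processes" list
        else:
            continue                  # headers such as "Logfile of HijackThis"
        if section == "O20":
            # Winlogon Notify handlers are loaded by winlogon.exe and are a
            # rare place for legitimate software, so every entry gets reviewed.
            target = line.split(" - ")[-1]
            reason = "Winlogon Notify handler"
            if "(file missing)" in line:
                reason += " whose DLL is missing"
            findings.append(Finding(section, target, reason))
            continue
        for pm in PATH_RE.finditer(line):
            findings.extend(_path_findings(section, pm.group(0)))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5C39.tmp
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKCU\..\Run: [Rar] C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5} {f.reason}: {f.path}")
```

The legitimate lsass.exe, the vendor Run entries and the O23 services produce no findings; the second lsass.exe, the .tmp BHO and the orphaned Winlogon Notify entry are the ones reported.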
Yesterday my computer was running fine without any signs of spyware installed. However today when I booted up I got prompted with a million spyware infestations (alright the million is an exageration) What's funny is it seems most of the spyware infections are from companies wanting to sell me Spyware removal programs. The most prominent one was Spyfalcon.
Not finding this forum earlier in the day i uninstalled it using the normal add/remove method and went on my way. Except the popups and everything switched from Spyfalcon to SpyGuard.
I have ran Windows Defender which says the system is clean. I have ran Spy Bot, Ad-Aware which cleaned everything and restarted the system but the spyware came back after about 20 minutes. And Spy Bot and Ad-Aware are saying the system is clean. I have also tried running Ewido which found another 100 infections cleaned them and now all 4 programs say the computer is clean and running fine.
However I have noticed the following problems.
-Random "System messages" saying my computer is infected and to buy <insert random spyware program here>
- IE will automatically start every 5-10 minutes and send me to either a spyware removal site (i.e. Spyguard) or give me ad's for casino's or adult phone lines (even if IE is never started)
- IE's homepage is always set to a fake Windows site saying that computer is infected and to download a random spyware removal program
- Text balloons in the tray of the start menu stating my computer is infected and to download a random spyware program.
I am at a complete loss of what to do next besides format or get a new harddrive.
This is my current Hi-Jack This log
Logfile of HijackThis v1.99.1
Scan saved at 7:11:41 PM, on 4/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\system32\RunDLL32.exe
F:\Applications\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
F:\Applications\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\AOL\1142538616\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\CROSOF~1.NET\javaw.exe
F:\Applications\Trillian\trillian.exe
F:\Games\FFXI\SquareEnix\PlayOnlineViewer\pol.exe
F:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5C39.tmp
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] F:\Applications\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] F:\Applications\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [VG Signature] F:\Games\VANAGU~1\SIGNAT~1\VGSIGN~1.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142538616\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IDMan] F:\Applications\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Uahh] "C:\PROGRA~1\CROSOF~1.NET\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rar] C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Applications\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Links with IDM - F:\Applications\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download using FlashGet - C:\Applications\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - F:\Applications\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\APPLIC~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\flashget.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
I have also ran a scan at pandasoftware.com. Which states 4 virus' 19 spyware and 4 hacking tools was detected, as well as 3 suspicious files.
However it says that the 4 virus' have bee disinfected. I am only using the free scan
Anyways what Pandasoftware said
Incident Status Location
Adware:adware/emediacodec Not disinfected C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\Cache\3EFBEAA3d01[smitRem/Process.exe]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.advertising.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Spyfalcon Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[www.spyfalcon.com/]
Spyware:Cookie/Advnt Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[www.advnt01.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.atwola.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.errorsafe.com/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[.seeq.com/]
Spyware:Cookie/fe.lea.lycos Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[fe.lea.lycos.fr/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt[searchportal.information.com/]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-7d443d2d-6ae8d57a.zip[Beyond.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Elizabeth\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-2bc750ff.zip[javainstaller/InstallerApplet.class]
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Elizabeth\Cookies\george@stats1.reliablestats[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Elizabeth\Cookies\george@z1.adserver[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Elizabeth\Desktop\click.php[smitRem/Process.exe]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Elizabeth\Favorites\Antivirus Test Online.url
Possible Virus. Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Elizabeth\Local Settings\Temp\win57.tmp.exe
Possible Virus. Not disinfected C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
Possible Virus. Not disinfected C:\Program Files\??crosoft.NET\javaw.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/SpyFalcon Not disinfected C:\WINDOWS\Temp\sa484.exe[SpyFalcon.exe]
Adware:Adware/Alexa-Toolbar Not disinfected F:\Setup_RC1.exe
Attached to this post is the .txt file from the Pandasoftware ActiveScan. (posted above but didn't turn out too well)
So can anyone help or offer advice on how to clean this so I don't get told to go buy Spyguard for the thousandth time in 10 minutes?
Thank you to anyone who can help
Elizabeth
Comments
Run the PurityScan uninstaller.
Download smitRem.zip and save the file to your desktop.
It can also be downloaded from here: http://www.downloads.subratam.org/smitRem.exe
Right click on the file and extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Next, please reboot your computer in SafeMode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5C39.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
===================================================
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
Open Ad-aware and do a full scan. Remove all it finds.
Run Ewido:
- Click on scanner
- Click Complete System Scan and the scan will begin.
- During the scan it will prompt you to clean files, click OK
- When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
- When the scan is finished, click the Save report button at the bottom of the screen.
- Save the report to your desktop
Close Ewido. Next, go to Control Panel, click Display > Desktop > Customize Desktop > Website and uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
I have followed the directions indicated except for the HijackThis directions.
When I booted into Safe Mode these 2 entries were missing:
R3 - Default URLSearchHook is missing
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5C39.tmp
All other directions were followed though.
Hijackthis Log
Logfile of HijackThis v1.99.1
Scan saved at 3:05:04 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RunDLL32.exe
F:\Applications\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
F:\Applications\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\AOL\1142538616\ee\AOLSoftware.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe
C:\PROGRA~1\CROSOF~1.NET\javaw.exe
C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
F:\Applications\Trillian\trillian.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Games\FFXI\SquareEnix\PlayOnlineViewer\pol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BitComet\BitComet.exe
F:\Applications\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\Elizabeth\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Elizabeth\LOCALS~1\Temp\Adobelm_Cleanup.0001
F:\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.ca/
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpD63B.tmp (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] F:\Applications\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] F:\Applications\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [VG Signature] F:\Games\VANAGU~1\SIGNAT~1\VGSIGN~1.EXE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142538616\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [Panda_cleaner_273674] C:\WINDOWS\system32\ActiveScan\pavdr.exe xPanda ActiveScan 273674
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [IDMan] F:\Applications\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.9\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [Rar] C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Applications\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download All Links with IDM - F:\Applications\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download using FlashGet - C:\Applications\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with IDM - F:\Applications\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\APPLIC~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\APPLIC~1\FlashGet\flashget.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Smitfiles Log
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 05/03/2006
The current time is: 13:30:54.04
Running from
C:\Documents and Settings\Elizabeth\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1236 'explorer.exe'
Killing PID 1236 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
ewido anti-malware - Scan report
+ Created on: 2:12:36 PM, 5/3/2006
+ Report-Checksum: D6B2024D
+ Scan result:
:mozilla.10:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.147:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.194:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.195:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.198:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.236:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.237:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.253:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.254:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.255:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.256:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.257:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup
:mozilla.260:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.261:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.291:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.292:C:\Documents and Settings\Elizabeth\Application Data\Mozilla\Firefox\Profiles\8p1fa8jw.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
::Report End
Activescan.txt is attached to this post, as the contents once again get screwed up when copied and pasted.
C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET
C:\Program Files\??crosoft.NET
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\regperf.exe
C:\WINDOWS\system32\simpole.tlb
F:\Setup_RC1.exe
====
Did you run the PurityScan uninstaller as per my last post? If not, please do so.
==
Can you please do the following.
===============
Scan with HijackThis, then check (tick) the following, if present:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpD63B.tmp (file missing)
O4 - HKCU\..\Run: [Rar] C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
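The four entries picked out above (an O2 BHO pointing at a .tmp file that no longer exists, an O4 Run entry launching lsass.exe from a look-alike "?icrosoft.NET" folder under My Documents, a startup shortcut whose target resolves to "?", and an O20 Winlogon Notify DLL that is missing) are the classic signs of this family of rogue anti-spyware. The script below is an added example, not the thread's own tool and not part of HijackThis, smitRem or Ewido: it applies those same checks to HJT log lines so the candidates stand out before anyone reads the log by hand. It assumes the standard HJT line shape "Oxx - description - path"; the short list of core system binary names is a constructed assumption, not an exhaustive one, and the sample lines are copied from the log posted in this thread. It produces review candidates only; the "file missing" check is deliberately limited to the load points the helper actually fixed (O2, O3, O4, O20), since the missing Yahoo! and MSN entries in the same log were left alone.

```python
import re

# One HJT line: a section tag such as R0/O4/O20, " - ", then the rest.
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path in the line, up to the first executable-looking extension.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|tmp)", re.IGNORECASE)
# Load points the helper in the thread fixed by hand; "file missing" only counts there.
LOAD_POINTS = {"O2", "O3", "O4", "O20"}
# Core Windows binaries that belong under %SystemRoot%\system32 (constructed short list, an assumption).
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "smss.exe", "winlogon.exe", "services.exe", "csrss.exe"}
IN_SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")


def triage_line(line):
    """Return the reasons a single HJT line deserves a closer look (empty list if none)."""
    reasons = []
    m = HJT_LINE.match(line.strip())
    if not m:
        return reasons
    section, body = m.group("section"), m.group("body")
    pm = WIN_PATH.search(body)
    path = pm.group(0) if pm else ""
    name = path.rsplit("\\", 1)[-1].lower()

    if section in LOAD_POINTS and "(file missing)" in body:
        reasons.append("load point references a file that no longer exists")
    if section in LOAD_POINTS and re.search(r"=\s*\?$", body):
        reasons.append("startup shortcut whose target could not be resolved")
    # '?' is reserved in Windows file names, so a pasted path can only contain it as a
    # stand-in for a character the forum could not display; non-ASCII is legal but worth a look.
    if path and any(c == "?" or ord(c) > 127 for c in path):
        reasons.append("look-alike path: '?' or non-ASCII character in a folder or file name")
    if section in LOAD_POINTS and name.endswith(".tmp"):
        reasons.append("load point points at a .tmp file")
    if name in SYSTEM_BINARIES and not IN_SYSTEM32.match(path.lower()):
        reasons.append("core system binary name running from outside system32")
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every line of an HJT log that triggers at least one check."""
    hits = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits.append((line, reasons))
    return hits


# Sample lines copied from the HijackThis log posted in this thread (benign ones included
# to show they pass): constructed input for the example, not a live scan.
SAMPLE_LINES = [
    r'R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.google.ca/',
    r'O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpD63B.tmp (file missing)',
    r'O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide',
    r'O4 - HKCU\..\Run: [Rar] C:\Documents and Settings\Elizabeth\My Documents\?icrosoft.NET\lsass.exe',
    r'O4 - Global Startup: APC UPS Status.lnk = ?',
    r'O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)',
    r'O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)',
    r'O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe',
]

if __name__ == "__main__":
    for line, reasons in triage_log("\n".join(SAMPLE_LINES)):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample, it reports exactly the four entries the helper asked to have fixed and leaves the Start Page, Windows Defender, Yahoo! button and NVIDIA service lines alone. The URL on the R0 line contains a '?' too, which is why the look-alike check only runs on an extracted drive-letter path and not on the whole line.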