Spyware and bad advice

Unknown

Looks like I've picked up some sort of spyware on my computer. On top of that, I tried following some suggestions from a different site, but all that did was further slow down my computer. Here are my symptoms:

When I load up, my desktop flashes black after initially showing my wallpaper for a brief second, then it comes back but is very grainy and my desktop shortcuts are outlined in black. Also, my homepage was initially reset to some random site, but I somehow corrected that. Now, I'm getting tons of pop-ups and really slow performance. Also, the other site I first tried to clean things up advised me to download CC Cleaner, CounterSpy - not sure if they're trustworthy tools or not.

Guys - I would really appreciate any help you can offer!

This is my HJT thread after running Ad-Aware and Spybot:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\CounterSpy\sunserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Mandy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Thank you for all your help!

Trogan

Hi jsblocker12!

Can you run this online scan please:

Panda ActiveScan

- Once you are on the Panda site, click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log. Your missing the top bit from your HJT log; make sure you include it in your next post.

jsblocker12

Here are my results from the panda scan and HJT. Looks like the Panda scan found several items.

Thanks for the help!

Panda Scan-
Incident Status Location

Adware:Adware/BlueScreenWarning Not disinfected C:\bsw.exe
Adware:Adware/DollarRevenue Not disinfected C:\dfndra.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@2o7[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@atwola[1].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@banners.searchingbooth[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@burstnet[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@cassava[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@ct.360i[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@dist.belnk[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@questionmarket[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@stats1.reliablestats[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@www.myaffiliateprogram[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Mandy\Cookies\mandy@zedo[1].txt
Virus:Trj/Downloader.AEU Disinfected C:\ied_s7.cab
Virus:Trj/Mitglieder.CP Disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\Belt.ini
Potentially unwanted tool:application/winfixer2005 Not disinfected C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\biC.inf
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\istinstall_si.exe
Adware:adware/sidesearch Not disinfected C:\WINDOWS\sepsd.bin
Hacktool:Rootkit/FU.A Not disinfected C:\WINDOWS\setupod.exe
Virus:Trj/VB.MC Disinfected C:\WINDOWS\SYSC00.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TWFuZHk\nqIRtJ4.vbs
HJT log-
Logfile of HijackThis v1.97.7
Scan saved at 4:13:11 PM, on 7/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CounterSpy\sunserver.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mandy\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Trogan

Thanks for the logs. Before we begin to clean things up, you need to download the latest version of HijackThis. Your current version is very, very old.

Click here to download HJTsetup.exe
Save HJTsetup.exe to your desktop.

• Double click on the HJTsetup.exe icon on your desktop.
• By default it will install to C:\Program Files\Hijack This.
• Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
• Put a check by Create a desktop icon then click Next again.
• Continue to follow the rest of the prompts from there.
• At the final dialogue box click Finish and it will launch Hijack This.
• Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

jsblocker12

Trogan_1000 -
Here's the log from the new HJT version. Maybe this will show you something I need to get rid of.

Logfile of HijackThis v1.99.1
Scan saved at 9:14:20 PM, on 7/5/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CounterSpy\sunserver.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CounterSpy\SunProtectionServer.exe
C:\Program Files\CounterSpy\sunThreatEngine.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\CounterSpy\sunserver.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)


Thanks

Trogan

Thanks for the new log!

Go to Start > Control Panel > Internet Options.
Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK

Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked and then press "OK" to remove:

• Temporary Files
• Temporary Internet Files
• Recycle Bin

=====

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

• Install Ewido by double clicking the installer.
• Follow the prompts. Make sure that Launch Ewido is checked.
• On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update succesfull message.
• Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.


Click My Computer, then C:\
In the menu bar, go to File -> New -> Folder.
That will create a folder named New Folder, which you can rename to "BFU"

Please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)

Next, RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Do not run the Uninstaller and the Remover yet.


Please reboot into Safe Mode:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode: Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.

• Click on Scanner
• Click on the Settings tab.
  • Under How to act?
    Click on Recommended Action and choose Quarantine from the popup menu.
  • Under How to scan?
    All checkboxes should be ticked.
  • Under Possibly unwanted software:
    All checkboxes should be ticked.
  • Under Reports:
    Select Automatically generate report after every scan and uncheck Only if threats were found.
  • Under What to scan?
    Select Scan every file.
• Click on the Scan tab.
• Click on Complete System Scan to start the scan process.
• Let the program scan the machine.
• When the scan has finished:
  • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
  • At the bottom of the window click on the Apply all Actions button. (3)
    
• When done, click the Save Scan Report button.
  • Click the Save Report as button.
  • Save the report to your Desktop.
• Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the script line to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.


Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

=====

Please do the following too:

Please print out this instructions as you should have all open windows and programs closed when running the scan.

Step 1.
==========
- Please download F-Secure's trial Blacklight from here
- Print out the help page for guidance. It will be found here
- Click the "I Accept" button at the the license agreement
- Click the "Download" button to start the download
- Save it to your Desktop

Step 2.
==========
- Double-click the blbeta.exe file on your Desktop
- Select the "I Accept the agreement" at the license agreement, then click "Next"
- Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
- Click "Scan
- When the animated graphics, in the bottom right-hand corner, disappears, click "Next"
- A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (ie: fsbl-20051017165931.log)
- Paste the contents of that log back here.

jsblocker12

Hopefully someone is still willing to help me. I was in the process of cleaning up my computer when classes ended and I took off for the summer. Looks like things are still the same or worse than before. I've got serious spyware issues and some fake black wallpaper claiming that "Windows Security Center has detected spyware .....".

I am very determined to get this thing cleaned up, so please help me out. One question first, before we start going through the iterations of removing stuff, should I get Macafee or some security software first? That's one of my biggest problems is my machine is not protected.

Thanks!

Here is my HJT log after adaware and spybot scans.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:41 PM, on 9/3/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\DOBE~1\wuauclt.exe
C:\Documents and Settings\Mandy\Local Settings\Application Data\0b264bb2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\stonedrv.exe
C:\DOCUME~1\Mandy\LOCALS~1\Temp\22.tmp5120.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\$NtUninstallKB1722762$\kavss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {9E39B7AD-721F-50BF-14FD-72E2997F27E1} - C:\WINDOWS\System32\zjqzdu.dll (file missing)
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\DOBE~1\wuauclt.exe" -vt mt
O4 - HKCU\..\Run: [Vsun] C:\Documents and Settings\Mandy\Application Data\??crosoft.NET\w?wexec.exe
O4 - HKCU\..\Run: [0b264bb2.exe] C:\Documents and Settings\Mandy\Local Settings\Application Data\0b264bb2.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Winsvr] C:\DOCUME~1\Mandy\LOCALS~1\Temp\22.tmp5120.exe
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Mandy\LOCALS~1\Temp\22.tmp3072.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: GGsjpRJLGSd - {F4C2C391-5E68-693B-3D41-8EF2C3F7649A} - C:\WINDOWS\System32\quqqpm.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Trogan

Hi jsblocker12! Lets get the computer cleaned up...

First, you need to get an Anti-Virus and Firewall. Choose one of each from the list below - They are Free!

Firewall
Zone Alarm << I recommend this
Sunbelt Kerio PF
Outpost Firewall

AV
AVG Free Edition << I recommend this
AntiVir
avast! 4 Home Edition

Once you have choosen your Anti-Virus, update it and run a Full System Scan. Make a note of any files that could not be cleaned.

=====

I would like to see another log from HijackThis.

• Run Hijackthis.
• Click on Open the Misc Tools section.
• Next click on Open uninstall manager.
• Press the Save list button. It will open a Notepad file.
• Copy & Paste the entire contents of that file in your in your next post.

=====

Please post the following:

1) Info of any files that could not be cleaned by your Anti-Virus
2) Uninstall list
3) New HijackThis log - Important! Please rename HijackThis.exe to HJT.exe and then get a new log

jsblocker12

Thanks Trogan_1000. Here's the lists you requested.

Here are the details from the AV scan that came back as Infected. This was as clean as I could get the list to paste.

C:\lo-1666613318.exe Virus found Downloader.Tibs Infected
C:\t.inx Virus found Downloader.Tibs Infected
C:\Documents and Settings\Mandy\Local Settings\Application Data\0b264bb2.exe Virus found Downloader.Obfuskated Infected
C:\Documents and Settings\Mandy\Local Settings\Temp\h91746.exe Virus found Downloader.Obfuskated Infected
C:\RECYCLER\S-1-5-21-905303659-4088190255-1326474317-1006\Dc11.exe Virus found Downloader.Tibs Infected
C:\RECYCLER\S-1-5-21-905303659-4088190255-1326474317-1006\Dc12.exe Virus found Downloader.Tibs Infected
C:\RECYCLER\S-1-5-21-905303659-4088190255-1326474317-1006\Dc13.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP180\A0187220.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187258.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187267.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187276.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187285.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187300.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187310.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0187319.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0188318.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0188326.exe Virus found Downloader.Obfuskated Infected
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP183\A0188334.exe Virus found Downloader.Obfuskated Infected
C:\WINDOWS\SYSTEM32\0b264bb2.exe Virus found Downloader.Obfuskated Infected

Here is the uninstall list....

AccessDirect
Actiontec MD56ORD V92 MDC Modem
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
AVG Free Edition
Becker Conviser CPA Review Course on CD-ROM
Becker Conviser PassMaster
CCleaner (remove only)
Comcast High-Speed Internet Install Wizard
Compact Wireless-G USB Adapter
Dell | Support
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Digital Line Detect
Easy CD Creator 5 Basic
ewido anti-spyware 4.0
Google Earth
Hijackthis 1.99.1
HijackThis 1.99.1
iTunes
Kodak EasyShare software
Macromedia Flash Player 8
MaxSpeed
Microsoft Interactive Training
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Modem Helper
MUSICMATCH Jukebox
NVIDIA Windows 2000/XP Display Drivers
OfotoNow
PA090
Paint Shop Pro 7
Panda ActiveScan
QuickTime
RealPlayer
Rhapsody
Spybot - Search & Destroy 1.3
Sunbelt CounterSpy
Synaptics TouchPad
WebSearch Tools
Windows Media Format Runtime
ZoneAlarm

And finally, here is the new HJT list....

Logfile of HijackThis v1.99.1
Scan saved at 1:19:17 PM, on 9/4/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\DOBE~1\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {9E39B7AD-721F-50BF-14FD-72E2997F27E1} - C:\WINDOWS\System32\zjqzdu.dll (file missing)
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\DOBE~1\wuauclt.exe" -vt mt
O4 - HKCU\..\Run: [Vsun] C:\Documents and Settings\Mandy\Application Data\??crosoft.NET\w?wexec.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: GGsjpRJLGSd - {F4C2C391-5E68-693B-3D41-8EF2C3F7649A} - C:\WINDOWS\System32\quqqpm.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Thanks again.

Trogan

jsblocker12, I just realised that you have NO service packs for XP.

The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

I hope you have a legit copy of Windows, otherwise I will not be able to help you.

jsblocker12

I clicked on the link to the windows site and downloaded several different updates to XP. I even went as far as to download Service Pack 2 - hope that's ok. Here is the new HJT log after downloading the windows updates.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:50 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\DOBE~1\wuauclt.exe
C:\Documents and Settings\Mandy\Application Data\??crosoft.NET\w?wexec.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {9E39B7AD-721F-50BF-14FD-72E2997F27E1} - C:\WINDOWS\System32\zjqzdu.dll (file missing)
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\DOBE~1\wuauclt.exe" -vt mt
O4 - HKCU\..\Run: [Vsun] C:\Documents and Settings\Mandy\Application Data\??crosoft.NET\w?wexec.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157676664541
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157676647136
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: GGsjpRJLGSd - {F4C2C391-5E68-693B-3D41-8EF2C3F7649A} - C:\WINDOWS\System32\quqqpm.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Thanks!

Trogan

We only recommend downloading SP1 when there is NO service pack installed, as was the situation in your case, because Malware and SP2 do not mix. Installing SP2 on an infected machine can cause the computer even more problems, but if you don't have any problems then it should be fine.

Please do the following...

Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present:

Spybot - Search & Destroy 1.3 << old version. We'll get the lastest version later
WebSearch Tools

=====

Download and run the Purityscan Uninstaller

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan

=====

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

R3 - URLSearchHook: (no name) - {9E39B7AD-721F-50BF-14FD-72E2997F27E1} - C:\WINDOWS\System32\zjqzdu.dll (file missing)

O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [Aida] "C:\WINDOWS\DOBE~1\wuauclt.exe" -vt mt
O4 - HKCU\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe

O15 - Trusted Zone: *.sxload.com

O21 - SSODL: GGsjpRJLGSd - {F4C2C391-5E68-693B-3D41-8EF2C3F7649A} - C:\WINDOWS\System32\quqqpm.dll (file missing)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)

- Close ALL open windows (especially Internet Explorer!)
- Click Fix Checked
Close HiajckThis

=====

You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

Once in Safe Mode:

We need to view hidden files and folders:

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

=====

Find and Delete the following, if found:

C:\WINDOWS\System32\zjqzdu.dll << this file
C:\WINDOWS\system32\stonedrv.exe << this file
C:\WINDOWS\System32\quqqpm.dll << this file
C:\WINDOWS\SYSTEM32\0b264bb2.exe << this file

C:\WINDOWS\DOBE~1\wuauclt.exe << this file

C:\lo-1666613318.exe << this file
C:\t.inx << this file

C:\Documents and Settings\Mandy\Local Settings\Application Data\0b264bb2.exe << this file

=====

Reboot back into Normal Mode, and post a new HijackThis log.

jsblocker12

I deleted the outdated version of spybot and got rid of purityscan and websearch tools. I also deleted the items you mentioned from HJT. However, when I went into safe mode to delete the other items, I was only able to find a few of them. Perhaps the items I deleted in HJT took care of them? Anyway, here is the new post from HJT.

Logfile of HijackThis v1.99.1
Scan saved at 7:17:00 PM, on 9/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157676664541
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157676647136
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - Unknown owner - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe" "WUSB54GC.exe (file missing)

Also, I noticed that I can uninstall Service Pack 2 if you think it's worth it. Then I could go back and re-install SP 1a. Whatever you think is best....

Trogan

Now that you have SP2, no need to uninstall it. Your HijackThis log is clean too.

You can delete the Purityscan Uninstaller as it is not needed anymore.

With that said, here are some measures you can take to stay more secure online:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera.

Use a firewall to help prevent your PC(s) from being usurped by undesireables. If you don't have a Firewall, then choose one from the list here

Install an Anti-Virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often. If you don't have an Anti-Virus program, choose one from the list here

Install and keep updated, Ad-Aware SE and Spybot Search & Destroy.
Run them both on a regular basis, following the manufacturer's recommendations.

Install and keep updated, SpywareBlaster and SpywareGuard

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Go to Start > Control Panel > Internet Options.
Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK

Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked

• Temporary Files
• Temporary Internet Files
• Recycle Bin

and then press "OK" to remove:

Go to Start > Find/Search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents from within the following folders:
C:\Windows\temp
C:\temp <-- if you have one.
Note: Empty the contents but do not delete the folder(s).

Clear out temp files from the following location. Change "username" to whatever you have on your computer.
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin!

Hide system files
It is very important that system files and folders are hidden again, so that they DO NOT get deleted by mistake. To hide system files and folders, do the following for your operating system...

Windows XP
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading, uncheck Do not show hidden files and folders
* Check the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.


For XP users.
It's a good idea to Flush your System Restore points after ridding yourself of malware: You can clean this by doing the following:

• Click Start | Help and Support | Undo changes to your computer with System Restore.
• Click Create A Restore Point then click Next. Give it a name it and then click Create, then Close.
• Close the Help and Support Center box.
• Click Start | Run and type Cleanmgr
• Select (C: ) then click OK.
• Click the More Options tab.
• Click Clean Up in the System Restore Section.

This will remove all previous restore points except the newly created one.

===============

If you have any more problems, post back. Otherwise, respond once more so we may archive this thread.

jsblocker12

I got your message that things look good. I will take all the precautions you outlined and try to beef up my security. Thanks for the help!!!!

Trogan

Your welcome!

I'l keep this thread open for a week. If I don't hear back from you, I'l mark it resolved.

jsblocker12

Ok, hopefully this is one last question. I was trying to follow some of the advice from one of the links you provided and I need a little help with the last step.

I was working to update my "hosts" file and am stuck with the file in the .txt format. The instructions below were on the website to rename the file back so it could be used, but I can't get them to work. Any ideas?

First, make sure you save "hosts.txt" in your c:\windows directory c:\windows\system32\drivers\etc\ . Then, open your start menu and open the DOS prompt. Type in the following two bold lines followed by enter after each one:

cd windows\system32\drivers\etc

rename hosts.txt hosts

I tried this over and over again, but couldn't get it to work. If you don't know the answer, it's ok because I still have my previous host file to fall back on.

Thanks again!

Trogan

I don't what to do, sorry!