When I click on Google search result links, it redirects to other pages [resolved]

I've been trying to get rid of some suspected spyware/malware on my computer, but haven't been able to get rid of it. Here's my problem: When I search for something (usually with Google) and click to open one of the search results (either clicking directly or opening in a new window) the webpage sometimes redirects to some other page. When this happens, I click on it again and the page will redirect to a different page. Then the third time that I click on the link, the correct page opens. So, I have a workaround for my problem but I'd still like to get rid of it already.

I followed the instructions before posting. I got rid of my temporary files with the ATF Cleaner. I used Adaware, Spybot and CWSShredder. I am going to paste my logs from HijackThis and from PandaScan. Appreciate any help or ideas anyone has to fix my computer. Thanks!! -Glen

Logfile of HijackThis v1.99.1
Scan saved at 12:02:06 PM, on 10/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\acs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\acstp\icserv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\acstp\wake_up.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
C:\WINDOWS\System32\ZCfgSvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ACNU\ACNUpdater.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\program files\acnu\acnupdatersvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Sony Handheld\palm.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solarweb.solar.cat.com/default.shtml
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
O15 - Trusted Zone: *.accenture.com
O15 - Trusted Zone: *.accenture.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Log from Panda Active Scan

Incident   Status   Location
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@ehg-dig.hitbox[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@go[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@mediaplex[1].txt
Potentially unwanted tool:Application/Pskill.B Not disinfected C:\WINDOWS\source\Cabc\AXinstall.EXE[AXUNINSTALL.EXE][PSKILL.EXE]
Virus:trj/torpig.a Disinfected C:\WINDOWS\Temp\$_2341235.TMP

Comments

  • jmoney3457 (Maine)
    edited October 2006
    Hi Glen, please rename hijackthis.exe to scanner.exe, then rescan and post that new log (this is because some infections will hide entries if hijackthis.exe is detected).
  • edited October 2006
    Ok I renamed the filename to scanner.exe and saved the new log. Here it is:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:34:24 PM, on 10/15/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\acs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\ZCfgSvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ACNU\ACNUpdater.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    c:\program files\acnu\acnupdatersvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solarweb.solar.cat.com/default.shtml
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://portal.accenture.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
    O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
    O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • jmoney3457 (Maine)
    edited October 2006
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts.
    You will be asked to reboot your computer; please do so.
    Your system may take longer than usual to load; this is normal.
    Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.
  • edited October 2006
    Ok, I ran the Fixwareout program and will post the report.txt and then the HijackThis log. Thanks again for your help:


    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5E70ECF9A8AB-676B-AC24-6CFD-EFC97FC1{
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rohmd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmhor.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINDOWS\SYSTEM32\CSUKN.EXE 51,759 2006-09-29
    C:\WINDOWS\SYSTEM32\DMHOR.EXE 61,001 2002-08-28

    Other suspects.
    Directory of C:\WINDOWS\system32
    {A17E9280-FA21-47CD-B5FC-6D435251F890}.exe

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

    Hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 3:34:15 PM, on 10/16/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\acs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\ZCfgSvc.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ACNU\ACNUpdater.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    c:\program files\acnu\acnupdatersvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\Scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
    O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
    O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • jmoney3457 Maine
    edited October 2006
    No problem, that took care of WareOut. Let's continue. Please download AVG Anti-Spyware. Save the install file to your desktop.
    • Install AVG by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG is checked.
    • On the main screen, under Your Computer's security:
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
        Note: If the Update now option is grayed out, follow the steps below.
        • Click on Update on the toolbar.
        • Under Manual update, click on the Start Update button.
        • Wait until you see the Update successful message.
    • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG.
    AVG manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG is closed before installing the update.

    ______________________________

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Log in to your usual account.
      ______________________________
      Close ALL open Windows / Programs / Folders. Please start AVG and run a full scan.
      • Click on Scanner on the toolbar.
      • Click on the Settings tab.
        • Under How to act?
          • Click on Recommended Action and choose Quarantine from the popup menu.
        • Under How to scan?
          • All checkboxes should be ticked.
        • Under Possibly unwanted software:
          • All checkboxes should be ticked.
        • Under Reports:
          • Select Automatically generate report after every scan and uncheck Only if threats were found.
        • Under What to scan?
          • Select Scan every file.
      • Click on the Scan tab.
      • Click on Complete System Scan to start the scan process.
      • Let the program scan the machine.
      • When the scan has finished, follow the instructions below.
        IMPORTANT: Don't click the "Save Scan Report" button until you have clicked the "Apply all Actions" button.
        • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
        • At the bottom of the window click on the Apply all Actions button. (3)
      • When done, click the Save Scan Report button. (4)
        • Click the Save Report as button.
        • Save the report to your Desktop.
      • Right-click the AVG Tray Icon and select Exit. Confirm by clicking Yes.
      Reboot in Normal Mode.

      Please post the AVG log and a fresh HijackThis log in your next reply.
  • edited October 2006
    OK, here's the AVG log first and then a new HijackThis log:

    AVG Anti-Spyware - Scan Report

    + Created at: 9:16:15 AM 10/17/2006

    + Scan result:



    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup (quarantined).
    C:\WINDOWS\browser.exe -> Hijacker.Small : Cleaned with backup (quarantined).
    C:\Data\Glen\stuff\Jokes\singing_santa.exe -> Not-A-Virus.BadJoke.Win32.Stupen.c : Cleaned with backup (quarantined).
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@highbeam.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@ads.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\glendon.a.jacques\Cookies\glendon.a.jacques@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP1\A0000029.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP3\A0000216.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\dmhor.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


    ::Report end


    HijackThis:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:22:18 AM, on 10/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\acs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\ZCfgSvc.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ACNU\ACNUpdater.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\hijackthis\Scanner.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    c:\program files\acnu\acnupdatersvc.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solarweb.solar.cat.com/default.shtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
    O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
    O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
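The helper asks for a fresh HijackThis log after every cleaning step so the two logs can be compared, and checking a hundred-odd lines by eye is error-prone. The script below is an added example, not part of this thread and not HijackThis's own code: it parses the R/O entries and the "Running processes" list of two logs, reports which entries appeared or disappeared between them, and lists O4 Run entries whose command is a bare file name rather than a full path (such entries resolve through the search path at logon, so the log alone does not tell you which file actually ran; they are worth attributing by hand, not automatically suspicious). The sample logs are constructed, cut down from the ones posted above; the `[browser]` Run entry in LOG_BEFORE is invented here to exercise the "removed" case and does not appear in the thread's real logs.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Constructed sample logs, modelled on the HijackThis v1.99.1 output in this
# thread and trimmed to a handful of lines. The "[browser]" O4 entry below is
# invented to exercise the "removed" case; it is not in the thread's logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:02:06 PM, on 10/15/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [browser] C:\WINDOWS\browser.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:22:18 AM, on 10/17/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
"""


class HjtEntry(NamedTuple):
    section: str  # "R1", "O4", "O23", ...
    body: str     # everything after the "O4 - " prefix


# One HijackThis entry per line: section code, " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.+)$")
# Body of an O4 entry that came from an HKLM/HKCU Run key: "[name] command".
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text: str) -> list[HjtEntry]:
    """Return the R/F/O entries of a log, skipping header and process list."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def running_processes(text: str) -> list[str]:
    """Return the image paths listed under 'Running processes:'."""
    procs: list[str] = []
    collecting = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not line:
                if procs:
                    break  # the first blank line after the list ends it
                continue
            procs.append(line)
    return procs


def diff_logs(before: str, after: str) -> dict[str, list[HjtEntry]]:
    """Entries present in only one of the two logs, order-independent."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return {"added": sorted(a - b), "removed": sorted(b - a)}


def unqualified_autoruns(entries: list[HjtEntry]) -> list[tuple[str, str]]:
    """O4 Run entries whose command does not start with a drive-letter path."""
    flagged = []
    for e in entries:
        if e.section != "O4":
            continue
        m = RUN_RE.match(e.body)
        if not m:
            continue
        cmd = m.group("cmd").strip().lstrip('"')
        if not re.match(r"^[A-Za-z]:\\", cmd):
            flagged.append((m.group("name"), cmd))
    return flagged


def summarize(before: str, after: str) -> str:
    """Human-readable comparison of two logs, as a helper would post it."""
    d = diff_logs(before, after)
    lines = [f"Entries added since the previous log: {len(d['added'])}"]
    lines += [f"  + {e.section} - {e.body}" for e in d["added"]]
    lines.append(f"Entries removed since the previous log: {len(d['removed'])}")
    lines += [f"  - {e.section} - {e.body}" for e in d["removed"]]
    flagged = unqualified_autoruns(parse_hjt(after))
    lines.append(f"O4 Run entries without a full path (attribute by hand): {len(flagged)}")
    lines += [f"  ? [{name}] {cmd}" for name, cmd in flagged]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(LOG_BEFORE, LOG_AFTER))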
  • jmoney3457 Maine
    edited October 2006
    Please run the BitDefender online scan from here: http://www.bitdefender.com/scan8/ie.html
    You will need to allow an ActiveX install for the scan to run.
    Leave the scanning options at default and press "click here to scan".
    When finished scanning, click on "click here to export the scan report".
    Save it to your desktop; at "file name" type in "bdscan", then click Save.
    Please attach the bdscan.html file to your next post along with a new HijackThis log.
  • edited October 2006
    I wasn't able to upload the HTML file here, so I saved it as a txt file and have the results as well as the HijackThis logfile. Thanks, Glen


    BitDefender Online Scanner - Scan Report
    Scan report generated at: Tue, Oct 17, 2006 - 12:47:55

    Scan path: C:\;D:\;

    Statistics
    Time: 01:32:10
    Files: 670185
    Folders: 7071
    Boot Sectors: 2
    Archives: 9021
    Packed Files: 81418

    Results
    Identified Viruses: 4
    Infected Files: 13
    Suspect Files: 0
    Warnings: 0
    Disinfected: 0
    Deleted Files: 13

    Engines Info
    Virus Definitions: 476903
    Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
    Scan plugins: 13
    Archive plugins: 38
    Unpack plugins: 6
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: *;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File Status
    File | Status
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0000.VBN | Infected with: Exploit.Win32.WMF-PFV.A
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0000.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0000.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0001.VBN | Infected with: Exploit.IECrashJS.J
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0001.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0001.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0002.VBN | Infected with: Exploit.IECrashJS.J
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0002.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0002.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0003.VBN | Infected with: Exploit.IECrashJS.J
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0003.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0003.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0004.VBN | Infected with: Exploit.IECrashJS.J
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0004.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0004.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0006.VBN | Infected with: Exploit.Win32.WMF-PFV.A
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0006.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0006.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0007.VBN | Infected with: Exploit.Win32.WMF-PFV.A
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0007.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0007.VBN | Deleted
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0008.VBN | Infected with: Exploit.Win32.WMF-PFV.A
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0008.VBN | Disinfection failed
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0008.VBN | Deleted
    C:\Program Exe\mobileMIDImb.exe=>(CAB Sfx o)=>MPBrowser.exe | Infected with: BehavesLike:Win32.FileInfector
    C:\Program Exe\mobileMIDImb.exe=>(CAB Sfx o)=>MPBrowser.exe | Disinfection failed
    C:\Program Exe\mobileMIDImb.exe=>(CAB Sfx o)=>MPBrowser.exe | Deleted
    C:\Program Exe\mobileMIDImb.exe=>(CAB Sfx o) | Update failed
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP1\A0000021.exe | Infected with: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP1\A0000021.exe | Disinfection failed
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP1\A0000021.exe | Deleted
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP3\A0000209.exe | Infected with: Trojan.Downloader.Mohbpork.A
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP3\A0000209.exe | Disinfection failed
    C:\System Volume Information\_restore{1804B3F2-954F-4FEE-9122-D8DAEB2CC386}\RP3\A0000209.exe | Deleted
    C:\WINDOWS\system32\csukn.exe | Infected with: Trojan.Downloader.Mohbpork.A
    C:\WINDOWS\system32\csukn.exe | Disinfection failed
    C:\WINDOWS\system32\csukn.exe | Deleted
    C:\WINDOWS\system32\{A17E9280-FA21-47CD-B5FC-6D435251F890}.exe | Infected with: Trojan.Downloader.Mohbpork.A
    C:\WINDOWS\system32\{A17E9280-FA21-47CD-B5FC-6D435251F890}.exe | Disinfection failed
    C:\WINDOWS\system32\{A17E9280-FA21-47CD-B5FC-6D435251F890}.exe | Deleted


    HijackThis:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:59:42 PM, on 10/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\acs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\ZCfgSvc.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ACNU\ACNUpdater.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    c:\program files\acnu\acnupdatersvc.exe
    C:\Program Files\notes\NLNOTES.EXE
    C:\Program Files\notes\ntaskldr.EXE
    C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Artes\Artes.exe
    C:\Program Files\Quicken\qw.exe
    C:\Program Files\hijackthis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solarweb.solar.cat.com/default.shtml
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
    O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
    O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • jmoney3457 Maine
    edited October 2006
    no problem, looks like bitdefender took care of some..just curious what did it say when you tried to upload the BD results? Also please fix *check* the following lines in HJT (make sure NO windows except hjt are open):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    reboot and post new log
    and finally are you familiar with this website as it's in a lot of your hjt log => Accenture.com
  • edited October 2006
    When I tried to upload the attachment, I received an error stating 'Invalid File.' I looked and '.html' is not one of the listed attachments when posting, so I figure that was why. If there's another way to attach it, please let me know for the future.

    The company that I work for is Accenture, so those references are legit and the proxy.cat.com is needed at work.

    I've rebooted and here's my new log. Please let me know how it looks:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:23:13 AM, on 10/18/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\acs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\ZCfgSvc.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\1XConfig.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ACNU\ACNUpdater.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    c:\program files\acnu\acnupdatersvc.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\Program Files\hijackthis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solarweb.solar.cat.com/default.shtml
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
    O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
    O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • jmoney3457 Maine
    edited October 2006
    oh ok..yea that's why I left them alone cause I had feeling they were legit:) but if you still have the bitdefender .html file on your PC still saved could you go here -->http://www.mysharefile.com/ upload it and post back a link here for me to download it with (you can leave both the email fields blank and for description put it BD scan or whatever you want):bigggrin:
  • edited October 2006
    I wasn't able to upload the file type 'html' on the mysharefile site either. I don't know why I didn't think of it earlier, but I zipped up the bdscan.html and attached it here. :clap: Let me know if this works ok
  • jmoney3457 Maine
    edited October 2006
    haha, you are good sir!:thumbsup: sometimes simple things like that go over my head:doh: but could you please purge *delete everything* from your Norton quarantine then reboot & post new hjt log :smiles:
  • edited October 2006
    haha, it took me awhile to figure that out. Ok I rebooted and here's the new hjt log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:33:48 PM, on 10/19/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\acs.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\acstp\icserv.exe
    C:\WINDOWS\system32\acstp\wake_up.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\RSA Security\Web PassPort\Plug-In\System\sdlss.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\System32\ZCfgSvc.exe
    C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    C:\Program Files\Apoint\Apntex.exe
    C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    C:\WINDOWS\System32\1XConfig.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\ACNU\ACNUpdater.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
    C:\Program Files\Logitech\SetPoint\KEM.exe
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    c:\program files\acnu\acnupdatersvc.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\hijackthis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://solarweb.solar.cat.com/default.shtml
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: IEWorkaround Class - {08442457-929D-4522-AE24-9D3E4664A0C1} - C:\Program Files\IE URL Spoofing Patch\IEWorkaround3.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\RSA Security\Web PassPort\Plug-In\system\sdtray.exe"
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [Accenture Connection] "C:\Program Files\Accenture Connection\9341989\Program\Accenture Connection.exe"
    O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
    O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [aauclient] C:\Program Files\ACNU\ACNUpdater.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Simp] C:\PROGRA~1\Secway\SIMPPR~1.1\SimpPro.exe
    O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
    O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /registry /service
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
    O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=https://portal.accenture.com
    O15 - Trusted Zone: *.accenture.com
    O15 - Trusted Zone: *.accenture.com (HKLM)
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121906339945
    O16 - DPF: {8463A31A-7FB5-4D38-B269-57F4FEFDBB09} (SDData.clsData) - https://mylearning.accenture.com/codebase/SDData.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {a2001dd0-c7bd-11d4-a3e1-00c04fa32518} - http://t3oraweb.solar.cat.com/dev6/plugin/jinit1183.exe
    O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} - https://virtualclassroomext.accenture.com/SiteRoots/main/Install/CentraDownloader.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {D3B8B8A0-4FA3-44EB-86C7-5BEA866CEA57} (SDAICC.clsAICC) - https://mylearning.accenture.com/codebase/SDAICC.cab
    O16 - DPF: {FE507B78-691A-4DAA-BE3D-793C86592506} (SDWAPI.clsWAPI) - https://mylearning.accenture.com/codebase/SDWAPI.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\Software\..\Telephony: DomainName = Accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA60204-E8D5-4808-8B22-8E427B7C9BB4}: Domain = accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Accenture.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = accenture.com,dir.svc.accenture.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ACNUSvc - - c:\program files\acnu\acnupdatersvc.exe
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe
    O23 - Service: Apache Tomcat 4.1 - Alexandria Software Consulting - C:\Program Files\Apache Group\Tomcat 4.1\bin\tomcat.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: MC/Empower i.collect Service (iCollectService) - Unknown owner - C:\WINDOWS\system32\acstp\icserv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
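A log like the one above is reviewed entry by entry. As an added example (not part of the thread and not HijackThis's own tooling), here is a small Python first pass over lines in this format; the sample is a handful of entries copied from the log above, and the triage rules are assumptions about what a reviewer checks first, so a hit means "verify this", not "malicious".

```python
import re

# Constructed sample: a few entries copied from the HijackThis log posted above,
# chosen to exercise each triage rule. The real log has many more lines.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.cat.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section code (R0/R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[ROF]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return [(code, body), ...] for each well-formed entry line."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return [(code, reason, body), ...] for entries a reviewer should verify.
    Assumed rules: a corporate PAC file or a vendor Winlogon DLL will trip them too."""
    findings = []
    for code, body in parse_entries(text):
        if "(file missing)" in body:
            findings.append((code, "points at a file that no longer exists", body))
        elif code == "O23" and "Unknown owner" in body:
            findings.append((code, "service binary has no recognised publisher", body))
        elif code == "O4" and "]" in body:
            # Autostart given as a bare filename: Windows resolves it by search
            # order, so a same-named file earlier in the path would be run instead.
            cmd = body.split("]", 1)[1].strip().strip('"')
            if "\\" not in cmd and cmd.lower().endswith(".exe"):
                findings.append((code, "autostart by bare filename, not full path", body))
        elif code in ("R0", "R1") and "AutoConfigURL" in body:
            findings.append((code, "proxy auto-config script decides where traffic goes", body))
        elif code == "O20":
            findings.append((code, "Winlogon Notify DLL loads at logon; confirm vendor", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```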
  • jmoney3457, Maine
    edited October 2006
    Your log looks shipshape. How is your PC running now? Have the redirects stopped?
  • edited October 2006
    The redirects didn't happen every time before, but I just got through searching on Google/Yahoo a bunch of times and it hasn't occurred at all, so I think the problem has been fixed. Thanks so much for your help jmoney. I really appreciate all the time you spent helping me! It's really nice to know that I've got this crap off my computer. Going forward, if I run Adaware and Spybot, are those good tools to keep spy/malware off my computer?

    -Glen
  • jmoney3457, Maine
    edited October 2006
    glen wrote:
    The redirects didn't happen every time before, but I just got through searching on Google/Yahoo a bunch of times and it hasn't occurred at all, so I think the problem has been fixed. Thanks so much for your help jmoney. I really appreciate all the time you spent helping me! It's really nice to know that I've got this crap off my computer. Going forward, if I run Adaware and Spybot, are those good tools to keep spy/malware off my computer?

    -Glen
    Glad to hear it! You're welcome! :) Yes, they are. I'll be back with a final cleanup/prevention post.
  • jmoney3457, Maine
    edited October 2006
    Let me know when you're ready :)
  • edited October 2006
    Ready? For your cleanup/prevention post? Sure, I'm ready
  • jmoney3457, Maine
    edited October 2006
    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

      You can find instructions on how to disable and re-enable System Restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable System Restore using the instructions from the tutorial above.
      Next,

      This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

      Step 1: Delete Temp Files
      To clean out your temp files, click on Start and then run, and type %temp% and press the ok button.

      This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

      Step 2: Delete Temporary Internet Files
      Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use AntiVirus Software - It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online and stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware and hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

    8. Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    Here are some additional utilities that will enhance your safety:
    • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar <= Get the free Google toolbar to help stop pop-up windows.
    • Winpatrol <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
      Using Winpatrol to protect your computer from malicious software
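The HOSTS file cuts both ways: the MVPS list uses it to sinkhole ad sites at 127.0.0.1, and malware edits the same file to redirect search engines or block update and AV sites. As an added example (not part of the thread or of the MVPS project), this Python audit tells the two apart on a constructed sample file; the watch list and the TEST-NET-3 hijack address are assumptions for the example.

```python
import ipaddress

# Constructed sample hosts file. The 127.0.0.1 / 0.0.0.0 lines are the kind of
# blocking entries the MVPS list installs; the final line is a constructed
# hijack (reserved TEST-NET-3 address) of the sort that produces redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.adserver.example     # MVPS-style block
127.0.0.1  banners.example
0.0.0.0    tracker.example
203.0.113.9  www.google.com         # constructed hijack entry
"""

# Constructed watch list: names malware commonly pins in the hosts file,
# either to redirect them or to block updates and AV vendors.
WATCH_DOMAINS = ("google.com", "yahoo.com", "windowsupdate.com", "symantec.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_sinkhole(ip):
    """True for addresses that make a name unreachable (loopback or 0.0.0.0)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCH_DOMAINS)


def audit_hosts(text):
    """Return (blocked_count, findings): blocked_count is the number of
    sinkholed names (expected with MVPS installed); findings lists entries
    that look like tampering rather than ad blocking."""
    blocked, findings = 0, []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        if is_sinkhole(ip):
            blocked += 1
            if watched(name):
                findings.append((ip, name, "watched domain sinkholed"))
        else:
            findings.append((ip, name, "name pinned to a remote address"))
    return blocked, findings
```

On a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` and pass its contents to `audit_hosts`.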
  • jmoney3457, Maine
    edited October 2006
    I'm going to close this thread and mark it resolved. Glad we could help. If you (original topic starter) need this thread re-opened, please send a PM (http://www.short-media.com/forum/private.php?do=newpm) to one of the admins/mods from this list (http://www.short-media.com/forum/showgroups.php?s=) with a link to this thread. Everyone else, please start your own thread. Thank you.