
ZIPZAPPROMOS and telephone bill - hijack this log included

Discussion in 'Malware and Virus Removal Archive' started by Jaguar, 2005/02/18.

Thread Status:
Not open for further replies.
  1. 2005/02/18
    Jaguar

    Jaguar Inactive Thread Starter

    Joined:
    2005/02/12
    Messages:
    12
    Likes Received:
    0
    Hi, this is my first time posting on this forum but I have been looking around for a few weeks now. I have been getting the ZIPZAPPROMOS popups and looking for a way to get rid of them but didn't think it was any big deal, until now. I sat down to do my bills and on my SBC bill I find a USBI insert with 8 calls to DIEGO GARCXX that is included, totaling $156.50 and the lady I talked to at the 888 number said it was from a computer dialer. :mad: :mad:

    So now the question is, is ZIPZAP a dialer or was I hijacked by someone else? I have run the latest Spybot, Ad-Aware, CWShredder, and SpywareBlaster but none seem to find anything. Here is my HijackThis log, and I will be talking to USBI and SBC on Monday when the offices are open. Thanks in advance for any help anyone can provide.

    Jeff-

    Logfile of HijackThis v1.99.0
    Scan saved at 7:59:37 PM, on 2/18/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jeff ????\Desktop\hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Digital Line Detect.lnk.disabled
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1057_XP.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D169D66D-492B-418A-BE9C-F1104B1AC653}: NameServer = 207.173.86.6 209.63.0.6
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  2. 2005/02/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS Jaguar :)

    I did see your post (to the wrong thread) before you edited it and the answer is yes. Allow the script to run and post the log. ;)
     


  4. 2005/02/19
    Jaguar

    Thanks Dave

    I have updated and run all my spyware programs and Norton in safe mode with System Restore turned off since then, but here is my installed program log.

    INSTALLED SOFTWARE (96) - JEFF - 2/19/2005 9:45:53 AM

    Ad-Aware SE Personal
    Adobe Acrobat - Reader 6.0.2 Update Ver: 6.0.2 Installed: 11/15/2004
    Adobe Reader 6.0.1 Ver: 006.000.001 Installed: 11/15/2004
    ArcSoft PhotoImpression 2000
    Autodesk Inventor 8 Ver: 8.0.0000.07270 Installed: 11/17/2004
    Banctec Service Agreement Ver: 1.10.0000 Installed: 11/15/2004
    Barbie(TM) as The Princess and the Pauper Demo
    Barbie(TM) Fashion Show(TM) CD-ROM
    bvydqakmc
    Call of Duty - United Offensive Ver: 1.00.0000 Installed: 12/25/2004
    Call of Duty - United Offensive Ver: 1.00.0000 Installed: 12/25/2004
    Call of Duty Game of the Year Edition
    ccCommon Ver: 103.0.2.10 Installed: 11/16/2004
    Civilization III Complete Edition Ver: 1.00.0000 Installed: 1/19/2005
    Civilization III Complete Edition Ver: 1.00.0000 Installed: 1/19/2005
    Conexant D850 56K V.9x DFVc Modem
    Creative MediaSource
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool Ver: 1.02.0000 Installed: 11/15/2004
    Dell Media Experience
    Dell Support 5.0.0 (630)
    Dell System Restore Ver: 2.00.0000 Installed: 11/15/2004
    Digital Line Detect Ver: 1.10
    Disney's Toontown Online
    HijackThis 1.99.0 Ver: 1.99.0
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections Ver: 8.00.5000 Installed: 11/15/2004
    Internet Explorer Default Page Ver: 1.00.03 Installed: 11/15/2004
    Internet Worm Protection Ver: 11.0.2 Installed: 11/16/2004
    Jasc Paint Shop Photo Album Ver: 4.0.3 Installed: 11/15/2004
    Jasc Paint Shop Pro 8 Dell Edition Ver: 8.10.0000 Installed: 11/15/2004
    Java 2 Runtime Environment, SE v1.4.2_03 Ver: 1.4.2_03 Installed: 11/15/2004
    Java 2 Runtime Environment, SE v1.4.2_06 Ver: 1.4.2_06 Installed: 12/9/2004
    Learn2 Player (Uninstall Only)
    LiveReg (Symantec Corporation) Ver: 3.0.0
    LiveUpdate 2.6 (Symantec Corporation) Ver: 2.6.14.0
    Medal of Honor Allied Assault
    Medal of Honor Allied Assault(tm) Spearhead
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 2/11/2005
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft Excel 97
    Microsoft Flight Simulator 2004 A Century of Flight Ver: 9.0
    Microsoft Plus! Digital Media Edition Installer Ver: 1.1.0.3514 Installed: 11/15/2004
    Microsoft Plus! Photo Story 2 LE Ver: 1.1.0.3463 Installed: 11/15/2004
    Microsoft Word 97
    Modem Helper Ver: 2.28
    MSRedist Ver: 1.0.0.0 Installed: 11/16/2004
    Musicmatch for Windows Media Player Ver: 0.00.000
    Musicmatch® Jukebox Ver: 9.00.2062b
    NetWaiting Ver: 2.5.12
    Norton AntiVirus 2005 Ver: 11.0.2 Installed: 11/16/2004
    Norton AntiVirus Parent MSI Ver: 10.0.0 Installed: 11/16/2004
    Norton SystemWorks Ver: 1.0.0 Installed: 11/16/2004
    Norton SystemWorks 2005 Ver: 8.02.6 Installed: 11/16/2004
    Norton SystemWorks 2005 (Symantec Corporation) Ver: 8.00.99
    Norton Utilities Ver: 18.0.0 Installed: 11/16/2004
    Norton WMI Update Ver: 2005.1.0.111 Installed: 11/16/2004
    NSW_DRM_COLLECTION Ver: 1.0.0 Installed: 11/16/2004
    PowerDVD 5.3
    QuickTime
    RealPlayer Basic
    Shockwave Flash
    SimCity 4 Deluxe
    Sonic DLA Ver: 4.95 Installed: 11/15/2004
    Sonic RecordNow! Ver: 7.3 Installed: 11/15/2004
    Sonic Update Manager Ver: 2.9 Installed: 11/15/2004
    Sound Blaster Live! 24-bit
    SPBBC Ver: 1.00.0000 Installed: 11/16/2004
    Spybot - Search & Destroy 1.3 Ver: 1.3
    SpywareBlaster v3.2 Ver: 3.2.0
    Symantec Network Drivers Update Ver: 5.4.4.17 Installed: 2/18/2005
    Symantec Script Blocking Installer Ver: 11.0.2 Installed: 11/16/2004
    SymNet Ver: 5.4.2.17 Installed: 11/16/2004
    Viewpoint Media Player
    WebFldrs XP Ver: 9.50.7523 Installed: 8/11/2004
    Windows Media Format Runtime
    Windows Media Player 10
    Windows Media Player 10 Ver: 9.00.3636 Installed: 11/15/2004
    Windows XP Hotfix - KB834707 Ver: 20040929.110854
    Windows XP Hotfix - KB867282 Ver: 20050127.090417
    Windows XP Hotfix - KB873333 Ver: 20050114.005213
    Windows XP Hotfix - KB873339 Ver: 20041117.092459
    Windows XP Hotfix - KB885250 Ver: 20050118.202711
    Windows XP Hotfix - KB885835 Ver: 20041027.181713
    Windows XP Hotfix - KB885836 Ver: 20041028.173203
    Windows XP Hotfix - KB886185 Ver: 20041021.090540
    Windows XP Hotfix - KB887472 Ver: 20041014.162858
    Windows XP Hotfix - KB888113 Ver: 20041116.131036
    Windows XP Hotfix - KB888302 Ver: 20041207.111426
    Windows XP Hotfix - KB888310 Ver: 20041027.095746
    Windows XP Hotfix - KB890047 Ver: 20041221.124506
    Windows XP Hotfix - KB890175 Ver: 20041201.233338
    Windows XP Hotfix - KB891781 Ver: 20050110.165439
    WordPerfect Office 12 Ver: 12.0.0.238 Installed: 11/15/2004
     
    Last edited: 2005/02/19
  5. 2005/02/19
    Jaguar

    It looks like bvydqakmc may be the problem. Am I off base or how should I go about getting rid of it?

    Thanks, Jeff
     
  6. 2005/02/19
    noahdfear

    You're right on! Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    start it and paste in bvydqakmc, wait, hit OK. Then when WordPad opens, copy that back here please.
     
  7. 2005/02/19
    Jaguar

    Results from RegSrch.vbs

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "bvydqakmc" 2/19/2005 1:38:32 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "bvydqakmc "= "c:\\windows\\system32\\bvydqakmc.exe -start "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bvydqakmc]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bvydqakmc]
    "UninstallString "= "c:\\windows\\system32\\bvydqakmc.exe -uninstall "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bvydqakmc]
    "DisplayName "= "bvydqakmc "

    [HKEY_USERS\S-1-5-21-1721701136-4027249080-1819993966-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
    "C:\\windows\\system32\\bvydqakmc.exe "= "bvydqakmc "
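    As an added example (not RegSrch.vbs and not anything posted in this thread), here is a small Python parser for search results in the shape shown above: it tolerates the stray spaces the forum inserts before the equals sign, undoes REGEDIT4's doubled backslashes, and sorts the hits into the autorun value, the keys named after the program, stray references, and the executable paths to remove. The sample text is constructed from the results above.

```python
import re

# Constructed sample in the shape of the RegSrch.vbs results posted above
# (REGEDIT4 text, doubled backslashes, forum-inserted spaces around '=').
SAMPLE = r'''REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "bvydqakmc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bvydqakmc "= "c:\\windows\\system32\\bvydqakmc.exe -start "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bvydqakmc]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bvydqakmc]
"UninstallString "= "c:\\windows\\system32\\bvydqakmc.exe -uninstall "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bvydqakmc]
"DisplayName "= "bvydqakmc "

[HKEY_USERS\S-1-5-21-1721701136-4027249080-1819993966-1005\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\windows\\system32\\bvydqakmc.exe "= "bvydqakmc "
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')
# A quoted path may contain spaces; an unquoted one ends at the first space.
EXE_RE = re.compile(r'"([^"]+?\.exe)"|(\S+?\.exe)', re.IGNORECASE)
AUTORUN_SUFFIXES = (r'\currentversion\run', r'\currentversion\runonce')


def unquote(s):
    """Drop the forum's padding spaces and undo REGEDIT4's doubled backslashes."""
    return s.strip().replace('\\\\', '\\')


def parse_regsrch(text):
    """Yield (key, name, data) for every value line under its [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line == 'REGEDIT4':
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, unquote(m.group(1)), unquote(m.group(2))


def removal_plan(text, marker):
    """Sort the hits for one marker into what the clean-up has to touch.

    autorun: Run/RunOnce values (the persistence; delete the value)
    keys:    keys named after the marker, e.g. its Uninstall key (delete the key)
    values:  other values that merely reference it, e.g. MUICache (delete the value)
    files:   every executable path the hits point at (delete, on reboot if locked)
    """
    marker = marker.lower()
    plan = {'autorun': [], 'keys': [], 'values': [], 'files': set()}
    for key, name, data in parse_regsrch(text):
        for m in EXE_RE.finditer(name + ' ' + data):
            plan['files'].add((m.group(1) or m.group(2)).lower())
        klow = key.lower()
        if klow.endswith(AUTORUN_SUFFIXES):
            plan['autorun'].append((key, name))
        elif klow.rsplit('\\', 1)[-1] == marker:
            if key not in plan['keys']:
                plan['keys'].append(key)
        elif marker in (name + data).lower():
            plan['values'].append((key, name))
    plan['files'] = sorted(plan['files'])
    return plan


if __name__ == '__main__':
    for what, items in removal_plan(SAMPLE, 'bvydqakmc').items():
        print(what)
        for item in items:
            print('   ', item)
```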
     
  8. 2005/02/19
    noahdfear

    You will need to turn off System Restore to purge the rogue files from your restore points. Right click My Computer and choose Properties. On the System Restore tab, check the box to turn it off. OK out.

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\bvydqakmc.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then NO to reboot now. Copy the next filepath and paste it in the box, and repeat the above steps. When all of the below filepaths are done, close the Killbox.

    C:\WINDOWS\Downlo~1\EGDACCESS.inf
    C:\WINDOWS\system32\EGDACCESS_1057.dll



    Download and install Reglite. Open and copy/paste the following string in the address window then click go.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    The forum format puts a space in the word current that you will need to edit out before clicking Go.

    Right click the "bvydqakmc "= "c:\\windows\\system32\\bvydqakmc.exe -start" value in the right pane and delete. Then copy/paste the following.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\bvydqakmc

    Right click the bvydqakmc key in the left pane and delete.
    Exit Reglite when done.



    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binari...ESS_1057_XP.cab


    Reboot and post a new HJT log. Let us know if the popups stop.
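    An added example, not part of this thread and not HijackThis code: a Python triage pass over log lines in the shape posted in this thread that flags the same kinds of entries the fix list above targets (the missing URLSearchHook, orphaned "(no file)" BHO and toolbar registrations, an ActiveX download from a host outside a known-host list, and a Run value whose name looks random). The sample log and the known-host list are constructed for the example; the random-name check is a weak heuristic, so anything it flags still needs a manual look, as was done in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the two HJT logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bvydqakmc] c:\windows\system32\bvydqakmc.exe -start
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {26D73573-F1B3-48C9-A989-E6CE071957A1} - http://akamai.downloadv3.com/binaries/EGDAccess/EGDACCESS_1057_XP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

ENTRY_RE = re.compile(r'^(R\d|O\d+) - (.*)$')
RUN_RE = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
URL_RE = re.compile(r'https?://\S+')
# Assumption for the example: DPF hosts the machine's owner knowingly installed from.
KNOWN_DPF_HOSTS = {'www.pandasoftware.com', 'chat.yahoo.com',
                   'us.chat1.yimg.com', 'download.toontown.com'}


def random_looking(name):
    """Weak signal: 8+ lowercase letters with at most one vowel, no digits or caps."""
    return (len(name) >= 8 and name.isalpha() and name.islower()
            and sum(c in 'aeiou' for c in name) <= 1)


def triage(log_text, known_hosts=KNOWN_DPF_HOSTS):
    """Return [(section, reason, entry)] for every entry that merits a look."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                       # header lines, process list, blanks
        section, body = m.groups()
        if section == 'R3' and 'is missing' in body:
            flagged.append((section, 'default URLSearchHook missing', body))
        elif section in ('O2', 'O3') and body.endswith('(no file)'):
            # Registered BHO/toolbar whose DLL is gone: leftover from a removal.
            flagged.append((section, 'orphaned BHO/toolbar registration', body))
        elif section == 'O16':
            url = URL_RE.search(body)
            host = urlparse(url.group()).hostname if url else None
            if host not in known_hosts:
                flagged.append((section, f'ActiveX download from unrecognised host {host}', body))
        elif section == 'O4':
            r = RUN_RE.match(body)
            if r and random_looking(r.group('name')):
                flagged.append((section, 'Run value with random-looking name (verify manually)', body))
    return flagged


if __name__ == '__main__':
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f'{section:4} {reason}\n     {entry}')
```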
     
  9. 2005/02/19
    Jaguar

    Seems good... but

    I had a problem with the Killbox program. The computer locked up and I had to turn it off manually, then I ran RegSrch and RegLite again to kill the bvydqakmc instances again, re-ran Killbox and it seems to be working.

    I still don't know about the money that USBI wants from me through SBC. I will post again after talking to them, but I don't see how I should be held liable for popups on my computer that I didn't ask for and took hours of work to be rid of, and that probably my 11-year-old daughter clicked on. Maybe I should bill them for my time working on this, say $120.00/hr, 12 hours, for a total of $1440.00. :D (If they pay I will donate it to SpyBot in noahdfear (Dave's) name :cool: )

    Thanks for your help, the popups seem to have quit. Here is my HJT log; let me know if you see anything that needs attention.

    Logfile of HijackThis v1.99.0
    Scan saved at 6:40:59 PM, on 2/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Program Files\Dell\Media Experience\PCMService.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Jeff Geer\Desktop\Spyware Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe "
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe "
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Global Startup: Digital Line Detect.lnk.disabled
    O4 - Global Startup: Microsoft Find Fast.lnk.disabled
    O4 - Global Startup: Office Startup.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.14.48/ttinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D169D66D-492B-418A-BE9C-F1104B1AC653}: NameServer = 207.173.86.6 209.63.0.6
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  10. 2005/02/20
    noahdfear

    Log looks good. Suggest you run an online virus scan with RAV. If any files are infected, click the report button then copy and paste it here. If it's clean, re-enable system restore and create a manual restore point.

    Also recommend you check your firewall's activity logs (program access) and remove access to anything you don't recognize as valid. If unsure of anything, Google it or ask here.

    I don't see Spybot's SDHelper.dll BHO in your last log. Open the folder where Spybot resides (usually C:\Program Files\Spybot S&D) and see if the file is there. If not, get the zip file here, and extract the file to that folder. Then open Spybot and re-enable SDHelper. Also recommend you open Spybot and click Mode on the toolbar, then Advanced mode. Click Immunize in the left pane, then Immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click the Tools button, then IE Tweaks and at least lock the HOSTS file.
    Then download and install IESpyad.

    That will give you some added layers of protection against unwanted parasites.
     
  11. 2005/02/20
    Jaguar

    Here is the RAV log:

    Scan started at 2/20/2005 9:02:56 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...

    Scanned
    ============================
    Objects: 84076
    Directories: 4669
    Archives: 3315
    Size(Kb): -934246
    Infected files: 0

    Found
    ============================
    Viruses found: 0
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 326



    My Windows firewall (should I get ZoneAlarm? I only have a dial up connection) has some entries I am not sure about. Under the Exceptions tab they are CoDUOMP, Microsoft DirectPlay8 Server, Peer Name Resolution Protocol (PNRP), UPnP Framework, and Windows Peer-to-Peer Grouping. In the Advanced tab, along with my ISP name, I have a checked box next to "access-to ", and when I click the Settings button, it has a list under the Services tab with "Teredo" checked.

    I had the Spybot resident program disabled during the last scan because of all the registry editing I was doing; I have since re-enabled it, along with the TeaTimer. I also make sure the immunization is up to date and I have already set up the IE Tweaks as you describe. I also keep SpywareBlaster up to date.

    I don't have IESpyAd yet, but will DL it tomorrow. Again, thanks for your help and have a great day.

    Jeff
     
  12. 2005/02/21
    noahdfear

    Those are all legitimate exceptions. I prefer a third party firewall myself and do recommend installing one.

    Glad to help. :)
     
  13. 2005/02/21
    Jaguar

    Not all seem legitimate

    I have noticed that on the start menu, connect to, I have a new entry. Looks like the dialer that has charged my phone bill, called "access-to ", and uses the modem to connect. The phone number is not given, only ********, but everything else looks like a normal dial up connection.

    How would I go about getting rid of all traces of this, since it seems only deleting crapware doesn’t always do the job. Do you think there are more hooks in my computer that I need to delete to get rid of this "access-to" dialer?

    Thanks,
    Jeff
     
  14. 2005/02/21
    noahdfear

    Go into Show all connections and delete the new dial-up connection, if that's what it is. I would recommend you run RegSeeker to clean out the registry. Download and extract to its own folder, open the program, maximize the window and click Clean Registry. When the scan is complete, verify the backup box in the lower left corner is checked and click the Select All button. Then right click within the search results and select Delete. Now do a quick check of your installed programs' functionality. I've never had RegSeeker remove anything vital that it wasn't supposed to, but you never know. If all is well, run it again and again until it comes up clean, again checking other programs between runs. Should something go wrong, click the Backup button and restore the last run, then rerun and exclude entries associated with whatever it broke. Click the Histories button and there are choices to clean up the start menu, typed URLs, TIFs you thought were gone, stream MRU keys, etc. Use them too, and do another Clean Registry. It probably wouldn't even be a bad idea to reboot and run again. A lot of work, but it does run relatively quickly so you're not looking at hours to do this.

    If you do install a third party firewall, you will be prompted for internet access, at least once, by ANY program looking for it if you configure it to alert you. You will then be able to see from within the program the filename and location of anything that has requested access. Make sure to disable the XP firewall if you use a third party one.
     