
Solved Pop up windows

Discussion in 'Malware and Virus Removal Archive' started by cgul, 2007/08/12.

  1. 2007/08/12
    cgul

    cgul Inactive Thread Starter

    [Resolved] Pop up windows

    Hi,
    New to the BBS.
    My daughter's computer was recently infected with a trojan horse that I was able to remove by using suggestions here. It also had numerous web pages load, five or so at a time, home page changes, etc. I was able to get rid of them too, but now one or two web pages still pop up; it takes a long time to happen and fewer are showing up.
    Norton AntiVirus and SpywareBot are both installed.
    Ran Ad-Aware 2007.
    Decided maybe I should post vs. lurking this time.
    Here is the HJT log paste:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:22:34 PM, on 8/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\RFA\rfagent.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    C:\Program Files\SpywareBot\SpywareBot.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\<name removed>Desktop\abc.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME&VERSION=7.10.4053DELL&LANG=ENU&Grant=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R3 - URLSearchHook: ScriptInocUI Class - - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
    O3 - Toolbar: (no name) - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download2.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe - http://download2.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.25/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0038089.dat
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\Program Files\SpywareBot\SpywareBotSrv.srv.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WUSB54GPSVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe

    --
    End of file - 9341 bytes
    Thanks for the help
    cgul
     
    cgul,
    #1
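A small triage pass over a HijackThis log like the one posted above, added here as an example; it is not part of the thread and not code from HijackThis or ComboFix. It splits the log into the running-process list and the `R`/`F`/`N`/`O` entry lines, then applies defender-side rules: any non-empty O20 AppInit_DLLs value (loaded into every process that loads user32.dll, and here pointing at a `.dat` file in system32), entries whose target is `(no file)`, O23 services with no publisher name, and executables running from a user profile. The sample input is a subset of the log lines posted above; the rule set and the severity labels are my own choices, not anything the forum helper stated.

```python
import re

# Subset of the HijackThis v2.0.2 log lines posted above, embedded here as sample input.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\SpywareBot\\SpywareBot.exe
C:\\Documents and Settings\\<name removed>Desktop\\abc.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe "
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\__c0038089.dat
O23 - Service: SpywareBot Scanning Engine (SpywareBotSrv) - Unknown owner - C:\\Program Files\\SpywareBot\\SpywareBotSrv.srv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# HijackThis entry lines look like "O20 - <body>"; R/F/N/O are the section prefixes it uses.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and (code, body) entries."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # the process list ends at the first blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def triage(text):
    """Return (severity, reason, line) findings; severities are this example's own labels."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        low = proc.lower()
        # An .exe running from inside a user profile is not proof of anything on its own,
        # but it is where downloaded droppers usually land, so it goes on the review list.
        if "\\documents and settings\\" in low and low.endswith(".exe"):
            findings.append(("review", "process running from a user profile path", proc))
    for code, body in entries:
        line = f"{code} - {body}"
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:
                # AppInit_DLLs is injected into every process that loads user32.dll, so any
                # non-empty value is persistence; a non-.dll extension is a further red flag.
                sev = "review" if value.lower().endswith(".dll") else "high"
                findings.append((sev, "AppInit_DLLs persistence", line))
        elif body.endswith("(no file)"):
            # The registry still references a component whose file is gone: leftover to clean.
            findings.append(("cleanup", "orphaned registry reference (target file missing)", line))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append(("review", "service without a publisher name", line))
    return findings


def summarize(findings):
    """Count findings per severity so a reader can see the shape of the log at a glance."""
    counts = {}
    for sev, _reason, _line in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {reason}: {line}")
    print(summarize(triage(SAMPLE_LOG)))
```

The rules are deliberately coarse: they rank lines for a human to look at, they do not decide what to delete. In this log the one line that would be "high" is the AppInit_DLLs entry, which is exactly the mechanism by which a single file in system32 gets loaded into every GUI process and keeps re-spawning the pop-ups.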
  2. 2007/08/12
    noahdfear

    noahdfear Inactive

    Welcome to WindowsBBS cgul :)

    First, go to Add/remove programs and uninstall SpywareBot. It's actually on the list of rogue antispyware apps. The one you want is Spybot S&D, but we can get that later. ;)

    Download ComboFix by sUBs from Here or Here, saving the file to your Desktop.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

  4. 2007/08/12
    cgul

    cgul Inactive Thread Starter

    OK, here is the ComboFix log:
    ComboFix 07-08-04.3 - "Kimberly" 2007-08-12 19:30:14.1 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\FindIt.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\FindItHot.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\findithotxp.png
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\finditxp.png
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\Highlight.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\HighlightHot.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\highlighthotxp.png
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\highlightxp.png
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\jokesearch.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\logo.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\logoxp.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\pranks.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\buttons\starware_toolbar_icon.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\contexts\error.xml
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\contexts\Related.xml
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\contexts\Travel.xml
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\EntertainmentMarketingSP\images\active\EntertainmentMarketingSP0.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\Games\images\active\Games0.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\Movies\images\active\Movies0.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\ScreensaversMarketingSitePager\images\active\ScreensaversMarketingSitePager0.bmp
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\SimpleUpdate\ProductMessagingConfig.xml
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\SimpleUpdate\ProductMessagingConfig.xml.backup
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\SimpleUpdate\SimpleUpdateConfig.xml
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\SimpleUpdate\SimpleUpdateConfig.xml.backup
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\SimpleUpdate\TimerManagerConfig.xml
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\SimpleUpdate\TimerManagerConfig.xml.backup
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Starware347\U0500EF6F.exe
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\BrowserSearch\BrowserSearch.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\BrowserSearch\BrowserSearch.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Configurator\Configurator.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Configurator\Configurator.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ErrorSearch\ErrorSearchOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Games\GamesOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Games\GamesOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\JokeSearch\JokeSearchOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\JokeSearch\JokeSearchOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Layouts\ToolbarLayout.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Layouts\ToolbarLayout.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Manager\ManagerOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Manager\ManagerOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Movies\MoviesOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Movies\MoviesOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Pranks\PranksOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Pranks\PranksOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\RelatedSearch\RelatedSearchOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\SearchMatch\SearchMatchOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\SearchMatch\SearchMatchOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Toolbar\TBProductsOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\Toolbar\TBProductsOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\TravelSearch\TravelSearchOptions.xml
    C:\DOCUME~1\Evelyn\APPLIC~1\Starware347\TravelSearch\TravelSearchOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\BrowserSearch\BrowserSearch.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\BrowserSearch\BrowserSearch.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Configurator\Configurator.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Configurator\Configurator.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ErrorSearch\ErrorSearchOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Games\GamesOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Games\GamesOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\JokeSearch\JokeSearchOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\JokeSearch\JokeSearchOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Layouts\ToolbarLayout.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Layouts\ToolbarLayout.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Manager\ManagerOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Manager\ManagerOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Movies\MoviesOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Movies\MoviesOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Pranks\PranksOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Pranks\PranksOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\RelatedSearch\RelatedSearchOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\SearchAssistPlus\SearchAssistPlusOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\SearchMatch\SearchMatchOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\SearchMatch\SearchMatchOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Tem3E7.tmp
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Toolbar\TBProductsOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\Toolbar\TBProductsOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\TravelSearch\TravelSearchOptions.xml
    C:\DOCUME~1\Guest\APPLIC~1\Starware347\TravelSearch\TravelSearchOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\FunWebProducts
    C:\DOCUME~1\Kimberly\APPLIC~1\FunWebProducts\Data\Kimberly\avatar.dat
    C:\DOCUME~1\Kimberly\APPLIC~1\FunWebProducts\Data\Kimberly\register.dat
    C:\DOCUME~1\Kimberly\APPLIC~1\FunWebProducts\Data\Kimberly\zbucks.dat
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\BrowserSearch\BrowserSearch.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\BrowserSearch\BrowserSearch.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Configurator\Configurator.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Configurator\Configurator.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\EntertainmentMarketingSP\EntertainmentMarketingSPOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ErrorSearch\ErrorSearchOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ErrorSearch\ErrorSearchOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Games\GamesOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Games\GamesOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\JokeSearch\JokeSearchOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\JokeSearch\JokeSearchOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Layouts\ToolbarLayout.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Layouts\ToolbarLayout.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Manager\ManagerOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Manager\ManagerOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Movies\MoviesOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Movies\MoviesOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Pranks\PranksOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Pranks\PranksOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\RelatedSearch\RelatedSearchOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\RelatedSearch\RelatedSearchOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ScreensaversMarketingSitePager\ScreensaversMarketingSitePagerOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Tem3FC.tmp
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Toolbar\TBProductsOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\Toolbar\TBProductsOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ToolbarLogo\ToolbarLogoOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ToolbarLogo\ToolbarLogoOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ToolbarSearch\ToolbarSearchOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\ToolbarSearch\ToolbarSearchOptions.xml.backup
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\TravelSearch\TravelSearchOptions.xml
    C:\DOCUME~1\Kimberly\APPLIC~1\Starware347\TravelSearch\TravelSearchOptions.xml.backup


    ((((((((((((((((((((((((( Files Created from 2007-07-12 to 2007-08-12 )))))))))))))))))))))))))))))))


    2007-08-12 19:29 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-12 15:53 <DIR> d-------- C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot
    2007-08-12 15:52 <DIR> d-------- C:\Program Files\SpywareBot
    2007-08-04 17:08 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-08-04 16:56 <DIR> d-------- C:\Program Files\Wireless-G Portable USB Adapter
    2007-08-04 16:52 <DIR> d-------- C:\DOCUME~1\JERRYM~1\APPLIC~1\GTek
    2007-08-04 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
    2007-08-04 16:37 106 --a------ C:\delete.bat
    2007-08-04 16:32 <DIR> d-------- C:\VundoFix Backups
    2007-08-04 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-04 13:05 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Help
    2007-07-31 20:13 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-31 19:57 2,166 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-07-31 19:56 <DIR> d-------- C:\DOCUME~1\JERRYM~1\SmitfraudFix
    2007-07-31 17:58 184 --a------ C:\prpl_rmdll.bat
    2007-07-31 17:10 <DIR> d-------- C:\DOCUME~1\JERRYM~1\APPLIC~1\Google
    2007-07-31 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-07-31 14:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-31 13:40 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\AdwareAlert
    2007-07-31 13:39 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-07-31 13:39 <DIR> d-------- C:\Program Files\AdwareAlert
    2007-07-30 17:25 64,991 --a------ C:\WINDOWS\SYSTEM32\__c00B27E9.dat
    2007-07-30 17:25 106,496 --a------ C:\WINDOWS\SYSTEM32\__c0038089.dat
    2007-07-30 17:25 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-07-14 21:23 <DIR> d-------- C:\Program Files\MySpace
    2007-07-14 21:23 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\MySpace


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-12 17:39 --------- d-------- C:\Program Files\Microsoft Hardware
    2007-08-12 16:10 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-12 16:10 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-12 16:07 --------- d-------- C:\Program Files\AWS
    2007-08-12 12:49 --------- d-------- C:\Program Files\Norton SystemWorks
    2007-08-10 06:32 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-08-04 16:56 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-04 13:07 --------- d-------- C:\Program Files\Managed DirectX (0900)
    2007-07-31 23:25 --------- d-------- C:\Program Files\Microsoft Games
    2007-07-31 17:58 --------- d-------- C:\Program Files\AT&T Worldnet Accelerator
    2007-07-31 17:56 --------- d-------- C:\Program Files\Chaos32
    2007-07-31 17:51 --------- d-------- C:\Program Files\Sony Handheld
    2007-07-31 17:35 --------- d-------- C:\Program Files\Google
    2007-07-31 17:30 --------- d-------- C:\Program Files\Auran
    2007-07-31 17:20 --------- d-------- C:\Program Files\MPLAB IDE
    2007-07-31 17:16 --------- d-------- C:\Program Files\Documents To Go
    2007-07-31 16:39 --------- d-------- C:\Program Files\Click'N Design 3D
    2007-07-31 14:25 --------- d-------- C:\Program Files\Lavasoft
    2007-07-31 13:19 --------- d-------- C:\Program Files\CodeQuickNT
    2007-07-30 20:27 --------- d-------- C:\Program Files\Symantec
    2007-06-13 16:29 --------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Microsoft Games
    2007-06-04 21:02 53248 --a------ C:\WINDOWS\PalmDevC.dll
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2006-03-14 20:12 359112 --a------ C:\Program Files\LimeWireWin.exe
    2003-02-11 02:28 207758 --a------ C:\Program Files\INSTALL.LOG
    2001-10-11 19:22 53248 --a------ C:\Program Files\ezStub.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16]
    "nwiz "= "nwiz.exe" [2003-10-06 15:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-07-30 20:23]
    "CoolSwitch "= "C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "AcctMgr "= "C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 14:41]
    "rfagent "= "C:\Program Files\RFA\rfagent.exe" [2004-10-04 03:35]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

    C:\Documents and Settings\Kimberly\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 11:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 11:00:00]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=C:\WINDOWS\system32\__c0038089.dat

    R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    R2 WUSB54GPSVC;WUSB54GPSVC; "C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe" "WUSB54GP.exe "
    R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
    R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
    R3 PRISM_A02;802.11a/g USB Driver;C:\WINDOWS\system32\DRIVERS\WUSB20XP.sys
    R3 WinDriver6;Alohabob USB Bridge Cable Driver;C:\WINDOWS\system32\drivers\windrvr6.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
    S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
    S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
    S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
    S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
    S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
    S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
    S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
    S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
    S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
    S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
    S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
    S3 IPFilter;Microsoft IntelliPoint Features driver;C:\WINDOWS\system32\DRIVERS\IPFilter.sys
    S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
    S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
    S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
    S3 SDdriver;SDdriver;\??\C:\WINDOWS\system32\Drivers\sddriver.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-12 07:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job - C:\Program Files\AdwareAlert\AdwareAlert.exe
    2007-08-11 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Jerry McDermand.job - C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe
    2007-08-06 16:00:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
    2007-08-12 20:45:51 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
    2007-08-12 16:49:38 C:\WINDOWS\Tasks\sunday computer scan.job
    2007-08-12 04:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-12 19:39:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    **************************************************************************

    Completion time: 2007-08-12 19:41:36
    C:\ComboFix-quarantined-files.txt ... 2007-08-12 19:40

    --- E O F ---
    And here is the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:49:18 PM, on 8/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\RFA\rfagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Kimberly\Desktop\abc.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=.../xPJKCR7jDSCKZpypAyuQYr9orOgL3ufJ7e/LUzVmSFw=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R3 - URLSearchHook: ScriptInocUI Class - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download2.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe - http://download2.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4047/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.25/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0038089.dat
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WUSB54GPSVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    O24 - Desktop Component 0: (no name) - http://apsc.disney.go.com/disneychannel/suitelife/downloads/twins_wallpaper/800x600-twins.jpg
    O24 - Desktop Component 1: (no name) - http://zootycoon.com/NR/rdonlyres/2F9648AB-5007-4B89-A6B1-8754D61EFA8E/0/desktop_21_800600.jpg
    O24 - Desktop Component 2: (no name) - http://www.virgin.net/music/wallpapers/images/greenday_thumb.jpg

    --
    End of file - 9640 bytes
    thanks for the help
     
    cgul,
    #3
  5. 2007/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, create a new folder on the desktop named HJT and move HijackThis.exe to that folder and run it from there. Scan with HijackThis and place a check next to the following entries, close all other windows and click Fix Checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...fJ7e/LUzVmSFw=
    R3 - URLSearchHook: ScriptInocUI Class - - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - (no file)
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/40...3/cpbrkpie.cab

    Close HijackThis.

    Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\WINDOWS\SYSTEM32\__c00B27E9.dat
    C:\WINDOWS\SYSTEM32\__c0038089.dat
    
    Folder::
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot
    C:\Program Files\SpywareBot
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "appinit_dlls"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

    I'm a bit concerned about a couple of files.
    C:\prpl_rmdll.bat
    C:\delete.bat


    Unless you know what they are, please right click on each of those files and select Edit to open them with notepad. Copy the contents and post them back here.
     
  6. 2007/08/12
    cgul

    cgul Inactive Thread Starter

    Joined:
    2007/08/12
    Messages:
    6
    Likes Received:
    0
    OK, again thanks...:)

    ComboFix 07-08-04.3 - "Kimberly" 2007-08-12 20:37:19.2 [GMT -4:00] - NTFS
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True
    Command switches used :: C:\Documents and Settings\Kimberly\Desktop\CFScript.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Log\2007 Aug 12 - 03_53_14 PM_953.log
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Log\2007 Aug 12 - 03_53_17 PM_390.log
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Log\2007 Aug 12 - 04_45_51 PM_203.log
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Settings\CustomScan.stg
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Settings\IgnoreList.stg
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Settings\ScanInfo.stg
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Settings\SelectedFolders.stg
    C:\DOCUME~1\JERRYM~1\APPLIC~1\SpywareBot\Settings\Settings.stg
    C:\Program Files\SpywareBot
    C:\Program Files\SpywareBot\Log\2007 Aug 12 - 03_53_21 PM.log
    C:\Program Files\SpywareBot\Log\2007 Aug 12 - 04_45_54 PM.log
    C:\WINDOWS\SYSTEM32\__c0038089.dat
    C:\WINDOWS\SYSTEM32\__c00B27E9.dat


    ((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


    2007-08-12 19:29 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-08-04 17:08 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-08-04 16:56 <DIR> d-------- C:\Program Files\Wireless-G Portable USB Adapter
    2007-08-04 16:52 <DIR> d-------- C:\DOCUME~1\JERRYM~1\APPLIC~1\GTek
    2007-08-04 16:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Gtek
    2007-08-04 16:37 106 --a------ C:\delete.bat
    2007-08-04 16:32 <DIR> d-------- C:\VundoFix Backups
    2007-08-04 16:09 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-08-04 13:05 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Help
    2007-07-31 20:13 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-31 19:57 2,166 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
    2007-07-31 19:56 <DIR> d-------- C:\DOCUME~1\JERRYM~1\SmitfraudFix
    2007-07-31 17:10 <DIR> d-------- C:\DOCUME~1\JERRYM~1\APPLIC~1\Google
    2007-07-31 14:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-07-31 14:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-31 13:40 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\AdwareAlert
    2007-07-31 13:39 <DIR> d----c--- C:\WINDOWS\SYSTEM32\DRVSTORE
    2007-07-31 13:39 <DIR> d-------- C:\Program Files\AdwareAlert
    2007-07-30 17:25 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
    2007-07-14 21:23 <DIR> d-------- C:\Program Files\MySpace
    2007-07-14 21:23 <DIR> d-------- C:\DOCUME~1\Kimberly\APPLIC~1\MySpace


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-08-12 17:39 --------- d-------- C:\Program Files\Microsoft Hardware
    2007-08-12 16:10 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-08-12 16:10 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-08-12 16:07 --------- d-------- C:\Program Files\AWS
    2007-08-12 12:49 --------- d-------- C:\Program Files\Norton SystemWorks
    2007-08-10 06:32 --------- d-------- C:\Program Files\Common Files\Symantec Shared
    2007-08-04 16:56 --------- d--h----- C:\Program Files\InstallShield Installation Information
    2007-08-04 13:07 --------- d-------- C:\Program Files\Managed DirectX (0900)
    2007-07-31 23:25 --------- d-------- C:\Program Files\Microsoft Games
    2007-07-31 17:56 --------- d-------- C:\Program Files\Chaos32
    2007-07-31 17:51 --------- d-------- C:\Program Files\Sony Handheld
    2007-07-31 17:35 --------- d-------- C:\Program Files\Google
    2007-07-31 17:30 --------- d-------- C:\Program Files\Auran
    2007-07-31 17:20 --------- d-------- C:\Program Files\MPLAB IDE
    2007-07-31 17:16 --------- d-------- C:\Program Files\Documents To Go
    2007-07-31 16:39 --------- d-------- C:\Program Files\Click'N Design 3D
    2007-07-31 14:25 --------- d-------- C:\Program Files\Lavasoft
    2007-07-31 13:19 --------- d-------- C:\Program Files\CodeQuickNT
    2007-07-30 20:27 --------- d-------- C:\Program Files\Symantec
    2007-06-13 16:29 --------- d-------- C:\DOCUME~1\Kimberly\APPLIC~1\Microsoft Games
    2007-06-04 21:02 53248 --a------ C:\WINDOWS\PalmDevC.dll
    2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
    2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
    2007-05-16 11:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
    2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
    2006-03-14 20:12 359112 --a------ C:\Program Files\LimeWireWin.exe
    2003-02-11 02:28 207758 --a------ C:\Program Files\INSTALL.LOG
    2001-10-11 19:22 53248 --a------ C:\Program Files\ezStub.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07AA283A-43D7-4CBE-A064-32A21112D94D}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\System32\NvCpl.dll" [2003-10-06 15:16]
    "nwiz "= "nwiz.exe" [2003-10-06 15:16 C:\WINDOWS\SYSTEM32\nwiz.exe]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-07-30 20:23]
    "CoolSwitch "= "C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 17:30]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "AcctMgr "= "C:\Program Files\Norton Password Manager\AcctMgr.exe" [2004-08-18 14:41]
    "rfagent "= "C:\Program Files\RFA\rfagent.exe" [2004-10-04 03:35]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

    C:\Documents and Settings\Kimberly\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 11:00:00]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DESKTOP.INI [2002-09-03 11:00:00]

    R2 TivoBeacon2;TiVo Beacon;C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    R2 WUSB54GPSVC;WUSB54GPSVC; "C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe" "WUSB54GP.exe "
    R3 BCMModem;BCM V.92 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMSM.sys
    R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
    R3 PRISM_A02;802.11a/g USB Driver;C:\WINDOWS\system32\DRIVERS\WUSB20XP.sys
    R3 WinDriver6;Alohabob USB Bridge Cable Driver;C:\WINDOWS\system32\drivers\windrvr6.sys
    S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
    S3 GcKernel;Microsoft SideWinder Value Add - Filter Driver;C:\WINDOWS\system32\DRIVERS\GcKernel.sys
    S3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver;C:\WINDOWS\system32\DRIVERS\HIDSwvd.sys
    S3 iAimFP0;iAimFP0;C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
    S3 iAimFP1;iAimFP1;C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
    S3 iAimFP2;iAimFP2;C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
    S3 iAimFP3;iAimFP3;C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
    S3 iAimFP4;iAimFP4;C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
    S3 iAimTV0;iAimTV0;C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
    S3 iAimTV1;iAimTV1;C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
    S3 iAimTV2;iAimTV2;C:\WINDOWS\system32\DRIVERS\wATV03nt.sys
    S3 iAimTV3;iAimTV3;C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
    S3 iAimTV4;iAimTV4;C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
    S3 IPFilter;Microsoft IntelliPoint Features driver;C:\WINDOWS\system32\DRIVERS\IPFilter.sys
    S3 NMSCFG;NIC Management Service Configuration Driver;\??\C:\WINDOWS\System32\drivers\NMSCFG.SYS
    S3 NMSSvc;Intel(R) NMS;C:\WINDOWS\System32\NMSSvc.exe
    S3 PalmUSBD;PalmUSBD;C:\WINDOWS\system32\drivers\PalmUSBD.sys
    S3 SDdriver;SDdriver;\??\C:\WINDOWS\system32\Drivers\sddriver.sys


    Contents of the 'Scheduled Tasks' folder
    2007-08-12 07:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job - C:\Program Files\AdwareAlert\AdwareAlert.exe
    2007-08-11 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Jerry McDermand.job - C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe
    2007-08-06 16:00:00 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job
    2007-08-12 20:45:51 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
    2007-08-12 16:49:38 C:\WINDOWS\Tasks\sunday computer scan.job
    2007-08-12 04:00:00 C:\WINDOWS\Tasks\Symantec Drmc.job

    **************************************************************************

    catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-08-12 20:47:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\WINDOWS\TEMP

    scan completed successfully
    hidden files: 1

    **************************************************************************

    Completion time: 2007-08-12 20:54:04 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-08-12 20:53
    C:\ComboFix2.txt ... 2007-08-12 19:41

    --- E O F ---
    >>>>>>>>>>>>>>>>>>>>>>>>
    HJT file

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:56:51 PM, on 8/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\RFA\rfagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Kimberly\Desktop\HJT\abc.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download2.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe - http://download2.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.25/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WUSB54GPSVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    O24 - Desktop Component 0: (no name) - http://apsc.disney.go.com/disneychannel/suitelife/downloads/twins_wallpaper/800x600-twins.jpg
    O24 - Desktop Component 1: (no name) - http://zootycoon.com/NR/rdonlyres/2F9648AB-5007-4B89-A6B1-8754D61EFA8E/0/desktop_21_800600.jpg
    O24 - Desktop Component 2: (no name) - http://www.virgin.net/music/wallpapers/images/greenday_thumb.jpg

    --
    End of file - 8927 bytes
    <<<<<<<<<<<<<<<<<<<<<<<<<<
    Delete.bat content:

    @ECHO OFF
    del "%programfiles%\Adverts\uninst.exe" /Q > NUL 2> NUL
    rmdir "%programfiles%\Adverts" > NUL

    I accidentally double clicked when I was selecting the other bat file, prpl_rmdll.bat, and it executed and disappeared (doh). Not good.
     
    cgul,
    #5
  7. 2007/08/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should delete the following file as well.

    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job

    That delete.bat actually looks helpful. Double click it and then delete it. Not good that the other disappeared. Wish I knew what it did. It may be the source of the hidden file that turned up in your temp folder. We'll take care of that now too.

    Delete all of the following tools we have used, and the files/folders they created.

    C:\WINDOWS\nircmd.exe
    C:\DOCUME~1\JERRYM~1\SmitfraudFix
    C:\QOOBOX
    C:\VundoFix Backups
    vundofix.exe
    combofix.exe
    all combofix logs and scripts

    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Reboot.

    Go to Add/Remove programs and uninstall all Java (JRE) listings, then download and install the latest version.

    http://java.com/en/download/index.jsp

    Then, I'd like to get one more scan to make sure we haven't missed anything.

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Select the appropriate Yes or No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh HJT log.

    Let me know how the computer is performing.
     
  8. 2007/08/13
    cgul

    Dave,
    Thanks.
    OK, did everything down to the Panda scan.
    For some reason Panda scans to the same point, then locks up and will not respond; Task Manager is needed to end the process. Did this 3 times.
    On one scan it did show that it had detected and removed a virus and is showing numerous spyware and 2 hacker tools!! But it never gets to displaying a log file.

    Here is a fresh HJT log
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:15:48 PM, on 8/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\RFA\rfagent.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Jerry McDermand\Desktop\HJT\abc.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mmjb.musicmatch.com/mmjb/process.cgi?REQUEST=HOME&VERSION=7.10.4053DELL&LANG=ENU&Grant=0
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
    R3 - URLSearchHook: ScriptInocUI Class - - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download2.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe - http://download2.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.25/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WUSB54GPSVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe

    --
    End of file - 8715 bytes
     
    cgul,
    #7
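    As an added illustration (not part of this thread, and not a HijackThis feature), here is a small Python parser for the HijackThis v2 log format posted above. It separates the running-process list from the numbered findings, counts findings per section, pulls out "(no file)" orphans (registry entries such as the Zango BHO and the ScriptInocUI URLSearchHook whose file is already gone) and lists the hosts that O16 ActiveX controls were downloaded from. The sample log is a constructed subset made of a handful of lines copied from the log above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above, not the complete log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:48 PM, on 8/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: ScriptInocUI Class - - (no file)
O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

--
End of file - 8715 bytes
"""

# Every HijackThis finding starts with a section code (R0-R3 registry values,
# O1-O24 "other" items) followed by " - " and the finding itself.
ENTRY_RE = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running_processes, findings)."""
    processes, findings = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append({"section": m.group("section"), "body": m.group("body")})
    return processes, findings


def find_orphans(findings):
    """Findings whose target is '(no file)': a registry reference (here a BHO and
    a URLSearchHook) to a file that is no longer on disk. The code is gone, but
    the leftover entry records what was installed and can simply be fixed."""
    return [f for f in findings if f["body"].endswith("(no file)")]


def remote_loads(findings):
    """O16 entries are ActiveX controls fetched from a URL (Downloaded Program
    Files); return (control, host) pairs so each source can be reviewed."""
    out = []
    for f in findings:
        if f["section"] != "O16":
            continue
        control = f["body"].split(" - ")[0]
        if control.startswith("DPF: "):
            control = control[len("DPF: "):]
        m = re.search(r"https?://([^/\s]+)", f["body"])
        out.append((control, m.group(1) if m else None))
    return out


def summarize(text):
    """Per-section counts plus the two lists a reviewer looks at first."""
    processes, findings = parse_hjt(text)
    return {
        "processes": len(processes),
        "sections": dict(Counter(f["section"] for f in findings)),
        "orphans": [f["body"] for f in find_orphans(findings)],
        "remote_loads": remote_loads(findings),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    Run against a full log, `summarize` gives a quick picture of how much is left to review: the orphan list is what a helper typically asks to have fixed in HijackThis, and the O16 host list is worth a glance because a stale control from a scanner site (like the Panda one here) is harmless while an unfamiliar host is not.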
  9. 2007/08/13
    noahdfear

  10. 2007/08/14
    cgul

    That one worked; it reports 6 viruses and 10 infected.
    Here is the report:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, August 14, 2007 4:48:55 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 14/08/2007
    Kaspersky Anti-Virus database records: 381162
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 117387
    Number of viruses found: 6
    Number of infected objects: 10
    Number of suspicious objects: 0
    Duration of the scan process: 02:12:05

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Intuit\Setup\IPPS_Federal_Report.csv Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-08-14_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\Kimberly\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Kimberly\Incomplete\Preview-T-2403070-Top of Charts - 2003 (hungry).wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
    C:\Documents and Settings\Kimberly\Incomplete\Preview-T-3045752-01 Track 1 (kiss).wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
    C:\Documents and Settings\Kimberly\Incomplete\Preview-T-4335426-Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
    C:\Documents and Settings\Kimberly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Kimberly\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Kimberly\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\Kimberly\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Kimberly\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Kimberly\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Kimberly\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\SWF Studio\GetURL.dll Object is locked skipped
    C:\Program Files\Common Files\SWF Studio\Registry.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
    C:\Program Files\ezStub.exe Infected: not-a-virus:AdWare.Win32.EZula.bc skipped
    C:\Program Files\G4ILO\MorseTest\uninstall.exe Object is locked skipped
    C:\Program Files\InstallShield Installation Information\{ADF98CF7-1458-412F-976F-BF761A26F2A0}\Setup.ilg Object is locked skipped
    C:\Program Files\InstallShield Installation Information\{E5090856-6E87-4AE1-B6FE-DD4149CB097A}\setup.ilg Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18FC3983.ani Infected: Exploit.Win32.IMG-ANI.au skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1D1F3A8D Infected: not-a-virus:AdWare.Win32.Coupons skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41840C65.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\41A53041.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\481C3E32.wm Infected: Trojan-Downloader.WMA.Wimad.d skipped
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D9E14C5.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped
    C:\Program Files\Sony Handheld\McDermJ\HotSync.Log Object is locked skipped
    C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
    C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
    C:\WINDOWS\WIASERVC.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
    <<<<<<<
    and here is a HJT report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:52:41 PM, on 8/14/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    C:\Program Files\Wireless-G Portable USB Adapter\WUSB54GP.exe
    C:\WINDOWS\system32\taskswitch.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\Program Files\RFA\rfagent.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Kimberly\Desktop\HJT\abc.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Zango /fleok=1D8A83A5C7E1167F99AD6C2A1FBB39BFE4976E26CAEDA120180A196D6093 - {07AA283A-43D7-4CBE-A064-32A21112D94D} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [rfagent] C:\Program Files\RFA\rfagent.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZSYYYYYYYYUS
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Checkers - http://download2.games.yahoo.com/games/clients/y/kt4_x.cab
    O16 - DPF: Yahoo! Chinese Checkers - http://download2.games.yahoo.com/games/clients/y/cct0_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
    O16 - DPF: Yahoo! Go Fish - http://download2.games.yahoo.com/games/clients/y/zt3_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
    O16 - DPF: Yahoo! Tic-Tac-Toe - http://download2.games.yahoo.com/games/clients/y/ft3_x.cab
    O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.25/ttinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    O23 - Service: WUSB54GPSVC - GEMTEKS - C:\Program Files\Wireless-G Portable USB Adapter\WLService.exe
    O24 - Desktop Component 0: (no name) - http://apsc.disney.go.com/disneychannel/suitelife/downloads/twins_wallpaper/800x600-twins.jpg
    O24 - Desktop Component 1: (no name) - http://zootycoon.com/NR/rdonlyres/2F9648AB-5007-4B89-A6B1-8754D61EFA8E/0/desktop_21_800600.jpg
    O24 - Desktop Component 2: (no name) - http://www.virgin.net/music/wallpapers/images/greenday_thumb.jpg

    --
    End of file - 9374 bytes

    Thanks again for the help, Dave
     
    cgul,
    #9
  11. 2007/08/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well good! Not too bad. :)

    These infected items are incomplete Limewire downloads. Delete them.

    C:\Documents and Settings\Kimberly\Incomplete\Preview-T-2403070-Top of Charts - 2003 (hungry).wma
    C:\Documents and Settings\Kimberly\Incomplete\Preview-T-3045752-01 Track 1 (kiss).wma
    C:\Documents and Settings\Kimberly\Incomplete\Preview-T-4335426-Eighties classic.wma

    Limewire, along with many other p2p file sharing apps, is a good source for infections, and I recommend in general not to use them. You must keep in mind that with file sharing apps, you are establishing a direct connection to other people's computers, often many at a time. Many of those computers are seriously infected. The following files are related to the Limewire installation, so if you uninstall it, delete them if they're left over when done.

    C:\Program Files\LimeWireWin.exe
    C:\Program Files\ezStub.exe


    The other infected files are in Norton's quarantined folder, and can be removed through the Norton AV interface.

    I believe we're otherwise done. You should clean out the System Restore points after completing the above and emptying the recycle bin.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.

    Also, Geri has posted some very helpful information and recommendations regarding future protection.

    http://www.windowsbbs.com/showpost.php?p=356653&postcount=49
     
  12. 2007/08/15
    cgul

    cgul Inactive Thread Starter

    Joined:
    2007/08/12
    Messages:
    6
    Likes Received:
    0
    Dave,
    Super, thanks so much for your help. You are a life saver.

    JMc
     
  13. 2007/08/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're most welcome. Glad I could help. :)
     
