
Sluggish Computer with PopUps

Discussion in 'Malware and Virus Removal Archive' started by iujmheb, 2005/07/14.

  1. 2005/07/14 iujmheb (Thread Starter)
    My log file is below: Thanks!
    Logfile of HijackThis v1.99.1
    Scan saved at 6:40:14 PM, on 7/14/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\rpkjah.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage ", "yahoo.com ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "intl.charsetmenu.browser.cache ", "UTF-8, ISO-8859-1 ");
    user_pref( "network.cookie.prefsMigrated ", true);
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "privacy.popups.first_popup ", false);
    u
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage ", "yahoo.com ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "intl.charsetmenu.browser.cache ", "UTF-8, ISO-8859-1 ");
    user_pref( "network.cookie.prefsMigrated ", true);
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "privacy.popups.first_popup ", false);
    u
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rpkjah.exe reg_run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
    O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://ctx.jmfamily.com/Citrix/ICAWEB/en/ica32/wficac.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://performancetrac.jmfefinancial.com/reports/ss/viewers/activeXViewer/activexviewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB49BDAE-5D47-4AFB-B70B-38D5547DCEA0}: NameServer = 198.77.116.8
    O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\MPVCRT40.DLL
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  2. 2005/07/14 noahdfear
</grreplace_placeholder_never_used>
<gr_replace lines="180-180" cat="clarify" orig="Ewido has been">
    Ewido has been updated to version 3.5. If you don't have it yet, please uninstall yours and download, install and update. Reboot to safe mode.
    You have a baddie there.

    Ewido has been updated to version 3.5 If you don't have it yet, please uninstall yours and download, install and update. Reboot to safe mode.

    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      • You will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections"
      • If you are unsure of any entry found select none for now.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop.

    Back in Windows, run Panda ActiveScan and save the report. Post back with a new HijackThis log, Ewido log and ActiveScan report.
     

  4. 2005/07/16 iujmheb (Thread Starter)
    Ewido Scan report

    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 10:55:11 AM, 7/16/2005
    + Report-Checksum: BEBC7510

    + Scan result:

    HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
    HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_0\Level_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_1\Level_0 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_1\Level_0\Seqn_5648 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_1\Level_0\Seqn_6660 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_1\Level_0\Seqn_6661 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_1\Level_0\Seqn_7954 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_2 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor\Adwr_291\Loct_2\Level_1 -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor Services -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor Services\Queue -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor Services\Status -> Spyware.Cydoor : Cleaned with backup
    HKU\S-1-5-21-776561741-842925246-1389519059-500\Software\Cydoor Services\Status\cd_htm -> Spyware.Cydoor : Cleaned with backup
    C:\WINDOWS\SYSTEM\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\olmanage.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mtdart.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dset.exe -> Spyware.PurityScan : Cleaned with backup
    C:\WINDOWS\SYSTEM32\puckm.dll -> TrojanDownloader.Qoologic.q : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mlc42.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mscndmgr.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ikclass.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\drgest.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\jbarnp.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\WINDOWS\SYSTEM32\fsst30.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\smesrv.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\zrpixob.dll -> TrojanDownloader.Qoologic.q : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dmcpcsvc.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\rkched20.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\urnp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mtimsg.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mexml3a.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ocfox32.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\shcpack.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mforcl32.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wpw32.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mjc42.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mmvfw32.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wtpdxm.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mutlsapi.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ukib.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mruni11.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\kpdhu.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\kfdkaz.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ghdef.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mwrecr40.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\DAMSSOCN.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\iy50_qc.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\sntupwbv.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dkghelp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\fmsui.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\gydef.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\nwmsmgr.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\MPVCRT40.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\pjcLL.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\Igrdy.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ltfax10N.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\fksst.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ranh.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\AUVIEW32.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\MRT2FW95.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wυaclt.exe -> Spyware.PurityScan : Cleaned with backup
    C:\WINDOWS\SYSTEM32\DlngParser.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\nhxpnt.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\MKVBVM60.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\gxkcsp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\Lgkodak.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wF2time.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wIvemsp.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\dfcpsapi.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mvrecr40.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\pzcLL.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\AGDCXC32.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\lIprxy.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\DqngParser.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\cposys.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\SNntf16.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\inm32.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\wuavusd.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\ie50_32.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mnrt.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mpjint40.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\kudcan.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\khdhu1.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mdmefilt.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\mzisip.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\MNIMTF.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\kfdhe220.dll -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\WINDOWS\SYSTEM32\rpkjah.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\WINDOWS\TEMP\upd207.exe -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\TEMP\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
    C:\WINDOWS\TEMP\upd208.exe -> Spyware.Look2Me : Cleaned with backup
    C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
    C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Spyware.Comet : Cleaned with backup
    C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nidk.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Customer\Local Settings\Temp\Cookies\customer@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@tradedoubler[2].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Customer\Cookies\customer@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.8:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    :mozilla.54:C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\ix36vbkl.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\Customer\Application Data\Mozilla\Profiles\default\5jysv2mh.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.8:C:\Documents and Settings\Customer\Application Data\Mozilla\Profiles\default\5jysv2mh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\Customer\Application Data\Mozilla\Profiles\default\5jysv2mh.slt\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Jo Jo\Cookies\jo jo@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\OXUBGLIZ\swk_videos[2].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\OXUBGLIZ\psycho_kid[2].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SXWHEN49\re-mix[2].htm -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\David\Cookies\david@adopt.specificclick[3].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\David\Cookies\david@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\HJT\backups\backup-20050706-154533-858.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
    C:\Recycled\NPROTECT\00028750.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00028805.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00031440.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00031444.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
    C:\Recycled\NPROTECT\00031445.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\Recycled\NPROTECT\00031446.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\Recycled\NPROTECT\00031447.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
    C:\Recycled\NPROTECT\00028562.exe -> Spyware.PurityScan : Cleaned with backup
    C:\Recycled\NPROTECT\00028564.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00029144.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00029191.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\Recycled\NPROTECT\00029328.DLL -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00029446.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\Recycled\NPROTECT\00029448.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
    C:\Recycled\NPROTECT\00029674.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00029728.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00029859.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00030094.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\NPROTECT\00030128.dll -> Spyware.Look2Me : Cleaned with backup
    C:\Recycled\Dc425\dset.exe -> Spyware.PurityScan : Cleaned with backup
    C:\Recycled\Dc398.exe -> Spyware.PurityScan : Cleaned with backup
    C:\Recycled\Dc399.com -> TrojanDropper.Agent.pb : Cleaned with backup
     
  5. 2005/07/16 iujmheb (Thread Starter)
    Panda ActiveScan Report

    Incident Status Location

    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G52BKD6J\!update-2164[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KBOFA7ON\!update-2154[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8RWLIFBI\!update-2114[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8RWLIFBI\!update-2134[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GYULYUZC\!update-2174[1].0000
    Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
    Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\SYSTEM32\pkqau.dat
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\dhfgskw.dll
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
    Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\SYSTEM32\jadna.dll
    Adware:Adware/ConsumerAlertSystem No disinfected C:\WINDOWS\TEMP\cassetup.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casmf.dll
    Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casclient.exe
    Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\Uninstall.exe
    Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\Customer\Local Settings\Temp\temp.frA2C6
    Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\Customer\Local Settings\Temp\temp.fr40ED
    Virus:Trj/Downloader.CYL No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[Table of Contents.hhc]
    Adware:Adware/XPlugin No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[file.exe]
    Adware:Adware/MSSearch No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[q.htm]
    Possible Virus. No disinfected C:\HJT\backups\backup-20050706-154534-168.dll
    Thank you so much for your help
     
  6. 2005/07/16
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Several things to do here, so we'll take it one thing at a time. ;)

    Please download L2mfix

    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread. Please post a new HijackThis log as well.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder unless you are asked to do so!
     
  7. 2005/07/16
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    L2MFIX Log

    L2MFIX find log 1.03
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
    "Asynchronous"=dword:00000000
    "DllName"="C:\\WINDOWS\\system32\\wywfaxui.dll"
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "{94F9C5D3-6BD7-30E1-1D0B-D33EAB3D4A20}"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{00022613-0000-0000-C000-000000000046} "= "Multimedia File Property Sheet "
    "{176d6597-26d3-11d1-b350-080036a75b03} "= "ICM Scanner Management "
    "{1F2E5C40-9550-11CE-99D2-00AA006E086C} "= "NTFS Security Page "
    "{3EA48300-8CF6-101B-84FB-666CCB9BCD32} "= "OLE Docfile Property Page "
    "{40dd6e20-7c17-11ce-a804-00aa003ca9f6} "= "Shell extensions for sharing "
    "{41E300E0-78B6-11ce-849B-444553540000} "= "PlusPack CPL Extension "
    "{42071712-76d4-11d1-8b24-00a0c9068ff3} "= "Display Adapter CPL Extension "
    "{42071713-76d4-11d1-8b24-00a0c9068ff3} "= "Display Monitor CPL Extension "
    "{42071714-76d4-11d1-8b24-00a0c9068ff3} "= "Display Panning CPL Extension "
    "{4E40F770-369C-11d0-8922-00A024AB2DBB} "= "DS Security Page "
    "{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} "= "Compatibility Page "
    "{56117100-C0CD-101B-81E2-00AA004AE837} "= "Shell Scrap DataHandler "
    "{59099400-57FF-11CE-BD94-0020AF85B590} "= "Disk Copy Extension "
    "{59be4990-f85c-11ce-aff7-00aa003ca9f6} "= "Shell extensions for Microsoft Windows Network objects "
    "{5DB2625A-54DF-11D0-B6C4-0800091AA605} "= "ICM Monitor Management "
    "{675F097E-4C4D-11D0-B6C1-0800091AA605} "= "ICM Printer Management "
    "{764BF0E1-F219-11ce-972D-00AA00A14F56} "= "Shell extensions for file compression "
    "{77597368-7b15-11d0-a0c2-080036af3f03} "= "Web Printer Shell Extension "
    "{7988B573-EC89-11cf-9C00-00AA00A14F56} "= "Disk Quota UI "
    "{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} "= "Encryption Context Menu "
    "{85BBD920-42A0-1069-A2E4-08002B30309D} "= "Briefcase "
    "{88895560-9AA2-1069-930E-00AA0030EBC8} "= "HyperTerminal Icon Ext "
    "{BD84B380-8CA2-1069-AB1D-08000948F534} "= "Fonts "
    "{DBCE2480-C732-101B-BE72-BA78E9AD5B27} "= "ICC Profile "
    "{F37C5810-4D3F-11d0-B4BF-00AA00BBB723} "= "Printers Security Page "
    "{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} "= "Shell extensions for sharing "
    "{f92e8c40-3d33-11d2-b1aa-080036a75b03} "= "Display TroubleShoot CPL Extension "
    "{7444C717-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto PKO Extension "
    "{7444C719-39BF-11D1-8CD9-00C04FC29D45} "= "Crypto Sign Extension "
    "{7007ACC7-3202-11D1-AAD2-00805FC1270E} "= "Network Connections "
    "{992CFFA0-F557-101A-88EC-00DD010CCC48} "= "Network Connections "
    "{E211B736-43FD-11D1-9EFB-0000F8757FCD} "= "Scanners & Cameras "
    "{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD} "= "Scanners & Cameras "
    "{905667aa-acd6-11d2-8080-00805f6596d2} "= "Scanners & Cameras "
    "{3F953603-1008-4f6e-A73A-04AAC7A992F1} "= "Scanners & Cameras "
    "{83bbcbf3-b28a-4919-a5aa-73027445d672} "= "Scanners & Cameras "
    "{F0152790-D56E-4445-850E-4F3117DB740C} "= "Remote Sessions CPL Extension "
    "{60254CA5-953B-11CF-8C96-00AA00B8708C} "= "Shell extensions for Windows Script Host "
    "{2206CDB2-19C1-11D1-89E0-00C04FD7A829} "= "Microsoft Data Link "
    "{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Icon Handler "
    "{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF} "= "Tasks Folder Shell Extension "
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF} "= "Scheduled Tasks "
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1} "= "Taskbar and Start Menu "
    "{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0} "= "Search "
    "{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0} "= "Help and Support "
    "{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} "= "Help and Support "
    "{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0} "= "Run... "
    "{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0} "= "Internet "
    "{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0} "= "E-mail "
    "{D20EA4E1-3957-11d2-A40B-0C5020524152} "= "Fonts "
    "{D20EA4E1-3957-11d2-A40B-0C5020524153} "= "Administrative Tools "
    "{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} "= "Audio Media Properties Handler "
    "{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} "= "Video Media Properties Handler "
    "{E4B29F9D-D390-480b-92FD-7DDB47101D71} "= "Wav Properties Handler "
    "{87D62D94-71B3-4b9a-9489-5FE6850DC73E} "= "Avi Properties Handler "
    "{A6FD9E45-6E44-43f9-8644-08598F5A74D9} "= "Midi Properties Handler "
    "{c5a40261-cd64-4ccf-84cb-c394da41d590} "= "Video Thumbnail Extractor "
    "{5E6AB780-7743-11CF-A12B-00AA004AE837} "= "Microsoft Internet Toolbar "
    "{22BF0C20-6DA7-11D0-B373-00A0C9034938} "= "Download Status "
    "{91EA3F8B-C99B-11d0-9815-00C04FD91972} "= "Augmented Shell Folder "
    "{6413BA2C-B461-11d1-A18A-080036B11A03} "= "Augmented Shell Folder 2 "
    "{F61FFEC1-754F-11d0-80CA-00AA005B4383} "= "BandProxy "
    "{7BA4C742-9E81-11CF-99D3-00AA004AE837} "= "Microsoft BrowserBand "
    "{30D02401-6A81-11d0-8274-00C04FD5AE38} "= "Search Band "
    "{32683183-48a0-441b-a342-7c2a440a9478} "= "Media Band "
    "{169A0691-8DF9-11d1-A1C4-00C04FD75D13} "= "In-pane search "
    "{07798131-AF23-11d1-9111-00A0C98BA67D} "= "Web Search "
    "{AF4F6510-F982-11d0-8595-00AA004CD6D8} "= "Registry Tree Options Utility "
    "{01E04581-4EEE-11d0-BFE9-00AA005B4383} "= "&Address "
    "{A08C11D2-A228-11d0-825B-00AA005B4383} "= "Address EditBox "
    "{00BB2763-6A77-11D0-A535-00C04FD7D062} "= "Microsoft AutoComplete "
    "{7376D660-C583-11d0-A3A5-00C04FD706EC} "= "TridentImageExtractor "
    "{6756A641-DE71-11d0-831B-00AA005B4383} "= "MRU AutoComplete List "
    "{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A} "= "Custom MRU AutoCompleted List "
    "{7e653215-fa25-46bd-a339-34a2790f3cb7} "= "Accessible "
    "{acf35015-526e-4230-9596-becbe19f0ac9} "= "Track Popup Bar "
    "{E0E11A09-5CB8-4B6C-8332-E00720A168F2} "= "Address Bar Parser "
    "{00BB2764-6A77-11D0-A535-00C04FD7D062} "= "Microsoft History AutoComplete List "
    "{03C036F1-A186-11D0-824A-00AA005B4383} "= "Microsoft Shell Folder AutoComplete List "
    "{00BB2765-6A77-11D0-A535-00C04FD7D062} "= "Microsoft Multiple AutoComplete List Container "
    "{ECD4FC4E-521C-11D0-B792-00A0C90312E1} "= "Shell Band Site Menu "
    "{3CCF8A41-5C85-11d0-9796-00AA00B90ADF} "= "Shell DeskBarApp "
    "{ECD4FC4C-521C-11D0-B792-00A0C90312E1} "= "Shell DeskBar "
    "{ECD4FC4D-521C-11D0-B792-00A0C90312E1} "= "Shell Rebar BandSite "
    "{DD313E04-FEFF-11d1-8ECD-0000F87A470C} "= "User Assist "
    "{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11} "= "Global Folder Settings "
    "{EFA24E61-B078-11d0-89E4-00C04FC9E26E} "= "Favorites Band "
    "{0A89A860-D7B1-11CE-8350-444553540000} "= "Shell Automation Inproc Service "
    "{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} "= "Shell DocObject Viewer "
    "{A5E46E3A-8849-11D1-9D8C-00C04FC99D61} "= "Microsoft Browser Architecture "
    "{FBF23B40-E3F0-101B-8488-00AA003E56F8} "= "InternetShortcut "
    "{3C374A40-BAE4-11CF-BF7D-00AA006946EE} "= "Microsoft Url History Service "
    "{FF393560-C2A7-11CF-BFF4-444553540000} "= "History "
    "{7BD29E00-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{7BD29E01-76C1-11CF-9DD0-00A0C9034933} "= "Temporary Internet Files "
    "{CFBFAE00-17A6-11D0-99CB-00C04FD64497} "= "Microsoft Url Search Hook "
    "{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC} "= "IE4 Suite Splash Screen "
    "{67EA19A0-CCEF-11d0-8024-00C04FD75D13} "= "CDF Extension Copy Hook "
    "{131A6951-7F78-11D0-A979-00C04FD705A2} "= "ISFBand OC "
    "{9461b922-3c5a-11d2-bf8b-00c04fb93661} "= "Search Assistant OC "
    "{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} "= "The Internet "
    "{871C5380-42A0-1069-A2EA-08002B30309D} "= "Internet Name Space "
    "{EFA24E64-B078-11d0-89E4-00C04FC9E26E} "= "Explorer Band "
    "{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE} "= "Sendmail service "
    "{88C6C381-2E85-11D0-94DE-444553540000} "= "ActiveX Cache Folder "
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED} "= "WebCheck "
    "{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE} "= "Subscription Mgr "
    "{F5175861-2688-11d0-9C5E-00AA00A45957} "= "Subscription Folder "
    "{08165EA0-E946-11CF-9C87-00AA005127ED} "= "WebCheckWebCrawler "
    "{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB} "= "WebCheckChannelAgent "
    "{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7} "= "TrayAgent "
    "{7D559C10-9FE9-11d0-93F7-00AA0059CE02} "= "Code Download Agent "
    "{E6CC6978-6B6E-11D0-BECA-00C04FD940BE} "= "ConnectionAgent "
    "{D8BD2030-6FC9-11D0-864F-00AA006809D9} "= "PostAgent "
    "{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB} "= "WebCheck SyncMgr Handler "
    "{352EC2B7-8B9A-11D1-B8AE-006008059382} "= "Shell Application Manager "
    "{0B124F8F-91F0-11D1-B8B5-006008059382} "= "Installed Apps Enumerator "
    "{CFCCC7A0-A282-11D1-9082-006008059382} "= "Darwin App Publisher "
    "{e84fda7c-1d6a-45f6-b725-cb260c236066} "= "Shell Image Verbs "
    "{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178} "= "Shell Image Data Factory "
    "{3F30C968-480A-4C6C-862D-EFC0897BB84B} "= "GDI+ file thumbnail extractor "
    "{9DBD2C50-62AD-11d0-B806-00C04FD706EC} "= "Summary Info Thumbnail handler (DOCFILES) "
    "{EAB841A0-9550-11cf-8C16-00805F1408F3} "= "HTML Thumbnail Extractor "
    "{eb9b1153-3b57-4e68-959a-a3266bc3d7fe} "= "Shell Image Property Handler "
    "{CC6EEFFB-43F6-46c5-9619-51D571967F7D} "= "Web Publishing Wizard "
    "{add36aa8-751a-4579-a266-d66f5202ccbb} "= "Print Ordering via the Web "
    "{6b33163c-76a5-4b6c-bf21-45de9cd503a1} "= "Shell Publishing Wizard Object "
    "{58f1f272-9240-4f51-b6d4-fd63d1618591} "= "Get a Passport Wizard "
    "{7A9D77BD-5403-11d2-8785-2E0420524153} "= "User Accounts "
    "{BD472F60-27FA-11cf-B8B4-444553540000} "= "Compressed (zipped) Folder Right Drag Handler "
    "{888DCA60-FC0A-11CF-8F0F-00C04FD7D062} "= "Compressed (zipped) Folder SendTo Target "
    "{63da6ec0-2e98-11cf-8d82-444553540000} "= "FTP Folders Webview "
    "{883373C3-BF89-11D1-BE35-080036B11A03} "= "Microsoft DocProp Shell Ext "
    "{A9CF0EAE-901A-4739-A481-E35B73E47F6D} "= "Microsoft DocProp Inplace Edit Box Control "
    "{8EE97210-FD1F-4B19-91DA-67914005F020} "= "Microsoft DocProp Inplace ML Edit Box Control "
    "{0EEA25CC-4362-4A12-850B-86EE61B0D3EB} "= "Microsoft DocProp Inplace Droplist Combo Control "
    "{6A205B57-2567-4A2C-B881-F787FAB579A3} "= "Microsoft DocProp Inplace Calendar Control "
    "{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33} "= "Microsoft DocProp Inplace Time Control "
    "{8A23E65E-31C2-11d0-891C-00A024AB2DBB} "= "Directory Query UI "
    "{9E51E0D0-6E0F-11d2-9601-00C04FA31A86} "= "Shell properties for a DS object "
    "{163FDC20-2ABC-11d0-88F0-00A024AB2DBB} "= "Directory Object Find "
    "{F020E586-5264-11d1-A532-0000F8757D7E} "= "Directory Start/Search Find "
    "{0D45D530-764B-11d0-A1CA-00AA00C16E65} "= "Directory Property UI "
    "{62AE1F9A-126A-11D0-A14B-0800361B1103} "= "Directory Context Menu Verbs "
    "{ECF03A33-103D-11d2-854D-006008059367} "= "MyDocs Copy Hook "
    "{ECF03A32-103D-11d2-854D-006008059367} "= "MyDocs Drop Target "
    "{4a7ded0a-ad25-11d0-98a8-0800361b1103} "= "MyDocs Properties "
    "{750fdf0e-2a26-11d1-a3ea-080036587f03} "= "Offline Files Menu "
    "{10CFC467-4392-11d2-8DB4-00C04FA31A66} "= "Offline Files Folder Options "
    "{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E} "= "Offline Files Folder "
    "{143A62C8-C33B-11D1-84FE-00C04FA34A14} "= "Microsoft Agent Character Property Sheet Handler "
    "{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6} "= "DfsShell "
    "{60fd46de-f830-4894-a628-6fa81bc0190d} "= "%DESC_PublishDropTarget% "
    "{7A80E4A8-8005-11D2-BCF8-00C04F72C717} "= "MMC Icon Handler "
    "{0CD7A5C0-9F37-11CE-AE65-08002B2E1262} "= ".CAB file viewer "
    "{32714800-2E5F-11d0-8B85-00AA0044F941} "= "For &People... "
    "{8DD448E6-C188-4aed-AF92-44956194EB1F} "= "Windows Media Player Play as Playlist Context Menu Handler "
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C} "= "Windows Media Player Burn Audio CD Context Menu Handler "
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD} "= "Windows Media Player Add to Playlist Context Menu Handler "
    "{568804CA-CBD7-11d0-9816-00C04FD91972} "= "Menu Shell Folder "
    "{5b4dae26-b807-11d0-9815-00c04fd91972} "= "Menu Band "
    "{8278F931-2A3E-11d2-838F-00C04FD918D0} "= "Tracking Shell Menu "
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972} "= "Menu Site "
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1} "= "Menu Desk Bar "
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2} "= "IShellFolderBand "
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383} "= "&Links "
    "{7487cd30-f71a-11d0-9ea7-00805f714772} "= "Thumbnail Image "
    "{8BEBB290-52D0-11D0-B7F4-00C04FD706EC} "= "Thumbnails "
    "{7D688A77-C613-11D0-999B-00C04FD655E1} "= "SlowFile Icon Overlay "
    "{6C47FB97-4B7B-11D3-A9BA-00C04FA3624C} "= "Reflection FTP Neighborhood "
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} "= "Shell Extensions for RealOne Player "
    "{BDEADF00-C265-11d0-BCED-00A0C90AB50F} "= "Web Folders "
    "{0006F045-0000-0000-C000-000000000046} "= "Microsoft Outlook Custom Icon Handler "
    "{5a61f7a0-cde1-11cf-9113-00aa00425c62} "= "IIS Shell Extension "
    "{e57ce731-33e8-4c51-8354-bb4de9d215d1} "= "Universal Plug and Play Devices "
    "{A58686ED-FC46-44C3-95C6-4A812AB776F1} "= "NetFerret IE Toolbar "
    "{fe7634c0-f7b3-11cf-b9b4-444553540000} "= "NetFerret "
    "{A4DF5659-0801-4A60-9607-1C48695EFDA9} "= "Share-to-Web Upload Folder "
    "{f39a0dc0-9cc8-11d0-a599-00c04fd64433} "= "Channel File "
    "{f3aa0dc0-9cc8-11d0-a599-00c04fd64434} "= "Channel Shortcut "
    "{f3ba0dc0-9cc8-11d0-a599-00c04fd64435} "= "Channel Handler Object "
    "{f3da0dc0-9cc8-11d0-a599-00c04fd64437} "= "Channel Menu "
    "{f3ea0dc0-9cc8-11d0-a599-00c04fd64438} "= "Channel Properties "
    "{C14F7681-33D8-11D3-A09B-00500402F30B} "= "AvxShellEx "
    "{E0D79304-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79305-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79306-84BE-11CE-9641-444553540000} "= "WinZip "
    "{E0D79307-84BE-11CE-9641-444553540000} "= "WinZip "
    "{B5FB6487-7E79-4816-B73B-8A65E41971DA} "= "BullGuard Antivirus v4 "
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED} "= "Auto Update Property Sheet Extension "
    "{5464D816-CF16-4784-B9F3-75C0DB52B499} "= "Yahoo! Mail "
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} "= "iTunes "
    "{FA010552-4A27-4cb1-A1BB-3E2D697F1639} "= "SpySubtract Shell Extension "
    "{63542C48-9552-494A-84F7-73AA6A7C99C1} "= "OpenOffice Property Sheet Handler "
    "{76530261-D526-436A-8CAC-750EA8AB44F6}"=""
    "{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}"=""
    "{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}"=""
    "{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}"=""
    "{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}"=""
    "{82F1ED11-CE08-4297-A959-B9783AC9968D}"=""

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}]
    @=""
    "IDEx"="ST"

    [HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}\InprocServer32]
    @="C:\\WINDOWS\\system32\\DlngParser.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}\InprocServer32]
    @="C:\\WINDOWS\\system32\\DqngParser.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}\InprocServer32]
    @="C:\\WINDOWS\\system32\\drgest.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}\InprocServer32]
    @="C:\\WINDOWS\\system32\\mutlsapi.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}\InprocServer32]
    @="C:\\WINDOWS\\system32\\riutetab.dll"
    "ThreadingModel"="Apartment"

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\CLSID\{82F1ED11-CE08-4297-A959-B9783AC9968D}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{82F1ED11-CE08-4297-A959-B9783AC9968D}\Implemented Categories]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{82F1ED11-CE08-4297-A959-B9783AC9968D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
    @=""

    [HKEY_CLASSES_ROOT\CLSID\{82F1ED11-CE08-4297-A959-B9783AC9968D}\InprocServer32]
    @="C:\\WINDOWS\\system32\\fsst30.dll"
    "ThreadingModel"="Apartment"

    **********************************************************************************
    Files Found are not all bad files:
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C is DISK1PART01
    Volume Serial Number is 66E1-4093

    Directory of C:\WINDOWS\System32

    07/16/2005 06:46 PM 417,792 riutetab.dll
    07/15/2005 01:42 PM 417,792 wywfaxui.dll
    07/07/2005 08:16 PM 417,792 guard.tmp
    10/18/2002 12:26 AM <DIR> Microsoft
    10/17/2002 11:42 PM <DIR> dllcache
    08/23/2001 12:00 PM 995,383 mfc42.dll
    08/23/2001 12:00 PM 50,688 MSVCIRT.DLL
    08/23/2001 12:00 PM 106,496 OLEPRO32.DLL
    08/23/2001 12:00 PM 322,560 msvcrt.dll
    08/23/2001 12:00 PM 401,462 msvcp60.dll
    08/23/2001 12:00 PM 9,728 REGSVR32.EXE
    09/30/1999 07:21 PM 166,672 mstext35.dll
    09/28/1999 09:42 PM 1,050,896 msjet35.dll
    09/09/1999 10:06 PM 252,688 msexcl35.dll
    09/09/1999 10:06 PM 168,720 msltus35.dll
    08/25/1999 02:57 PM 415,504 msrepl35.dll
    06/07/1999 06:59 PM 250,128 mspdox35.dll
    04/25/1999 05:00 PM 287,504 Msxbse35.dll
    01/22/1998 05:05 AM 6,144 access.ctl
    17 File(s) 5,737,949 bytes
    2 Dir(s) 23,550,033,920 bytes free
     
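The find log above is what a helper reads by hand: a Winlogon Notify DLL with a random name, CLSIDs approved as shell extensions with no display name whose InprocServer32 points into system32, and several system32 files of exactly the same size. The Python script below is an added example, not code from the thread, from L2mfix or from its author; it parses a constructed excerpt modeled on that log and applies those three checks automatically. The allowlist of Notify DLL names is an assumption (a subset of the Windows XP defaults, to be adjusted per build), and the WinZip InprocServer32 path is constructed control data.

```python
import re
from collections import defaultdict

# Constructed excerpt, modeled on the L2mfix find log posted above.
# The WinZip entry and its path are constructed benign control data.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout]
"DllName"="C:\\WINDOWS\\system32\\wywfaxui.dll"

[HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}]
@=""
"IDEx"="ST"

[HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}\InprocServer32]
@="C:\\WINDOWS\\system32\\DlngParser.dll"

[HKEY_CLASSES_ROOT\CLSID\{E0D79304-84BE-11CE-9641-444553540000}]
@="WinZip"

[HKEY_CLASSES_ROOT\CLSID\{E0D79304-84BE-11CE-9641-444553540000}\InprocServer32]
@="C:\\Program Files\\WinZip\\wzshlext.dll"

Directory of C:\WINDOWS\System32

07/16/2005 06:46 PM 417,792 riutetab.dll
07/15/2005 01:42 PM 417,792 wywfaxui.dll
07/07/2005 08:16 PM 417,792 guard.tmp
10/18/2002 12:26 AM <DIR> Microsoft
08/23/2001 12:00 PM 995,383 mfc42.dll
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
DIR_RE = re.compile(r'^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S.*)$')
NOTIFY_KEY = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
# Assumed allowlist: DLLs behind the default Windows XP Notify subkeys; adjust per build.
KNOWN_NOTIFY_DLLS = {'crypt32.dll', 'cryptnet.dll', 'cscdll.dll', 'wlnotify.dll', 'sclgntfy.dll'}


def parse_reg_export(text):
    """Parse .reg-style sections into {key: {value_name: value}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = '@' if m.group(1) == '@' else m.group(1)[1:-1]
            value = m.group(2)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                # .reg strings escape backslash and quote with a backslash
                value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = value
    return keys


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def suspicious_notify_dlls(keys):
    """(subkey, DllName) for Winlogon Notify handlers whose DLL is not on the allowlist."""
    prefix = NOTIFY_KEY.lower() + '\\'
    hits = []
    for key, values in keys.items():
        dll = values.get('DllName', '')
        if key.lower().startswith(prefix) and dll and basename(dll).lower() not in KNOWN_NOTIFY_DLLS:
            hits.append((key[len(prefix):], dll))
    return hits


def unnamed_inproc_clsids(keys):
    """(CLSID, server DLL) for CLSIDs with an empty default name served from system32."""
    hits = []
    for key, values in keys.items():
        m = re.match(r'^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]+\})$', key)
        if m and values.get('@', '') == '':
            server = keys.get(key + '\\InprocServer32', {}).get('@', '')
            if '\\system32\\' in server.lower():
                hits.append((m.group(1), server))
    return hits


def same_size_files(text, min_count=2):
    """Byte sizes shared by >= min_count files in the listing (Look2Me drops clones)."""
    by_size = defaultdict(list)
    for raw in text.splitlines():
        m = DIR_RE.match(raw.strip())
        if m:
            by_size[int(m.group(1).replace(',', ''))].append(m.group(2))
    return {size: names for size, names in by_size.items() if len(names) >= min_count}


def triage(text):
    keys = parse_reg_export(text)
    return {'notify': suspicious_notify_dlls(keys),
            'clsid': unnamed_inproc_clsids(keys),
            'same_size': same_size_files(text)}


if __name__ == '__main__':
    for section, hits in triage(SAMPLE_LOG).items():
        print(section, hits)
```

To run it against a real find log, read the file into a string and pass it to `triage()` in place of `SAMPLE_LOG`. Hits are indicators to review, not verdicts: a legitimate product can register its own Notify DLL, so the allowlist must be maintained for the machine's actual software, and the same-size check is only meaningful alongside the other two.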
  8. 2005/07/16
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 6:58:41 PM, on 7/16/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage ", "yahoo.com ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "intl.charsetmenu.browser.cache ", "UTF-8, ISO-8859-1 ");
    user_pref( "network.cookie.prefsMigrated ", true);
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "privacy.popups.first_popup ", false);
    u
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref( "aim.session.firsttime ", false);
    user_pref( "browser.activation.checkedNNFlag ", true);
    user_pref( "browser.bookmarks.added_static_root ", true);
    user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src ");
    user_pref( "browser.startup.homepage ", "yahoo.com ");
    user_pref( "browser.startup.homepage_override.mstone ", "rv:1.7.2 ");
    user_pref( "dom.disable_open_during_load ", true);
    user_pref( "intl.charsetmenu.browser.cache ", "UTF-8, ISO-8859-1 ");
    user_pref( "network.cookie.prefsMigrated ", true);
    user_pref( "prefs.converted-to-utf8 ", true);
    user_pref( "privacy.popups.first_popup ", false);
    u
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jbarnp.exe reg_run
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
    O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://ctx.jmfamily.com/Citrix/ICAWEB/en/ica32/wficac.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://performancetrac.jmfefinancial.com/reports/ss/viewers/activeXViewer/activexviewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB49BDAE-5D47-4AFB-B70B-38D5547DCEA0}: NameServer = 198.77.116.8
    O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\wywfaxui.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thx for the help!
     
  9. 2005/07/16
    noahdfear

    Great! :)

    Close any programs you have open since this step requires a reboot.

    From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.
     
  10. 2005/07/16
    iujmheb

    L2Mfix 1.03a

    Running From:
    C:\Documents and Settings\Customer\Desktop\l2mfix



    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting registry permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Denying C(CI) access for predefined group "Administrators"
    - adding new ACCESS DENY entry


    Registry Permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (CI) DENY --C------- BUILTIN\Administrators
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER



    Setting up for Reboot


    Starting Reboot!

    C:\Documents and Settings\Customer\Desktop\l2mfix
    System Rebooted!

    Running From:
    C:\Documents and Settings\Customer\Desktop\l2mfix

    killing explorer and rundll32.exe

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 2044 'explorer.exe'
    Killing PID 2044 'explorer.exe'

    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
    Killing PID 876 'rundll32.exe'

    Scanning First Pass. Please Wait!

    First Pass Completed

    Second Pass Scanning

    Second pass Completed!
    Backing Up: C:\WINDOWS\system32\riutetab.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\riutetab.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\wywfaxui.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\wywfaxui.dll
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\guard.tmp
    1 file(s) copied.
    Backing Up: C:\WINDOWS\system32\guard.tmp
    1 file(s) copied.
    deleting: C:\WINDOWS\system32\riutetab.dll
    Successfully Deleted: C:\WINDOWS\system32\riutetab.dll
    deleting: C:\WINDOWS\system32\riutetab.dll
    Successfully Deleted: C:\WINDOWS\system32\riutetab.dll
    deleting: C:\WINDOWS\system32\wywfaxui.dll
    Successfully Deleted: C:\WINDOWS\system32\wywfaxui.dll
    deleting: C:\WINDOWS\system32\wywfaxui.dll
    Successfully Deleted: C:\WINDOWS\system32\wywfaxui.dll
    deleting: C:\WINDOWS\system32\guard.tmp
    Successfully Deleted: C:\WINDOWS\system32\guard.tmp
    deleting: C:\WINDOWS\system32\guard.tmp
    Successfully Deleted: C:\WINDOWS\system32\guard.tmp

    Desktop.ini sucessfully removed


    Zipping up files for submission:
    adding: riutetab.dll (deflated 48%)
    adding: wywfaxui.dll (deflated 48%)
    adding: guard.tmp (deflated 48%)
    adding: echo.reg (deflated 10%)
    adding: clear.reg (deflated 58%)
    adding: desktop.ini (stored 0%)
    adding: readme.txt (deflated 49%)
    adding: direct.txt (stored 0%)
    adding: report.txt (deflated 64%)
    adding: lo2.txt (deflated 78%)
    adding: test2.txt (deflated 39%)
    adding: test3.txt (deflated 39%)
    adding: test5.txt (deflated 39%)
    adding: test.txt (deflated 73%)
    adding: xfind.txt (deflated 70%)
    adding: backregs/shell.reg (deflated 73%)
    adding: backregs/76530261-D526-436A-8CAC-750EA8AB44F6.reg (deflated 69%)
    adding: backregs/E4A0B18C-99AC-4B4C-804B-3271ADCF617E.reg (deflated 70%)
    adding: backregs/CB1BEFAE-B160-4417-BFB0-B37D769DC69D.reg (deflated 71%)
    adding: backregs/64F42CCB-C3E8-4228-9FF0-6F49FFD2238E.reg (deflated 70%)
    adding: backregs/3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB.reg (deflated 70%)
    adding: backregs/82F1ED11-CE08-4297-A959-B9783AC9968D.reg (deflated 70%)

    Restoring Registry Permissions:


    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!


    Revoking access for predefined group "Administrators"
    Inherited ACE can not be revoked here!
    Inherited ACE can not be revoked here!


    Registry permissions set too:

    RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
    Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
    This program is Freeware, use it on your own risk!

    Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-NI) ALLOW Read BUILTIN\Users
    (ID-IO) ALLOW Read BUILTIN\Users
    (ID-NI) ALLOW Read BUILTIN\Power Users
    (ID-IO) ALLOW Read BUILTIN\Power Users
    (ID-NI) ALLOW Full access BUILTIN\Administrators
    (ID-IO) ALLOW Full access BUILTIN\Administrators
    (ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
    (ID-IO) ALLOW Full access CREATOR OWNER


    Restoring Sedebugprivilege:

    Granting SeDebugPrivilege to Administrators ... successful

    deleting local copy: riutetab.dll
    deleting local copy: riutetab.dll
    deleting local copy: wywfaxui.dll
    deleting local copy: wywfaxui.dll
    deleting local copy: guard.tmp
    deleting local copy: guard.tmp

    The following Is the Current Export of the Winlogon notify key:
    ****************************************************************************
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
    "Asynchronous"=dword:00000000
    "DllName"=""
    "Impersonate"=dword:00000000
    "Logon"="WinLogon"
    "Logoff"="WinLogoff"
    "Shutdown"="WinShutdown"


    The following are the files found:
    ****************************************************************************
    C:\WINDOWS\system32\riutetab.dll
    C:\WINDOWS\system32\riutetab.dll
    C:\WINDOWS\system32\wywfaxui.dll
    C:\WINDOWS\system32\wywfaxui.dll
    C:\WINDOWS\system32\guard.tmp
    C:\WINDOWS\system32\guard.tmp

    Registry Entries that were Deleted:
    Please verify that the listing looks ok.
    If there was something deleted wrongly there are backups in the backreg folder.
    ****************************************************************************
    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{76530261-D526-436A-8CAC-750EA8AB44F6}"=-
    "{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}"=-
    "{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}"=-
    "{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}"=-
    "{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}"=-
    "{82F1ED11-CE08-4297-A959-B9783AC9968D}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{76530261-D526-436A-8CAC-750EA8AB44F6}]
    [-HKEY_CLASSES_ROOT\CLSID\{E4A0B18C-99AC-4B4C-804B-3271ADCF617E}]
    [-HKEY_CLASSES_ROOT\CLSID\{CB1BEFAE-B160-4417-BFB0-B37D769DC69D}]
    [-HKEY_CLASSES_ROOT\CLSID\{64F42CCB-C3E8-4228-9FF0-6F49FFD2238E}]
    [-HKEY_CLASSES_ROOT\CLSID\{3DD69B82-E2BE-4A8A-A7A5-5DBC9EF563BB}]
    [-HKEY_CLASSES_ROOT\CLSID\{82F1ED11-CE08-4297-A959-B9783AC9968D}]
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    ****************************************************************************
    Desktop.ini Contents:
    ****************************************************************************
    [.ShellClassInfo]
    CLSID={645FF040-5081-101B-9F08-00AA002F954E}
    ****************************************************************************
    
     
  11. 2005/07/16
    iujmheb

    New HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:11:59 PM, on 7/16/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Outlook Express\Msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "yahoo.com");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    u
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "yahoo.com");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    u
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jbarnp.exe reg_run
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
    O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://ctx.jmfamily.com/Citrix/ICAWEB/en/ica32/wficac.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://performancetrac.jmfefinancial.com/reports/ss/viewers/activeXViewer/activexviewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB49BDAE-5D47-4AFB-B70B-38D5547DCEA0}: NameServer = 198.77.116.8
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    Thx Again!
     
  12. 2005/07/17
    noahdfear

    Fix this line with HJT.

    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jbarnp.exe reg_run

    Copy the contents of the quote box below to a blank notepad. Make sure the formatting remains the same.
    Close it, saving to your desktop as:

    File name: clean.bat
    Save As Type: All Files


    Copy the contents of the code box below to a blank notepad. Make sure the formatting remains the same.
    Close it, saving to your desktop as:

    File name: delAlt.reg
    Save As Type: All Files

    Code:
    REGEDIT4
    
    [-HKLM\SOFTWARE\Altnet\Dashboard\Messages]
    [-HKLM\SOFTWARE\Altnet\Dashboard]
    [-HKLM\SOFTWARE\Altnet]
    
    Copy the following command to text and save as AltExp.txt

    regedit /e c:\Altnet.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Altnet"

    Reboot to safe mode, logon to the Administrator account, double click the clean.bat and allow it to complete.

    Double click the delAlt.reg file and allow it to merge with the registry.

    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Temp if present, select all and delete.
    Open My Computer, right click Local Disk C: and select properties, then disk cleanup. Check all boxes except 'compress old files' and click OK. Allow it to complete.

    Log out and log onto your user account (still in safe mode). Run Disk cleanup.

    Reboot back into Windows, open the AltExp.txt and copy the command. Click Start>run and paste the command, then hit enter.

    Scan again with Panda ActiveScan. Please post a new HJT log and the Panda report, as well as the contents of Altnet.txt file located in C:
     
  13. 2005/07/17
    iujmheb

    New Logs

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]
    "SharedMediaDir"="C:\\Program Files\\Kazaa\\My Shared Folder"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]
    "PMversion"=dword:000003e8
    Logfile of HijackThis v1.99.1
    Scan saved at 9:10:02 AM, on 7/17/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
    C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Outlook Express\Msimn.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\OPScan.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "yahoo.com");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    u
    N3 - Netscape 7: # Mozilla User Preferences

    /* Do not edit this file.
    *
    * If you make changes to this file while the browser is running,
    * the changes will be overwritten when the browser exits.
    *
    * To make a manual change to preferences, you can visit the URL about:config
    * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
    */

    user_pref("aim.session.firsttime", false);
    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage", "yahoo.com");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.7.2");
    user_pref("dom.disable_open_during_load", true);
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("network.cookie.prefsMigrated", true);
    user_pref("prefs.converted-to-utf8", true);
    user_pref("privacy.popups.first_popup", false);
    u
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O4 - Global Startup: officejet 6100.lnk = ?
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htm
    O8 - Extra context menu item: &Encyclopedia - http://files.db3nf.com/scripts/ie-e.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://ctx.jmfamily.com/Citrix/ICAWEB/en/ica32/wficac.cab
    O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.com/app/ST/ActiveX.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
    O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://performancetrac.jmfefinancial.com/reports/ss/viewers/activeXViewer/activexviewer.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EB49BDAE-5D47-4AFB-B70B-38D5547DCEA0}: NameServer = 198.77.116.8
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    Incident Status Location

    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G52BKD6J\!update-2164[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KBOFA7ON\!update-2154[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8RWLIFBI\!update-2114[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8RWLIFBI\!update-2134[1].0000
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GYULYUZC\!update-2174[1].0000
    Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp
    Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\SYSTEM32\pkqau.dat
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\dhfgskw.dll
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
    Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\SYSTEM32\jadna.dll
    Adware:Adware/ConsumerAlertSystem No disinfected C:\WINDOWS\TEMP\cassetup.exe
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casmf.dll
    Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\casclient.exe
    Adware:Adware/ConsumerAlertSystem No disinfected C:\Program Files\Cas\Client\Uninstall.exe
    Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\Customer\Local Settings\Temp\temp.frA2C6
    Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\Customer\Local Settings\Temp\temp.fr40ED
    Virus:Trj/Downloader.CYL No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[Table of Contents.hhc]
    Adware:Adware/XPlugin No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[file.exe]
    Adware:Adware/MSSearch No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[q.htm]
    Possible Virus. No disinfected C:\HJT\backups\backup-20050706-154534-168.dll
     
  14. 2005/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your log looks good, but it appears you posted the first ActiveScan report. Please delete and run ActiveScan again, then post the report.

    Are you comfortable editing the registry?
     
  15. 2005/07/18
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    Editing Registry

    Yes, I am OK with editing the registry. I will post the new ActiveScan with my next post.
    Thx!
     
  16. 2005/07/18
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    New Panda ActiveScan

    Here is my new Panda ActiveScan. I am comfortable editing the registry. Thanks for the help!

    Incident Status Location

    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\datadx.dll
    Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\__delete_on_reboot__datadx.dll
    Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.inf
    Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Customer\Desktop\l2mfix\backup.zip[riutetab.dll]
    Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Customer\Desktop\l2mfix\backup.zip[wywfaxui.dll]
    Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Customer\Desktop\l2mfix\backup.zip[guard.tmp]
    Virus:Trj/Downloader.CYL No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[Table of Contents.hhc]
    Adware:Adware/XPlugin No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[file.exe]
    Adware:Adware/MSSearch No disinfected C:\Documents and Settings\D&D'S\Local Settings\Temporary Internet Files\Content.IE5\RLQIS925\126[1].chm[q.htm]
    Possible Virus. No disinfected C:\HJT\backups\backup-20050706-154534-168.dll
     
    Last edited: 2005/07/18
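The two ActiveScan reports above are compared by eye in this thread (datadx.dll persisted, guard.tmp is now only a backup copy). As an added example that is not part of the original thread, the Python below parses Panda's "Incident Status Location" lines, tolerates the missing space seen in some pasted lines, separates live files from HijackThis/l2mfix backup copies, and diffs two reports; the sample lines are constructed from the reports posted here.

```python
import re
from typing import NamedTuple

# Constructed sample: lines copied from the two Panda ActiveScan reports in this
# thread, one of them with the space before the status lost in the forum paste.
FIRST_SCAN = [
    r"Adware:Adware/Look2Me No disinfected C:\WINDOWS\SYSTEM32\guard.tmp",
    r"Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\SYSTEM32\pkqau.dat",
    r"Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\datadx.dll",
    r"Adware:Adware/ConsumerAlertSystemNo disinfected C:\WINDOWS\TEMP\cassetup.exe",
    r"Possible Virus. No disinfected C:\HJT\backups\backup-20050706-154534-168.dll",
]
SECOND_SCAN = [
    r"Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\datadx.dll",
    r"Possible Virus. No disinfected C:\WINDOWS\SYSTEM32\__delete_on_reboot__datadx.dll",
    r"Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Customer\Desktop\l2mfix\backup.zip[guard.tmp]",
    r"Possible Virus. No disinfected C:\HJT\backups\backup-20050706-154534-168.dll",
]

# "<Incident> <Status> <Location>"; \s* tolerates the missing space before the status.
LINE_RE = re.compile(r"^(?P<incident>.+?)\s*(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")
# HijackThis and l2mfix backup copies: still worth deleting, but not an active infection.
QUARANTINE_RE = re.compile(r"\\HJT\\backups\\|backup\.zip\[", re.IGNORECASE)


class Finding(NamedTuple):
    incident: str
    status: str
    location: str


def parse_report(lines):
    """Parse report lines, skipping the header and anything that does not fit the format."""
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [Finding(m["incident"], m["status"], m["location"]) for m in matches if m]


def live_findings(findings):
    """Undisinfected locations that are not quarantine copies, i.e. still live on disk."""
    return [f.location for f in findings
            if f.status == "No disinfected" and not QUARANTINE_RE.search(f.location)]


def compare_reports(first, second):
    """Locations that persisted, were cleared, or appeared between two scans (case-insensitive)."""
    a = {f.location.lower(): f.location for f in parse_report(first)}
    b = {f.location.lower(): f.location for f in parse_report(second)}
    return {"persisted": sorted(b[k] for k in a.keys() & b.keys()),
            "cleared": sorted(a[k] for k in a.keys() - b.keys()),
            "new": sorted(b[k] for k in b.keys() - a.keys())}
```

A `__delete_on_reboot__` copy in the second report is a deletion still pending a reboot, so it shows up as live until the machine has been restarted and rescanned.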
  17. 2005/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I had hoped that datadx.dll was gone. Since it's not, let's go after it first. ;)

    Download WinPFind, saving it to the desktop. Right click and extract to a folder on the desktop.

    Download Track qoo, saving it to the desktop also.

    Reboot into Safe Mode

    Open the WinPFind folder and doubleclick WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient!

    Reboot back to Normal Mode.

    Double click on "Track qoo.vbs"

    Note - If your antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this entire script to run, it's harmless!

    Wait a few seconds and a notepad page will pop up. Post those results and the contents of the WinPFind.txt located in the WinPFind folder.
     
  18. 2005/07/20
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    Trackgoo

    I can't seem to locate the download trackgoo when I click on it.
     
  19. 2005/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Umm, do you mean that the download does not start when you click the link, or that you get the download, but then can't find it?
     
  20. 2005/07/21
    iujmheb

    iujmheb Inactive Thread Starter

    Joined:
    2005/02/27
    Messages:
    46
    Likes Received:
    0
    Trackgoo

    When I click on the trackgoo link that you posted, it takes me to a Geeks to Go page, but I don't see anything on the page where trackgoo is located.
     
  21. 2005/07/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15