What the Tech

Hidden Malware
Rico Saltarello
post Oct 31 2006, 11:08 PM
Post #1

Operating System: Windows XP



I keep getting WinAntiSpyware, DriveCleaner, SystemDoctor or some such web page popping up.

I've run Lavasoft Ad-Aware (mostly cleaned MRU, nothing out of the ordinary), Spybot S&D (nothing), and Symantec Antivirus (only Gamespy Arcade, which came with the game BF2). I restarted the machine between all of the above.

I try to keep Windows XP updated and security settings on (although recently, it looked like the firewall had been turned off). And I use Firefox 1.5.0.7 (will upgrade to 2.0 soon).

Here is my HijackThis log.

CODE
Logfile of HijackThis v1.99.1
Scan saved at 11:57:29 PM, on 10/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Documents and Settings\Nicholas\Desktop\HijackThis\HijackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127255129953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Any suggestions?
Micah_6:8
post Nov 1 2006, 05:56 AM
Post #2

Operating System: XP (SP2)



Welcome to the forum

Please do this:

Rename:

C:\Documents and Settings\Nicholas\Desktop\HijackThis\HijackThis.exe

To:

C:\Documents and Settings\Nicholas\Desktop\HijackThis\showme.exe

Reboot, run it, and post a new log file into this thread.

I believe you have an infection that hides from HijackThis!

If so, this process will show anything hiding so we can see what we're dealing with.

Please do not put the log in a "Quote" nor a "Code" box. That just makes it more difficult to work with.
Rico Saltarello
post Nov 1 2006, 09:32 AM
Post #3

Operating System: Windows XP



Ok, I renamed HijackThis to showme and re-ran it. Here is the new log *not* in a code tag.

Logfile of HijackThis v1.99.1
Scan saved at 10:28:55 AM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nicholas\Desktop\showme.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127255129953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Micah_6:8
post Nov 1 2006, 11:39 AM
Post #4

Operating System: XP (SP2)



Looks like I fibbed....

Nothing new has shown up....

Let's go this route.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
This program is for XP and Windows 2000 only

Don't run it yet.

Download and install the 30 day trial of AVG Anti-Spyware 7.5 to your desktop.
  • Once you have downloaded AVG Anti-Spyware 7.5, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon Update then select the Update now link.
  • Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
  • Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
  • Under Reports
  • Select Automatically generate report after every scan
  • Un-Select Only if threats were found
  • Close AVG Anti-Spyware 7.5 <-- Do not run the scan yet.
Boot your computer into Safemode
  • Go to Start> Shut Off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
  • This will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to SAFEMODE
  • Then press the Enter on your Keyboard
Tutorial if you need it: How to boot into Safemode

Once in Safe Mode:

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All.
Click the Empty Selected button.
Close the program.

IMPORTANT: Do not open any other windows or programs while AVG is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware 7.5 by double-clicking the icon on your desktop.
  • Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
  • Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select Apply all actions
  • Next select the Reports icon at the top.
  • Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
  • make sure to remember where you saved that file, this is important
  • Close AVG Anti-Spyware 7.5
Boot normally.

Post:

1. A new HijackThis! log.

2. The report from AVG Anti-Spyware.
Rico Saltarello
post Nov 1 2006, 10:07 PM
Post #5

Operating System: Windows XP



AVG found a virus called Downloader.ayy

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:03:33 PM, on 11/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Nicholas\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127255129953
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



---------------------------------

And here is the AVG Report; the cookies found are from my gf's account. ATF didn't clean them, I guess.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:00:08 PM 11/1/2006

+ Scan result:



C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\iTunes\iTunesHelper.exe -> Downloader.Agent.ayy : No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP268\A0054282.exe -> Downloader.Agent.ayy : No action taken.
C:\WINDOWS\system32\dla\tfswctrl.exe -> Downloader.Agent.ayy : No action taken.
C:\WINDOWS\system32\nvraidservice.exe -> Downloader.Agent.ayy : No action taken.
C:\WINDOWS\Downloaded Program Files\gsda.dll -> Not-A-Virus.Downloader.Win32.SpyGame : No action taken.
:mozilla.10:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.14:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.153:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.165:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.52:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.6:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.327:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.273:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.274:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.275:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Adserver : No action taken.
:mozilla.33:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.34:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.295:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.296:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.297:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
:mozilla.355:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Burstbeacon : No action taken.
:mozilla.356:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.55:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.66:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.27:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
:mozilla.328:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.329:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.195:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.196:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.204:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.303:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.29:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.30:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.31:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.32:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.206:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.222:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
:mozilla.84:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.239:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.240:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.241:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.242:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.28:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Specificclick : No action taken.
:mozilla.247:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.249:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.250:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.251:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.252:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.254:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.255:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.258:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.283:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.284:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.285:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.276:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.277:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.278:C:\Documents and Settings\Kelly\Application Data\Mozilla\Firefox\Profiles\5ngn4fwd.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end

Micah_6:8
post Nov 2 2006, 05:45 AM
Post #6


Evilware Emancipator
*******

Group: Authentic Member
Posts: 10,064
Joined: 22-April 04
From: The Land of "Ah's"...
Member No.: 5,189
Operating System: XP (SP2)



Please click HERE and select Save. Save FindAWF to your desktop.

Double-click FindAWF.exe and let it run; it will create the file awf.txt on your desktop when finished.

Open awf.txt in Notepad, and copy/paste its contents into your next post.

Are you still getting any WinAntiSpyware, DriveCleaner, or SystemDoctor pop-ups?
Rico Saltarello
post Nov 2 2006, 08:30 AM
Post #7


I haven't used my computer much since the files were quarantined, but I think all of the popups have stopped. Thanks again for your help.

Here is the AWF log:


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

06/14/2006 03:24 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/11/2006 10:41 AM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
07/22/2005 04:02 PM 126,464 nvraidservice.exe
2 File(s) 141,824 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/09/2004 07:31 PM 66,680 ccApp.exe
1 File(s) 66,680 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 04:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

01/27/2005 01:02 AM 86,016 DMXLauncher.exe
1 File(s) 86,016 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 04:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 04:50 PM 81,920 issch.exe
07/27/2004 04:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003 05:48 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/06/2005 11:46 PM 57,344 apdproxy.exe
1 File(s) 57,344 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

36465208 Apr 30 2006 "C:\Documents and Settings\Kelly\Desktop\iTunesSetup.exe"
278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
274433 Oct 11 2005 "C:\WINDOWS\Downloaded Installations\{13616DE2-9795-4910-8C93-80D45AF09658}\iTunesSetup.exe"
274433 Dec 21 2005 "C:\WINDOWS\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\iTunesSetup.exe"
274433 Jun 19 2006 "C:\WINDOWS\Downloaded Installations\{54C0D94A-F467-4ABC-9D02-6E58748668D4}\iTunesSetup.exe"
274433 Feb 23 2006 "C:\WINDOWS\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\iTunesSetup.exe"
274433 Oct 18 2005 "C:\WINDOWS\Downloaded Installations\{872653C6-5DDC-488B-B7C2-CF9E4D9335E5}\iTunesSetup.exe"
37518744 Aug 17 2006 "C:\Documents and Settings\Nicholas\Desktop\installation files\iTunesSetup.exe"
282624 Sep 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
283136 Jul 22 2005 "C:\WINDOWS\system32\NvRaidMan.exe"
126464 Jul 22 2005 "C:\WINDOWS\system32\bak\nvraidservice.exe"
66680 Jun 9 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
86016 Jan 27 2005 "C:\Program Files\Dell\Media Experience\bak\DMXLauncher.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
57344 Jun 6 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"


end of report
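The "bak folders found" section of the report above is the pattern FindAWF hunts for: a copy of a legitimate startup executable sitting in a `bak` subfolder directly beneath the folder where that executable normally lives, while the file at the original location is the one the AVG report flagged. The script below is an added example, not part of this thread or of FindAWF: it walks a tree, pairs every file in a `bak` folder with its namesake one level up, and classifies the pair by SHA-256 as missing, identical or different. The sample tree it builds in a temp directory is constructed to mirror three entries of the posted report (sizes taken from the report, contents are filler).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Status of a file found in a "bak" subfolder, compared with its namesake one level up,
# where the legitimate startup executable normally lives.
MISSING = "missing"      # namesake gone (e.g. quarantined): restore candidate from bak
IDENTICAL = "identical"  # namesake has the same bytes as the bak copy: nothing to do
DIFFERS = "differs"      # a different file sits where the original was: investigate it

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage_bak_folders(root):
    """Walk root; for every file inside a directory named 'bak' (any case), compare it
    with the same-named file in the parent directory. Returns sorted (parent, name, size, status)."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            bak_file = bak_dir / name
            original = bak_dir.parent / name
            if not original.is_file():
                status = MISSING
            elif sha256_of(original) == sha256_of(bak_file):
                status = IDENTICAL
            else:
                status = DIFFERS
            results.append((str(bak_dir.parent), name, bak_file.stat().st_size, status))
    return sorted(results)

def build_sample_tree(base):
    """Constructed sample mirroring three entries of the posted report: sizes come from
    the report, the bytes are filler rather than the real binaries."""
    def write(rel, size, fill):
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(fill * size)
    write("WINDOWS/system32/ctfmon.exe", 15360, b"c")            # original still in place
    write("WINDOWS/system32/bak/ctfmon.exe", 15360, b"c")        # identical bak copy
    write("Program Files/Java/bin/bak/jusched.exe", 32881, b"j")  # namesake was quarantined
    write("Program Files/QuickTime/bak/qttask.exe", 282624, b"q")
    write("Program Files/QuickTime/qttask.exe", 21504, b"x")      # 21504-byte file in its place

def run_demo():
    """Build the sample tree in a temp dir, triage it, and return rows with the parent
    directory shortened to its last component."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        rows = triage_bak_folders(tmp)
    return [(Path(p).name, n, size, status) for p, n, size, status in rows]

if __name__ == "__main__":
    for parent, name, size, status in run_demo():
        print(f"{status:9} {size:>7} {parent}/{name}")
```

Point `triage_bak_folders` at a real drive root instead of the sample tree to get the same three-way classification for every `bak` folder on a machine; "differs" rows are the ones worth submitting to a scanner before anything is restored.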
Micah_6:8
post Nov 2 2006, 11:02 AM
Post #8





Thank you for choosing TomCoyote for your malware removal solutions.

M68

Please read:
Securing Your PC After An Attack

Micah_6:8
post Nov 5 2006, 09:06 PM
Post #9





Rico Saltarello,

Are you still monitoring this thread?

I have a request from someone to convey.
Rico Saltarello
post Nov 6 2006, 07:51 AM
Post #10




Yes, I'm still monitoring this thread. Thanks for your help so far.
Micah_6:8
post Nov 6 2006, 09:26 AM
Post #11





I have a request for you to upload the files in your AVG Anti-Spyware quarantine folder.

Do you still have them?

I believe the ones they are most interested in are these:

QUOTE
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:00:08 PM 11/1/2006

+ Scan result:

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.ayy : No action taken.
C:\Program Files\iTunes\iTunesHelper.exe -> Downloader.Agent.ayy : No action taken.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP268\A0054282.exe -> Downloader.Agent.ayy : No action taken.
C:\WINDOWS\system32\dla\tfswctrl.exe -> Downloader.Agent.ayy : No action taken.
C:\WINDOWS\system32\nvraidservice.exe -> Downloader.Agent.ayy : No action taken.


All the ones that said "Downloader.Agent.ayy" are of interest.

Are they still in the quarantine folder?

If so, can you post the "full path name" to the quarantine folder?

Probably something like this:

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\quarantine

But I'm just guessing.

Micah_6:8
post Dec 5 2006, 06:17 PM
Post #12





This topic is now closed.

If you need this topic reopened, please request this by sending an email to us at the following link

(Click for address)
Include your post user name and detail why you need it reopened with a valid link to your post.
Any bad links or emails that are not from the original poster will be deleted without response.
Any emails without the subject "Reopen" will be deleted without being looked at.

If this is not your thread please start a New Topic.
