My log (from HijackThis)


  • This topic is locked
16 replies to this topic

#1 Dan Feather

  • New Member
  • 9 posts

Posted 13 February 2006 - 12:30 PM

I appreciate any help you can give (to a first-time HijackThis user):

My log:

Logfile of HijackThis v1.99.1
Scan saved at 12:25:01 PM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Owner\Desktop\RemoveSpyware_HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adventureworks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: iDisk Utility.lnk = ?
O4 - Startup: Launch TightVNC Server.lnk = C:\Program Files\TightVNC\WinVNC.exe
O4 - Startup: Shortcut to office-mgr-daily-notes.txt.lnk = Adventureworks_Documents\AW Business, OM Info\office-mgr-daily-notes.txt
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124114659375
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA84C3D-39CF-4C31-B502-FA59B92A8741}: NameServer = 205.152.37.254,205.152.144.235
O18 - Filter: text/html - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll
O18 - Filter: text/plain - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

#2 ken545

  • Forum God
  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 16 February 2006 - 10:58 AM

Dan Feather,


Welcome to the Tom Coyote Forum. You have a few issues we need to address, but before we do, we need to move HJT to its own permanent folder.



DO THIS FIRST
Your HIJACKTHIS program is current, but it is very important that it resides in its own folder.
We will use HijackThis (HJT) to make changes to your system, and HJT will make backups of those changes.
If HJT is not in its own folder, those backups could be lost.

Easy to fix:
* Just go to MY COMPUTER > YOUR C:\ DRIVE, create a new folder and name it HIJACKTHIS.
* Now scroll to where you have HJT currently, right click on the HJT icon and select CUT.
* Now open the new folder you just created, right click within that folder and select PASTE.
* Now HJT should reside in C:\HIJACKTHIS\HIJACKTHIS.EXE


Post back with a new HJT log please.

Ken :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#3 Dan Feather

Posted 16 February 2006 - 12:50 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:38:21 PM, on 2/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adventureworks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: iDisk Utility.lnk = ?
O4 - Startup: Launch TightVNC Server.lnk = C:\Program Files\TightVNC\WinVNC.exe
O4 - Startup: Shortcut to office-mgr-daily-notes.txt.lnk = Adventureworks_Documents\AW Business, OM Info\office-mgr-daily-notes.txt
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124114659375
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA84C3D-39CF-4C31-B502-FA59B92A8741}: NameServer = 205.152.37.254,205.152.144.235
O18 - Filter: text/html - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll
O18 - Filter: text/plain - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 Dan Feather

Posted 16 February 2006 - 12:58 PM

Ken, Thanks! I've moved the app, run it again, and posted the log to a "New Topic." It's "HJT Log - re-posting after advice from ken545" - dan

#5 ken545

Posted 16 February 2006 - 01:13 PM

Dan Feather,

I am looking over your log but you need to reply to this thread only by using the Reply button and not the New Topic button so we can be on the same page and both be notified when we reply.

Hijackthis is right where we want it :thumbup:



Ken :D

 
 

#6 ken545

Posted 16 February 2006 - 01:50 PM

Dan Feather,


Let's do this... I suggest you print this out as we will have to disconnect from the internet for part of the fix.

Look in your Add-Remove Programs in the Control Panel and remove these if they're present; if they're not, don't worry about it.
C:\Program Files\Media Access
C:\Program Files\AutoUpdate

Download the stand-alone version of CWShredder to your desktop, but don't run it yet.



Download and install Ewido Anti-Malware
* Launch Ewido, there should be an icon on your desktop for it to double-click.
o Click on update
o You should see Update Complete when done.
o Now close out the program
Don't run it yet



SHOW HIDDEN FILES AND FOLDERS

* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK

* Don't forget to reverse this once your computer is clean



To Enter SAFEMODE

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD


Now run CWShredder, letting it remove everything it finds.



Now open Ewido

o Click on scanner.
o Run a full system scan
o Let the program scan the machine.
o While the scan is in progress you will be prompted to clean files, click OK.
o Select Perform action on all infections
o Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
o Click Save report.
o Save the report to your desktop.




Open HJT Scan Only, close all open windows (the only window you should have open is HJT), put a checkmark in the following entries and click on Fix Checked.


* R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

* O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com

* O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)

* O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe

* O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"

* O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

* O18 - Filter: text/html - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll

* O18 - Filter: text/plain - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll



Now while in Safemode, look for and delete the files and folders I have in red. Don't be alarmed if you can't find any of them, the scans may have deleted them.


C:\Program Files\Media Access
C:\Program Files\AutoUpdate
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\System32\mfplay.dll



Reboot normally


Download and Install CCleaner

* Click on Run Cleaner
* Run the Issues Scan. When it asks you to back up the Registry, say Yes


Here is a Tutorial for CCleaner
http://www.ccleaner.com/help/tour1.asp


Now post the log from Ewido (I need to see it so I can determine if there is anything hidden on your system that we can't see). And a new HJT log please by using the Reply Button.


Ken :D
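A small triage helper for the fix list above, added here as an illustration (it is not part of ken545's post and not a HijackThis feature): it parses HijackThis entry lines, lists what disappeared between the 13 February and 16 February scans, and picks out the entries that reference the paths named for deletion. The function and variable names are hypothetical; the sample lines are excerpts of the two logs in this thread.

```python
import re
from typing import NamedTuple

# Entry lines look like "O4 - HKLM\..\Run: [Name] path"; the code before
# " - " is the HijackThis section (R0/R1, N3, O1..O23).
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING = "(file missing)"


class Entry(NamedTuple):
    code: str      # section code, e.g. "O4"
    body: str      # rest of the line, verbatim
    missing: bool  # HijackThis could not find the referenced file


def parse_hjt(text):
    """Return the entry lines of a HijackThis log.

    Header lines and the "Running processes:" block do not start with
    "<code> - " and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            body = m.group("body")
            entries.append(Entry(m.group("code"), body, body.endswith(MISSING)))
    return entries


def removed_between(before, after):
    """Entries present in the first scan and absent from the second."""
    seen = {(e.code, e.body) for e in after}
    return [e for e in before if (e.code, e.body) not in seen]


def references(entries, fragments):
    """Entries whose body mentions any path fragment (case-insensitive)."""
    lowered = [f.lower() for f in fragments]
    return [e for e in entries if any(f in e.body.lower() for f in lowered)]


# Excerpt of the log posted on 2/13/2006 (lines copied from this thread).
LOG_13FEB = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Media Access\MediaAccK.exe
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O18 - Filter: text/html - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)"""

# Excerpt of the log posted on 2/16/2006 (lines copied from this thread).
LOG_16FEB = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\Program Files\Media Access\MediaAccK.exe
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O18 - Filter: text/html - {8B28BB68-26A2-4151-B309-B4190EADE2FE} - C:\WINDOWS\System32\mfplay.dll"""

# Files and folders listed for deletion in the post above.
REMOVAL_PATHS = [
    r"C:\Program Files\Media Access",
    r"C:\Program Files\AutoUpdate",
    r"C:\WINDOWS\System32\msbe.dll",
    r"C:\WINDOWS\System32\mfplay.dll",
]

if __name__ == "__main__":
    first, second = parse_hjt(LOG_13FEB), parse_hjt(LOG_16FEB)
    print("Gone since the first scan:")
    for e in removed_between(first, second):
        print(f"  {e.code} - {e.body}")
    print("Still referencing a path on the removal list:")
    for e in references(second, REMOVAL_PATHS):
        flag = "  [file missing]" if e.missing else ""
        print(f"  {e.code} - {e.body}{flag}")
```

Running the same comparison on the log posted after the fix shows whether any entry tied to those paths survived the cleanup.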

 
 

#7 Dan Feather

Posted 16 February 2006 - 01:52 PM

OK. You indicated you're looking over the log. Should I go ahead and post it here as well, so this thread will contain all the 'crumbs?'

#8 ken545

Posted 16 February 2006 - 01:56 PM

Dan, I posted the fix above, just follow all the instructions and post back when done. I merged the other post into this thread so don't look for it, it's all in here, everything that we need. Ken :D

 
 

#9 Dan Feather

Posted 17 February 2006 - 01:16 PM

Ken,

In the list of things you say to remove, you include:

* O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com

I regularly mount an iDisk with this machine. I presume I will be able to again, even after deleting these, right?

- dan

#10 Dan Feather

Posted 17 February 2006 - 02:03 PM

OK. I've followed the remaining steps. Here is the ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:58:06 PM, 2/17/2006
+ Report-Checksum: F8C3A22C

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher.1 -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Classes\SearchRelevancy\CLSID -> Adware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\eXactUtil -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate -> Adware.Apropos : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search Relevancy -> Adware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Adware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Adware.SearchRelevancy : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT -> Adware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Security -> Adware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Enum -> Adware.NaviSearch : Cleaned with backup
HKU\S-1-5-21-3584733210-2136011524-1831234153-1003\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-3584733210-2136011524-1831234153-1003\Software\IST -> Adware.ISTBar : Cleaned with backup
HKU\S-1-5-21-3584733210-2136011524-1831234153-1003\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-3584733210-2136011524-1831234153-1003\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\96fmu8mm.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\96fmu8mm.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\96fmu8mm.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\96fmu8mm.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\96fmu8mm.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\96fmu8mm.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Euniverseads : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@c7.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/exdl.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/mqexdlm.srg -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/exul.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\netut80ex.vxd/C:/WINDOWS/System32/javexulm.vxd -> Adware.BargainBuddy : Cleaned with backup


::Report End

. . . and the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:41 PM, on 2/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adventureworks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: iDisk Utility.lnk = ?
O4 - Startup: Launch TightVNC Server.lnk = C:\Program Files\TightVNC\WinVNC.exe
O4 - Startup: Shortcut to office-mgr-daily-notes.txt.lnk = Adventureworks_Documents\AW Business, OM Info\office-mgr-daily-notes.txt
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124114659375
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA84C3D-39CF-4C31-B502-FA59B92A8741}: NameServer = 205.152.37.254,205.152.144.235
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks!

- dan



#11 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 17 February 2006 - 02:44 PM

Hello Dan, All the malware that I had you remove is gone :thumbup: There are bits and pieces on your log that I am not sure of. As far as the O1 iDisk entry, before I have someone remove it I do research on it and found that it was removed by the majority of moderators in different forums and in different logs. But, just let it be if you feel uncomfortable removing it. I am going to research it further along with a couple of other entries and will be back to you as soon as I can. How is your system running now that we removed a bunch of bad stuff?? Ken :D

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Just a reminder that threads will be closed if no reply in 3 days.

#12 ken545

Posted 17 February 2006 - 03:14 PM

Dan,

Your log looks clean, but I would like to know if your ISP uses a proxy server. This is the entry I am concerned about. We can reset the hosts files with a program if you wish; if you think everything is OK we can leave well enough alone. This entry looks like it may be left over from some previous adware.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,


How is everything running? Are you being redirected anywhere?

Ken :D

Edited by ken545, 17 February 2006 - 03:46 PM.


 
 

#13 Dan Feather

Posted 21 February 2006 - 04:33 PM

Ken wrote:

> Your log looks clean but would like to know if your ISP uses a proxy server?
> This is the entry I am concerned about, we can reset the hosts files with a
> program if you wish, if you think everything is ok we can leave well enough
> alone. This entry looks like it may be left over from some previous Adware.
>
> R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
>
> How is everything running? Are you being redirected anywhere?

Well, I've just used it a little bit, but a few things:

* don't know about 'proxy server' from ISP, but I DO have a static IP assigned by my ISP. Would that entail a proxy server?

* I just launched my browser (Firefox) and was immediately notified by Norton Internet Security (which is up to date) that there was an "intrusion attempt" . . . which happened again when I navigated to another page (and these at a safe site -- my bank's secure site where they swear there are no popups or ads). The intrusions were both from adchannel.contextplus.net . . . These seem to accompany many of the sites I navigate to, though not all. And the intrusion is, so far, always the same domain. I get them too when I browse with MSIE.

. . . Clues?

Thanks so much!

- dan

#14 ken545

Posted 21 February 2006 - 06:39 PM

Hello Again Dan,

Let's do this; this could be the root of your problem. I looked through your Ewido log and found this. It could be a possible rootkit infection that loads on your system before the operating system loads and goes undetected. If it is present, this tool will clean it.


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix © Swandog46 from here:
Aproposfix

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log,
along with the entire contents of the log.txt file in the aproposfix folder.


Ken :D

Edited by ken545, 21 February 2006 - 06:43 PM.


 
 

#15 Dan Feather

Posted 22 February 2006 - 01:46 PM

Dear Ken,

Thanks for hanging in there! It's hard to believe Windows XP would allow something to write itself into a pre-OS-boot position, but that's apparently what happened. After following your last instructions, I surfed a while with Firefox and MSIE and have no more alerts from Norton. Hurray!

Here are the logs you requested:

Log of AproposFix v1.1

************

Running from directory:
C:\Documents and Settings\Owner\Desktop\aproposfix

************



Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CpPO9AAsMW9D]
@="sFH98t.cddcdded:FKDKQUcddcsfd8y:t084dUaUVGOjidFTKXGTUdOQWONQCFeUaU"
"Device"="\\\\.\\Ndibios"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\moumload.sys"
"DriverName"="CdfXWDM"
"HideUninstallerName"="C:\\Program Files\\Uniiends\\cartmler.exe"
"HDll"="C:\\WINDOWS\\system32\\panvclnt.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="WB.OLD"
"InstallationId"="{H99b1ebf-fcf3-7e0c-3ab2-b8ed46fcbba9}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Uniiends\\tftsd11n.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\asfduser.exe"
"Version"="2.0.131"
"LastAURestoreMsgTS"="2006:02:16-21:42:12:718"

************

Removing hidden service:
Service CdfXWDM removed.

Removing hidden folder:
Deletion of folder Uniiends succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\moumload.sys succeeded!
Deletion of file C:\WINDOWS\system32\asfduser.exe succeeded!
Deletion of file C:\WINDOWS\system32\panvclnt.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CpPO9AAsMW9D]
[-HKEY_LOCAL_MACHINE\Software\CpPO9AAsMW9D]

Done!

Finished!
===============

and HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:05:46 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\.Mac Utilities\iDisk Utility for Windows\iDisk Utility for Windows.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://adventureworks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\ex7mvmtp.slt\prefs.js)
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: iDisk Utility.lnk = ?
O4 - Startup: Launch TightVNC Server.lnk = C:\Program Files\TightVNC\WinVNC.exe
O4 - Startup: Shortcut to office-mgr-daily-notes.txt.lnk = Adventureworks_Documents\AW Business, OM Info\office-mgr-daily-notes.txt
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124114659375
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EA84C3D-39CF-4C31-B502-FA59B92A8741}: NameServer = 205.152.37.254,205.152.144.235
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

=======

Thanks again!

- dan
