13 replies to this topic

[a_dim_wit]

I got help from this site like a week ago and all the spyware and other carp** that was deleted came back. When i run the scanners and delete the spyware it will all comeback the very next day. Just today i started getting pop-up ads and that window that asks if i want to download winfixer. A Mcafee Securty Center was also installed onto my computer without me knowing. This spyware also really screws with my internet connection. Some times it won't connnect at all or it will only stay connected for less then an hour. Please help. Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 2:59:34 PM, on 11/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\Documents and Settings\Tonia\Favorites\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Hijack This\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Documents and Settings\Tonia\Favorites\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: @Home - {2BF1D1A7-5E21-4B1B-9FF2-B895EF933D15} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[ken545]

a_dim_wit,

Welcome back to the forum.

Where did you get this program from ???
C:\Program Files\DefenderPro AntiSpy

I cant find any info on it and it is being flagged as a bad program. Is it something that you downloaded randomly?? Please post back and let me know what you know about it.

I am waiting on iformation about it and will be back to your soon.

Ken

[ken545]

a_dim_wit,

These two lines in your HJT log show that you downloaded possibly a online scan from mcafee. This may explain the Mcafee security center. Mcafee is a reputable company and they would not install software without your consent. These two entries in your log are legitimate and there something you downloaded.

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab


As far as this program, the verdict is out on this one.
C:\Program Files\DefenderPro AntiSpy


I need more information from you in order to help you, outside of this program, your log is clean and shows no signs of a virus or malware.

1. Where did you download it from?
2. Was it part of another program that you downloaded. ?
3. Did you download it willingly or did it just show up on your system?
4. What do all the pop ups say, where do they want to take you, to what web address?
5. Can you provide me with a link to the site that you downloaded this program from?

Please try to answer the above questions the best you can with as much detail as possible.

Ken

Edited by ken545, 01 December 2005 - 12:20 PM.

[a_dim_wit]

The McAfee Security Center was downloaded onto my computer without my knowledge. The Defender Pro AntiSpy was purchased from WalMart and it was working really well. Defender Pro was on one CD and it had an anti-spyware program and a firewall. I reported some spyware through the program because it wasn't detecting it. I got an e-mail a few days later that told me to download a newer version. Here's the e-mail.

Dear Sir/Madam,

Please download the new setup from the link given below. Install the new setup and update the Antispy Signature Definition and run a scan.
www.omniquad.com/totalsecurity/dpas.zip



Also enable the HomePage Shield (found in Settings Dialog) and the Popup blocker (Found in Options Window) so that you can safeguard your homepage and block the ad pop ups.



Still if you have any problem please getback to us.

Best Regards,
Karthik S

----- Original Message -----
From: DPASUser@omniquad.com
To: Karthik S
Sent: Friday, August 05, 2005 7:25 AM
Subject: [spywarereports] Spyware Reported from DPAS User


Name: Justin
Email: krazygato007@yahoo.com
CompanyName: omniquad
Lastupdate: Defender Pro anti-spyware and firewall / version 1.1/ august 2, 1005
Version: Defender Pro
OS: XP
Service:
Homepagechanged: No
urlHomePageChangedto:
GettingPopups: Yes
urlAdvertised: ad.yieldmanager.com
DialupConnectionCreated: No
connectioName:
numberDialled:
SearchHijacked: Yes
urlHijacked: www.oemji,com
OperatingSystem: XP/
urlMoreInfo1: ad.marketplace.net adopt.hotbar.com ads.clickagents.com www.ads345.com t.traffic.com
cmdSubmit: Report Spyware



I downloaded from the link and i got another version of Defender Pro. It scans and deletes spyware but when i used to have "BHO Demon" installed on my computer it detected Defender Pro as hazardous or something.

[ken545]

a_dim_wit,

I am getting so many mixed results on that program. Let me ask you this, did your problems start when you installed it or did they start a good time after?? I think at this time I will assume that because LDtate left it alone that it is ok.

You can run HJT Scan Only and put a checkmark in these two lines, close your browser and all open windows and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Lets download and install the 14 day trial of Spysweeper.

Download the trial version of Spy Sweeper from Here
Note: On that page, in the Spy Sweeper section, click the link for "Free Trial", NOT the link for "Free Spyware Scan".
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.


Reboot your computer

Lets also run a couple of online virus scanners and see if they come up with anything.

Trendmicro Housecall
BitDefender Online Scan

When done, post the log from Spysweeper along with a new HJT log please.

[a_dim_wit]

Logfile of HijackThis v1.99.1
Scan saved at 12:52:44 AM, on 12/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\DefenderPro AntiSpy\DPASNT.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Tonia\Favorites\Messenger\ymsgr_tray.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DefenderPro AntiSpy\AntiSpy\TSAntiSpy.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Hijack This\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: OsbornTech Popup Blocker - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [DPAS] "C:\Program Files\DefenderPro AntiSpy\DPASNT.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Documents and Settings\Tonia\Favorites\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: @Home - {2BF1D1A7-5E21-4B1B-9FF2-B895EF933D15} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe







********
9:27 PM: | Start of Session, Friday, December 02, 2005 |
9:27 PM: Spy Sweeper started
9:27 PM: Sweep initiated using definitions version 556
9:27 PM: Starting Memory Sweep
9:30 PM: Memory Sweep Complete, Elapsed Time: 00:02:55
9:30 PM: Starting Registry Sweep
9:30 PM: Found Adware: web dialect toolbar
9:30 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{c68ae9c0-0909-4ddc-b661-c1afb9f5ae53}\ (1 subtraces) (ID = 146237)
9:31 PM: Found Adware: adcom
9:31 PM: HKCR\clsid\{83ec9074-6cba-43e8-b7e0-6a3809c4a958}\ (12 subtraces) (ID = 861285)
9:31 PM: HKCR\clsid\{93f764ac-24d1-484f-92ea-3c84e31cdf72}\ (12 subtraces) (ID = 861315)
9:31 PM: HKCR\clsid\{d360501e-dc73-4de6-a61c-21925aed7835}\ (12 subtraces) (ID = 861344)
9:31 PM: HKCR\clsid\{f9668ada-fc6b-47f4-8381-de861dba5115}\ (12 subtraces) (ID = 861407)
9:31 PM: HKLM\software\classes\clsid\{83ec9074-6cba-43e8-b7e0-6a3809c4a958}\ (12 subtraces) (ID = 861629)
9:31 PM: HKLM\software\classes\clsid\{93f764ac-24d1-484f-92ea-3c84e31cdf72}\ (12 subtraces) (ID = 861659)
9:31 PM: HKLM\software\classes\clsid\{d360501e-dc73-4de6-a61c-21925aed7835}\ (12 subtraces) (ID = 861688)
9:31 PM: HKLM\software\classes\clsid\{f9668ada-fc6b-47f4-8381-de861dba5115}\ (12 subtraces) (ID = 861751)
9:31 PM: Registry Sweep Complete, Elapsed Time:00:00:56
9:31 PM: Starting Cookie Sweep
9:31 PM: Found Spy Cookie: web-stat cookie
9:31 PM: justin@www.web-stat[1].txt (ID = 3649)
9:31 PM: Found Spy Cookie: apmebf cookie
9:31 PM: michael@apmebf[2].txt (ID = 2229)
9:31 PM: Found Spy Cookie: qksrv cookie
9:31 PM: michael@qksrv[2].txt (ID = 3213)
9:31 PM: Found Spy Cookie: 2o7.net cookie
9:31 PM: tony@2o7[1].txt (ID = 1957)
9:31 PM: Found Spy Cookie: advertising cookie
9:31 PM: tony@advertising[2].txt (ID = 2175)
9:31 PM: Found Spy Cookie: atlas dmt cookie
9:31 PM: tony@atdmt[2].txt (ID = 2253)
9:31 PM: Found Spy Cookie: atwola cookie
9:31 PM: tony@atwola[1].txt (ID = 2255)
9:31 PM: Found Spy Cookie: centrport net cookie
9:31 PM: tony@centrport[1].txt (ID = 2374)
9:31 PM: Found Spy Cookie: classmates cookie
9:31 PM: tony@classmates[1].txt (ID = 2384)
9:31 PM: Found Spy Cookie: coremetrics cookie
9:31 PM: tony@data.coremetrics[1].txt (ID = 2472)
9:31 PM: tony@msnportal.112.2o7[1].txt (ID = 1958)
9:31 PM: Found Spy Cookie: questionmarket cookie
9:31 PM: tony@questionmarket[1].txt (ID = 3217)
9:31 PM: Found Spy Cookie: tribalfusion cookie
9:31 PM: tony@tribalfusion[1].txt (ID = 3589)
9:31 PM: Cookie Sweep Complete, Elapsed Time: 00:00:05
9:31 PM: Starting File Sweep
9:57 PM: Found Adware: apropos
9:57 PM: wingenerics.dll (ID = 50187)
10:10 PM: File Sweep Complete, Elapsed Time: 00:38:38
10:10 PM: Full Sweep has completed. Elapsed time 00:42:47
10:10 PM: Traces Found: 120
10:11 PM: Removal process initiated
10:11 PM: Quarantining All Traces: adcom
10:11 PM: Quarantining All Traces: apropos
10:11 PM: Quarantining All Traces: web dialect toolbar
10:11 PM: Quarantining All Traces: 2o7.net cookie
10:11 PM: Quarantining All Traces: advertising cookie
10:11 PM: Quarantining All Traces: apmebf cookie
10:11 PM: Quarantining All Traces: atlas dmt cookie
10:11 PM: Quarantining All Traces: atwola cookie
10:11 PM: Quarantining All Traces: centrport net cookie
10:11 PM: Quarantining All Traces: classmates cookie
10:11 PM: Quarantining All Traces: coremetrics cookie
10:11 PM: Quarantining All Traces: qksrv cookie
10:11 PM: Quarantining All Traces: questionmarket cookie
10:11 PM: Quarantining All Traces: tribalfusion cookie
10:11 PM: Quarantining All Traces: web-stat cookie
10:11 PM: Removal process completed. Elapsed time 00:00:03
********
9:26 PM: | Start of Session, Friday, December 02, 2005 |
9:26 PM: Spy Sweeper started
9:27 PM: | End of Session, Friday, December 02, 2005 |

[ken545]

Good Morning,

It looks like you may still have part of an Rootkit infection , so I would like to have you run the tool to get rid of it. So do this... Follow the instructions to the letter or it won't work.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

I want to thank Swandog46 for this excellent fix.
Please download AproposFix © Swandog46 from here:
Aproposfix

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and save the log, I will need to have you paste it into your next post.


Now download and run this program, it will clean up all the bits and pieces we may have missed.

Please download ewido security suite it is a free version of the program.

• Install ewido security suite
• When installing, under "Additional Options" uncheck..
  • Install background guard
  • Install scan via context menu
• Launch ewido, there should be an icon on your desktop, double-click it.
• The program will now open to the main screen.
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  
• You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
• The update will start and a progress bar will show the updates being installed.
  (the status bar at the bottom will display ("Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

This next program will clean out all your temp files where parts of the infection could still be lurking.

Download and Install CCleaner


* Click on Run Cleaner
* Run the Issues Scan < When it asks you to backup the Registry..Say Yes

Please post the log from AproposFix, the log from Ewido and a new HJT log please, and hopefully this will be the end of it.

[a_dim_wit]

Log of AproposFix v1

************

Running from directory:
D:\Program Files\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!




---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:28:05 PM, 12/16/2005
+ Report-Checksum: 74E5D775

+ Scan result:

C:\Documents and Settings\Justin\Cookies\justin@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Michael\Cookies\michael@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@ehg-nokiafin.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@marthastewart.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Tony\Cookies\tony@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End




Logfile of HijackThis v1.99.1
Scan saved at 11:05:18 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Tonia\Favorites\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Hijack This\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Documents and Settings\Tonia\Favorites\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: @Home - {2BF1D1A7-5E21-4B1B-9FF2-B895EF933D15} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[ken545]

Good Morning

Outside of these two lines I dont see anything bad on your system. Run HJT Scan Only and try removing them again. There not system critical, more clutter than anything else.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Are you still having issues ? I am going to have you set up these two excellent programs. There both free and highly respected by the people in the Malware community. You have Spybot Search and Destroy installed already, just make sure its the latest version 1.4, if not you can download the new version via the links in my signature, along with Ad-Aware SE Personal 1.06. Here are the setup instructions for both programs. Run both programs as I have in my set up.

Please use the links in my signature to download and install both of the following free programs.

Spybot Search and Destroy 1.4

* If you have the older version 1.3, remove it via ADD-REMOVE PROGRAMS in the Control Panel.

Go to Start/ Control Panel/ Add-Remove Programs scroll to that program and click on Remove.

* During Installation, just follow all the defaults.
* Go to Mode and click on Advanced Mode
* Then to Updates Search for Updates
* If you get a Bad Checksum Error, just choose a different download location.
* Then to Settings/ File Sets and take the checkmark out of Usage Tracks
* Then to Tools/ Hosts Files click on Add Spybot S&D Hosts Files.
* Then to Tools/ IE Tweeks and put a checkmark in Lock the Hosts Files
* Then to Immunize. Up at the top by the GREEN SIGN, click on Immunize.
* Then to Search and Destroy/ Check for Problems
* Let it scan your system
* Then to Fix Problems and fix all it finds.

RE-BOOT your computer.



AD-AWARE SE PERSONAL 1.06

If you have an older version of Ad-Aware, no need to uninstall it, it will prompt you to uninstall it during
the set up process

* During installation, follow all the defaults.
* Start the program and Check for Updates
* Choose Perform a Full System Scan
* Take the checkmark out of Search for Negligable Files
* Run the scan
* When it is done, Right Click on One of the Entries/ Select All/ Next and let it remove all that if finds.



Your Java is seriously out of date, you can get the updates from Sun Microsystems HERE

Scroll to the middle of the page and download Download JRE 5.0 Update 6

After it is installed, you can VERIFY the installtion.

Run those two programs, update Java and post a new log and let me know how your computer is running now.

Ken

[a_dim_wit]

Computer is running a lot better than before.

Logfile of HijackThis v1.99.1
Scan saved at 1:01:02 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Tonia\Favorites\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Hijack This\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.excite.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Documents and Settings\Tonia\Favorites\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: @Home - {2BF1D1A7-5E21-4B1B-9FF2-B895EF933D15} - http://home.excite.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.com/
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zone...canner37390.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,26/mcgdmgr.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[ken545]

a_dim_wit,

It looks like one of the scans removed Defender Pro, or did you remove it on your own. That program fell right in the middle of the gray area anyway. Not needed. You are bettter off with the free programs that we recommend. Anytime you get a pop up telling you that your infected to click her for a free scan, DONT DO IT. This Defender Pro has been a real nuisence. You can look in Start> All Programs and see if it is still there. If it doesen't work, then remove it from the Add-Remove Programs in the Control Panel.


Run HJT Scan Only and fix these two entries.

O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll

Outside of that your log looks good .

Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.

* Download and Install CCleaner, Click on RUN TOOL,

Now that your clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.

To Enter SAFEMODE

* Go to START/ SHUT OF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

* Go to My Computer/ C: Drive/ Documents and Settings/ Local Settings/ Every User on this Computer
and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder

* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder.
But not the Prefetch folder itself.

NOW RE-BOOT NORMALLY


* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.

Now Empty your Recycle Bin

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your
system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

Reboot your System

Turn ON System Restore.

* Right-click My Computer.
* ClickProperties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember

* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once aweek.

* Here are Free Anti-Virus Programs if you need one

AVG Free Edition
AntVir Personal Edition


* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.

* Spyware Blaster It will prevent most spyware from ever being installed.

* Spyware Guard It offers realtime protection from spyware installation attempts.

* Win Patrol This program will warn you when any changes are being made to your system and
give you the option to deny the change.

* IE- Spyad IE-Spyad places over 4000 web sites and domains
in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed,
although you will still be able to connect to the sites.

* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use
them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this
for awhile, you will want to make it your default.

* Thunderbird Mail There companion mail program was highly favored in PCWorld Magazine,
this has a good spam filter and is more secure than Outlook Express.

* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't
access the internet without it.

* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.

* Go to START/ CONTROL PANEL> PERFROMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.

I'm curious about Defender Pro, please post back and let me know if a scan took it or if you removed it. I am going to keep this thread open for a few days in case you have any other questions.

Ken

[a_dim_wit]

Defender pro is still on my computer. I found two versions. there was 1.1 ,which was the one i got off the disk i bought at the store, and then there was the one i got from the e-mail. I think i'll uninstall both of them.

[ken545]

a_dim_wit Have a nice Holiday. Ken

[ken545]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php