


my log


83 replies to this topic

#16 sdutcher


Posted 24 March 2007 - 07:53 AM

That was the Panda report. I am back in the Kaspersky online scan now, still getting those pop-up windows while online, but if I am running scans offline, they don't come up. Also, I found 3 user folders that were password protected, so I went into safe mode, changed the ownership of those and deleted any Internet Explorer temporary files.



#17 IndiGenus


Posted 24 March 2007 - 02:46 PM

Can you post a fresh HJT log for review? Thanks, Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then Posted Image

Logs will be closed if you haven't replied within 5 days



Proud Graduate of TC/WTT Classroom



"To find perfect composure in the midst of change is to find ourselves in nirvana."

Suzuki Roshi


#18 sdutcher


Posted 26 March 2007 - 05:06 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:01:09 AM, on 3/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\TrueSwitchVerizonYahoo\TrueInstall.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Documents and Settings\Andrew Horsfall\Desktop\help files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~2\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Startup: TrueSwitch Wizard Verizon Yahoo.lnk = C:\Program Files\TrueSwitchVerizonYahoo\TrueInstall.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.micros...b?1165785661687
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} - https://netservices..../DSLControl.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...TrueInstall.exe
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

#19 sdutcher


Posted 26 March 2007 - 05:06 AM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 24, 2007 11:55:57 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 24/03/2007
Kaspersky Anti-Virus database records: 285456
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 56645
Number of viruses found: 13
Number of infected objects: 151 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:10:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0f089bd22bcf453ccf810126980056fe_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3905f0a0a26ca29aa4901d5c45e85501_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4ad2a42c17daf75b38f2e4a7d6d6e4a1_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\569dd682d9ab39adb7a62975b2256a79_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\684022895e042d95da3395278522a327_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\68b5a73dac7cc6e14f1e263f43a263fc_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cd41c6f0419848b802e6ad96fea065d_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7224bcd4e9c279dc8a90ccaf4b9e671_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f96db401122ef1904f57836808d8dd71_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/VXH8JKDQ6.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Andrew Horsfall\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\DoctorWeb\Quarantine\f3PSSavr.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\History\History.IE5\MSHist012007032420070325\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Temp\3pdEYU.exe Infected: not-a-virus:AdWare.Win32.WinFetcher.d skipped
C:\Documents and Settings\Andrew Horsfall\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\ntuser.dat Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew Horsfall\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Temp\WERC8.tmp.dir00\taskdir.exe.hdmp Object is locked skipped
C:\Documents and Settings\Becky\Local Settings\Temp\WERC8.tmp.dir00\taskdir.exe.mdmp Object is locked skipped
C:\Documents and Settings\Becky\ntuser.dat Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\av3B6.exe/data0006 Infected: not-a-virus:FraudTool.Win32.SpyDawn.a skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\av3B6.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\SystemDoctorFreeSetup.exe/Stream/data0005 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\SystemDoctorFreeSetup.exe/Stream Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\SystemDoctorFreeSetup.exe Inno: infected - 2 skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER1A.tmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER1A.tmp.dir00\appcompat.txt Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER1A.tmp.dir00\manifest.txt Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER1A.tmp.dir00\taskdir.exe.hdmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER1A.tmp.dir00\taskdir.exe.mdmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER271.tmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER334.tmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER368.tmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER368.tmp.dir00\appcompat.txt Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER368.tmp.dir00\manifest.txt Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER368.tmp.dir00\taskdir.exe.hdmp Object is locked skipped
C:\Documents and Settings\Jare'\Local Settings\Temp\WER368.tmp.dir00\taskdir.exe.mdmp Object is locked skipped
C:\Documents and Settings\Jare'\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\2 baby teacups.doc Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\alex youngg.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\alexs page.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\alexx 2.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\alexx.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\angel.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\Desktop.ini Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\dont matter.doc Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\Fave Songs.doc Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\henry.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\iTunes.lnk Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\pitty.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\poe.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\Rockstar.doc Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\soonsi.jpg Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\Thumbs.db Object is locked skipped
C:\Documents and Settings\Skittlez45689\Desktop\Hannah's folder\titanic pics 1.doc Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20061118024722.zip Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqdb.dat Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqsdb.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-2587760716-676309004-189216933-1013\Dc1.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-2587760716-676309004-189216933-1013\Dc11.doc Object is locked skipped
C:\RECYCLER\S-1-5-21-2587760716-676309004-189216933-1013\Dc2.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2587760716-676309004-189216933-1013\Dc4.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2587760716-676309004-189216933-1013\Dc5.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-2587760716-676309004-189216933-1013\Dc6.jpg Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP145\A0079603.exe Infected: not-a-virus:RiskTool.Win32.PsKill.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP145\A0079604.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP146\A0079634.exe Infected: Trojan.Win32.SecondThought.ae skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP146\A0079636.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP147\change.log Object is locked skipped
C:\WINDOWS\BOOTSTAT.DAT:bzehr:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:bzehr:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:bzehr:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:bzehr:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:bzehr:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:bzehr:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\BOOTSTAT.DAT:yxqls:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:yxqls:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:yxqls:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:yxqls:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:yxqls:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\BOOTSTAT.DAT:yxqls:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\WrapperOuter1153.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j skipped
C:\WINDOWS\Downloaded Program Files\WrapperOuter1153.EXE WiseSFX: infected - 1 skipped
C:\WINDOWS\Downloaded Program Files\WrapperOuter1153.EXE WiseSFX Dropper: infected - 1 skipped
C:\WINDOWS\DtcInstall.log:lomjo:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\DtcInstall.log:lomjo:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\DtcInstall.log:lomjo:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\DtcInstall.log:lomjo:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\DtcInstall.log:lomjo:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\DtcInstall.log:lomjo:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\Greenstone.bmp:zcdso:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Greenstone.bmp:zcdso:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Greenstone.bmp:zcdso:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Greenstone.bmp:zcdso:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Greenstone.bmp:zcdso:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Greenstone.bmp:zcdso:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\ipld.dll:kicam:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ipld.dll:kicam:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ipld.dll:kicam:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ipld.dll:kicam:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ipld.dll:kicam:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ipld.dll:kicam:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\mfcwo.dll:ckaip:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mfcwo.dll:ckaip:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mfcwo.dll:ckaip:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mfcwo.dll:ckaip:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mfcwo.dll:ckaip:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mfcwo.dll:ckaip:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\mssys.com/HZZ.EXE Infected: Trojan-Dropper.DOS.Rute skipped
C:\WINDOWS\mssys.com Mail: infected - 1 skipped
C:\WINDOWS\mssys.com:grgej:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mssys.com:grgej:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mssys.com:grgej:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mssys.com:grgej:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mssys.com:grgej:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\mssys.com:grgej:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\nsreg.dat:ediqi:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\nsreg.dat:ediqi:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\nsreg.dat:ediqi:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\nsreg.dat:ediqi:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\nsreg.dat:ediqi:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\nsreg.dat:ediqi:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\OCGEN.LOG:njvsb:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\OCGEN.LOG:njvsb:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\OCGEN.LOG:njvsb:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\OCGEN.LOG:njvsb:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\OCGEN.LOG:njvsb:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\OCGEN.LOG:njvsb:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\ODBCINST.INI:nclih:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ODBCINST.INI:nclih:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ODBCINST.INI:nclih:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ODBCINST.INI:nclih:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ODBCINST.INI:nclih:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\ODBCINST.INI:nclih:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\orun32.isu:boylo:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:boylo:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:boylo:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:boylo:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:boylo:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:boylo:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\orun32.isu:ctlan:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:ctlan:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:ctlan:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:ctlan:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:ctlan:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\orun32.isu:ctlan:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\Q816981.log:nqrec:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816981.log:nqrec:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816981.log:nqrec:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816981.log:nqrec:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816981.log:nqrec:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816981.log:nqrec:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\Q816982.log:ledpp:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816982.log:ledpp:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816982.log:ledpp:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816982.log:ledpp:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816982.log:ledpp:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Q816982.log:ledpp:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\QUICKEN.INI:wsfeq:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\QUICKEN.INI:wsfeq:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\QUICKEN.INI:wsfeq:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\QUICKEN.INI:wsfeq:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\QUICKEN.INI:wsfeq:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\QUICKEN.INI:wsfeq:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt:hcyde:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\SchedLgU.Txt:hcyde:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\SchedLgU.Txt:hcyde:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\SchedLgU.Txt:hcyde:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\SchedLgU.Txt:hcyde:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\SchedLgU.Txt:hcyde:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\Soap Bubbles.bmp:zpdva:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Soap Bubbles.bmp:zpdva:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Soap Bubbles.bmp:zpdva:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Soap Bubbles.bmp:zpdva:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Soap Bubbles.bmp:zpdva:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\Soap Bubbles.bmp:zpdva:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\setup4.exe/data0002 Infected: not-a-virus:AdWare.Win32.IEDriver.a skipped
C:\WINDOWS\Temp\setup4.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.adz skipped
C:\WINDOWS\Temp\setup4.exe NSIS: infected - 2 skipped
C:\WINDOWS\VBADDIN.INI:tgcxo:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\VBADDIN.INI:tgcxo:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\VBADDIN.INI:tgcxo:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\VBADDIN.INI:tgcxo:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\VBADDIN.INI:tgcxo:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\VBADDIN.INI:tgcxo:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\WINNT.BMP:jpjvp:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT.BMP:jpjvp:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT.BMP:jpjvp:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT.BMP:jpjvp:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT.BMP:jpjvp:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT.BMP:jpjvp:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\WINNT256.BMP:dpghv:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT256.BMP:dpghv:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT256.BMP:dpghv:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT256.BMP:dpghv:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT256.BMP:dpghv:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\WINNT256.BMP:dpghv:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\wintj32.dll:elopk:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\wintj32.dll:elopk:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\wintj32.dll:elopk:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\wintj32.dll:elopk:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\wintj32.dll:elopk:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\wintj32.dll:elopk:$DATA Embedded HTML: infected - 5 skipped
C:\WINDOWS\_DEFAULT.PIF:geqgq:$DATA/data0001.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\_DEFAULT.PIF:geqgq:$DATA/data0002.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\_DEFAULT.PIF:geqgq:$DATA/data0003.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\_DEFAULT.PIF:geqgq:$DATA/data0004.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\_DEFAULT.PIF:geqgq:$DATA/data0005.html Infected: Trojan-Downloader.Win32.WinShow.ak skipped
C:\WINDOWS\_DEFAULT.PIF:geqgq:$DATA Embedded HTML: infected - 5 skipped

Scan process completed.

#20 IndiGenus

Posted 26 March 2007 - 11:30 AM

How many user accounts are on this machine? Can you post an HJT log run from each account? The machine is better (much) than when we started, but it appears you still have many issues to deal with. Thanks, Dave

#21 sdutcher

Posted 26 March 2007 - 01:01 PM

Dave, I have to tell you, I am doing this for a friend that I work with. He just bought the system a few months ago, and it has been goofy since. I know there was the original owner's identity, then my friend has put on a bunch of user accounts... for him, his wife, and the daughter had a couple... so how do I get an HJT log for each user? Log into each user account, then run HJT? I appreciate your help, and I do see things running better, but I am still getting the adware.coolwebsearch coming up in AVG scans, which it cannot delete, even upon reboot, nor can it quarantine. Once I run scans offline, things are good until I put the computer back online; then I think the trojan or virus goes out and does its thing, and brings back a bunch of stuff. I'll try to get into the different accounts tonight and post HJT logs...

#22 IndiGenus

Posted 26 March 2007 - 01:33 PM

OK, yes that is how to produce the logs. Before we go and do that let's throw another tool at this thing.

Download ComboFix from Here or Here to your Desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

#23 sdutcher

Posted 26 March 2007 - 04:33 PM

Start Time= Mon 03/26/2007 17:28:08.07

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-03-17 17:28:28 ( .D... ) "C:\Documents and Settings\Andrew Horsfall\Application Data\AVG7"
2007-03-16 06:26:22 ( .D... ) "C:\Program Files\Grisoft"
2007-03-13 21:35:30 ( .D... ) "C:\Program Files\Lavasoft"
2007-03-13 21:25:02 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2007-03-13 21:23:32 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2007-03-13 20:57:20 ( .D... ) "C:\Documents and Settings\Andrew Horsfall\Application Data\PC Tools"
2007-03-12 08:33:12 55 ( A.... ) "C:\WINDOWS\SYSTEM32\pfxzmtymsg.dll"
2007-03-12 08:33:12 55 ( A.... ) "C:\WINDOWS\SYSTEM32\pfxzmtwbmail.dll"
2007-03-12 08:33:12 55 ( A.... ) "C:\WINDOWS\SYSTEM32\pfxzmticq.dll"
2007-03-12 08:33:12 55 ( A.... ) "C:\WINDOWS\SYSTEM32\pfxzmtgtal.dll"
2007-03-12 08:33:12 55 ( A.... ) "C:\WINDOWS\SYSTEM32\pfxzmtforum.dll"
2007-03-12 08:33:12 55 ( A.... ) "C:\WINDOWS\SYSTEM32\pfxzmtaim.dll"
2007-03-10 15:48:10 ( .D... ) "C:\Program Files\Spyware Doctor"
2007-03-10 14:37:40 26112 ( A.... ) "C:\WINDOWS\SYSTEM32\vxddsk.exe"
2007-03-10 14:37:40 9728 ( A.... ) "C:\WINDOWS\vxddsk.exe"
2007-03-10 14:37:38 31488 ( A.... ) "C:\WINDOWS\SYSTEM32\wml.exe"
2007-03-10 14:37:36 21760 ( A.... ) "C:\WINDOWS\SUSP.exe"
2007-03-10 14:37:36 12800 ( A.... ) "C:\WINDOWS\wml.exe"
2007-03-10 14:37:34 11008 ( A.... ) "C:\WINDOWS\satmat.exe"
2007-03-10 14:37:28 27392 ( A.... ) "C:\WINDOWS\7search.dll"
2007-03-10 14:37:26 28672 ( A.... ) "C:\WINDOWS\764.exe"
2007-03-10 14:37:26 12800 ( A.... ) "C:\WINDOWS\flt.dll"
2007-03-10 14:37:24 29696 ( A.... ) "C:\WINDOWS\voiceip.dll"
2007-03-10 14:37:24 19456 ( A.... ) "C:\WINDOWS\pbar.dll"
2007-03-10 14:37:24 17920 ( A.... ) "C:\WINDOWS\stcloader.exe"
2007-03-10 14:37:20 30464 ( A.... ) "C:\WINDOWS\cdsm32.dll"
2007-03-10 14:37:20 14336 ( A.... ) "C:\WINDOWS\swin32.dll"
2007-03-10 14:37:18 30208 ( A.... ) "C:\WINDOWS\bokja.exe"
2007-03-10 14:37:14 28928 ( A.... ) "C:\WINDOWS\mspphe.dll"
2007-03-10 14:37:14 10752 ( A.... ) "C:\WINDOWS\mssvr.exe"
2007-03-10 14:37:12 25856 ( A.... ) "C:\WINDOWS\bjam.dll"
2007-03-10 14:37:08 29440 ( A.... ) "C:\WINDOWS\SYSTEM32\MSIXU.DLL"
2007-03-10 14:37:06 23808 ( A.... ) "C:\WINDOWS\180ax.exe"
2007-03-10 14:37:06 9216 ( A.... ) "C:\WINDOWS\SYSTEM32\WER8274.DLL"
2007-03-10 14:37:04 31232 ( A.... ) "C:\WINDOWS\updatetc.exe"
2007-03-10 14:37:04 19968 ( A.... ) "C:\WINDOWS\salm.exe"
2007-03-10 14:36:56 9472 ( A.... ) "C:\WINDOWS\saiemod.dll"
2007-03-10 14:33:48 8704 ( A.... ) "C:\WINDOWS\SYSTEM32\sporder.dll"
2007-03-10 08:32:20 ( .D... ) "C:\Program Files\Webroot"
2007-03-10 08:28:36 ( .D... ) "C:\Documents and Settings\Andrew Horsfall\Application Data\Webroot"
2007-03-10 08:01:48 ( .D... ) "C:\Program Files\SpyAway"
2007-01-28 15:18:08 ( .D... ) "C:\Program Files\ABBYY FineReader 6.0"
2007-01-28 15:18:08 ( .D... ) "C:\Program Files\ABBYY FineReader 5.0 Sprint"
2007-01-28 15:10:52 ( .D... ) "C:\Program Files\Lexmark 1200 Series"
2007-01-15 08:31:58 23808 ( A.... ) "C:\WINDOWS\SYSTEM32\winmuse.exe"
2007-01-15 08:31:58 8960 ( A.... ) "C:\WINDOWS\SYSTEM32\msmsn.exe"
2007-01-15 08:31:56 29184 ( A.... ) "C:\WINDOWS\SYSTEM32\POPCORN72.EXE"
2007-01-15 08:31:56 23040 ( A.... ) "C:\WINDOWS\SYSTEM32\kernels64.exe"
2007-01-15 08:31:56 12032 ( A.... ) "C:\WINDOWS\SYSTEM32\netstat2.exe"
2007-01-15 08:31:56 9472 ( A.... ) "C:\WINDOWS\SYSTEM32\anti_troj.exe"
2007-01-15 08:31:56 8960 ( A.... ) "C:\WINDOWS\SYSTEM32\perfont.exe"
2007-01-15 08:31:54 32256 ( A.... ) "C:\WINDOWS\SYSTEM32\mpsegment.exe"
2007-01-15 08:31:54 16128 ( A.... ) "C:\WINDOWS\SYSTEM32\proqlaim.exe"
2007-01-15 08:31:50 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\iewd.exe"
2007-01-15 08:31:48 22272 ( A.... ) "C:\WINDOWS\SYSTEM32\dload.exe"
2007-01-15 08:31:48 13568 ( A.... ) "C:\WINDOWS\SYSTEM32\win32hp.dll"
2007-01-15 08:31:34 18176 ( A.... ) "C:\WINDOWS\spp3.dll"
2007-01-15 08:31:12 32512 ( A.... ) "C:\WINDOWS\wininet32.exe"
2007-01-15 08:31:10 26880 ( A.... ) "C:\WINDOWS\runwin32.exe"
2007-01-15 08:31:08 26368 ( A.... ) "C:\WINDOWS\y.exe"
2007-01-15 08:31:08 16128 ( A.... ) "C:\WINDOWS\dialup.exe"
2007-01-15 08:31:06 13568 ( A.... ) "C:\WINDOWS\xplugin.dll"
2007-01-15 08:31:04 25088 ( A.... ) "C:\WINDOWS\x.exe"
2007-01-15 08:31:04 20992 ( A.... ) "C:\WINDOWS\window.exe"
2007-01-15 08:31:04 16640 ( A.... ) "C:\WINDOWS\winmgnt.exe"
2007-01-15 08:31:04 13824 ( A.... ) "C:\WINDOWS\winajbm.dll"
2007-01-15 08:31:02 27392 ( A.... ) "C:\WINDOWS\time.exe"
2007-01-15 08:31:02 23808 ( A.... ) "C:\WINDOWS\win64.exe"
2007-01-15 08:31:02 19456 ( A.... ) "C:\WINDOWS\waol.exe"
2007-01-15 08:31:02 19200 ( A.... ) "C:\WINDOWS\users32.exe"
2007-01-15 08:31:02 14336 ( A.... ) "C:\WINDOWS\win32e.exe"
2007-01-15 08:31:00 26112 ( A.... ) "C:\WINDOWS\olehelp.exe"
2007-01-15 08:31:00 14848 ( A.... ) "C:\WINDOWS\systemcritical.exe"
2007-01-15 08:31:00 9728 ( A.... ) "C:\WINDOWS\systeem.exe"
2007-01-15 08:30:58 13056 ( A.... ) "C:\WINDOWS\clrssn.exe"
2007-01-15 08:30:58 11520 ( A.... ) "C:\WINDOWS\cpan.dll"
2007-01-15 08:30:56 15872 ( A.... ) "C:\WINDOWS\accesss.exe"
2007-01-15 08:30:54 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\ace16win.dll"
2007-01-15 08:30:54 11264 ( A.... ) "C:\WINDOWS\inetdctr.dll"
2006-12-31 20:01:32 14848 ( A.... ) "C:\WINDOWS\SYSTEM32\protector(2).exe"
2006-12-31 19:32:48 18944 ( A.... ) "C:\WINDOWS\SYSTEM32\ntio256.sys"
2006-12-31 19:32:48 14848 ( A.... ) "C:\WINDOWS\SYSTEM32\protector.exe"
2006-12-31 18:34:26 12800 ( A.... ) "C:\WINDOWS\SYSTEM32\svchost.exe"

((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Verizon Internet Security Suite"="\"C:\\Program Files\\Verizon\\Verizon Internet Security Suite\\Rps.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~2\\HELPSU~1\\SMARTB~1\\MotiveSB.exe"
"A Verizon App"="C:\\PROGRA~1\\VERIZO~2\\HELPSU~1\\VERIZO~1.EXE"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"Lexmark 1200 Series"="\"C:\\Program Files\\Lexmark 1200 Series\\lxczbmgr.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Aim6"="\"C:\\Program Files\\AIM6\\aim6.exe\" /d locale=en-US ee://aol/imApp"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"adirka"="C:\\WINDOWS\\System32\\adirka.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"adirka"="C:\\WINDOWS\\System32\\adirka.exe"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~3\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DirectCD"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RebateNation0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RebateNation0"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Rebate_Nation\\RebateNation0.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBundleOuterDL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BundleOuter"
"hkey"="HKLM"
"command"="C:\\Program Files\\VBouncer\\BundleOuter.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VerizonServicepoint"
"hkey"="HKLM"
"command"="C:\\Program Files\\Verizon\\Servicepoint\\VerizonServicepoint.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ybrwicon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yop"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\YOP\\yop.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YPC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypc"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Yahoo!\\PARENT~1\\ypc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WebClient"=dword:00000002
"w32time"=dword:00000002
"TapiSrv"=dword:00000003

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Ad-Aware SE Personal.job
C:\WINDOWS\tasks\Spybot - Search & Destroy.job
C:\WINDOWS\tasks\wrSpySweeperTrialSweep.job

Completion time: Mon 03/26/2007 17:29:08.57
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

#24 sdutcher

Posted 26 March 2007 - 04:35 PM

Logfile of HijackThis v1.99.1
Scan saved at 5:31:18 PM, on 3/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\TrueSwitchVerizonYahoo\TrueInstall.exe
C:\Documents and Settings\Andrew Horsfall\Desktop\help files\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~2\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Startup: TrueSwitch Wizard Verizon Yahoo.lnk = C:\Program Files\TrueSwitchVerizonYahoo\TrueInstall.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.micros...b?1165785661687
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} - https://netservices..../DSLControl.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...TrueInstall.exe
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

#25 sdutcher

Posted 26 March 2007 - 04:36 PM

I tried to log into the different user accounts, but I don't have the passwords. Can I just delete all of those accounts? If so, how do I go about that?

#26 IndiGenus

Posted 26 March 2007 - 06:42 PM

This is one seriously infected machine. I honestly can't guarantee that we will be completely clean when we're done here but I will give it my best shot. This is what we recommend next here.

1. Click Start > Settings > Control Panel.
2. Next, open Add or Remove Programs and remove it if listed:
SpyAway


Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)


REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"adirka"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"adirka"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RebateNation0]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBundleOuterDL]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]


Save this as fix2.reg. Choose to save as *all files and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.



Download Pocket Killbox
http://www.atribune....ads/KillBox.exe
If you already have Killbox, first ensure it is this version!

Then double-click on the killbox.exe program.


Start Killbox and click on Tools->Delete Temp Files.
Then select the option labeled Delete on reboot.

Do not close Killbox. Open Notepad by clicking on Start, then Run, typing notepad.exe and pressing the OK button.


When Notepad is open, copy and paste the following bolded text into the Notepad screen. You do this by highlighting each of the below bolded filenames and then pressing Control-C on your keyboard. Then click on the open Notepad window and press Control-V to paste the contents into Notepad.

C:\WINDOWS\SYSTEM32\pfxzmtymsg.dll
C:\WINDOWS\SYSTEM32\pfxzmtwbmail.dll
C:\WINDOWS\SYSTEM32\pfxzmticq.dll
C:\WINDOWS\SYSTEM32\pfxzmtgtal.dll
C:\WINDOWS\SYSTEM32\pfxzmtforum.dll
C:\WINDOWS\SYSTEM32\pfxzmtaim.dll
C:\WINDOWS\SYSTEM32\vxddsk.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\SYSTEM32\wml.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\764.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\stcloader.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\SYSTEM32\MSIXU.DLL
C:\WINDOWS\180ax.exe
C:\WINDOWS\SYSTEM32\WER8274.DLL
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\SYSTEM32\winmuse.exe
C:\WINDOWS\SYSTEM32\msmsn.exe
C:\WINDOWS\SYSTEM32\POPCORN72.EXE
C:\WINDOWS\SYSTEM32\kernels64.exe
C:\WINDOWS\SYSTEM32\netstat2.exe
C:\WINDOWS\SYSTEM32\anti_troj.exe
C:\WINDOWS\SYSTEM32\perfont.exe
C:\WINDOWS\SYSTEM32\mpsegment.exe
C:\WINDOWS\SYSTEM32\proqlaim.exe
C:\WINDOWS\SYSTEM32\iewd.exe
C:\WINDOWS\SYSTEM32\dload.exe
C:\WINDOWS\SYSTEM32\win32hp.dll
C:\WINDOWS\spp3.dll
C:\WINDOWS\wininet32.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\y.exe
C:\WINDOWS\dialup.exe
C:\WINDOWS\xplugin.dll
C:\WINDOWS\x.exe
C:\WINDOWS\window.exe
C:\WINDOWS\winmgnt.exe
C:\WINDOWS\winajbm.dll
C:\WINDOWS\time.exe
C:\WINDOWS\win64.exe
C:\WINDOWS\waol.exe
C:\WINDOWS\users32.exe
C:\WINDOWS\win32e.exe
C:\WINDOWS\olehelp.exe
C:\WINDOWS\systemcritical.exe
C:\WINDOWS\systeem.exe
C:\WINDOWS\clrssn.exe
C:\WINDOWS\cpan.dll
C:\WINDOWS\accesss.exe
C:\WINDOWS\SYSTEM32\ace16win.dll
C:\WINDOWS\inetdctr.dll
C:\WINDOWS\SYSTEM32\protector(2).exe
C:\WINDOWS\SYSTEM32\ntio256.sys
C:\WINDOWS\SYSTEM32\protector.exe


Return to Killbox, go to the File menu and select Paste from Clipboard.


Still in Killbox, click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click No at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Copy/paste a new log file into this thread.
Also please describe how your computer behaves at the moment.

#27 sdutcher

Posted 26 March 2007 - 07:31 PM

Did not find any SpyAway, and the reg merge didn't take. I did the Killbox procedure, but it rebooted before I could save the logfile. I'm up on another computer now, will be back on in a few. What do you know about "search assistant" and this csrss.exe file that seems to be bringing up the popup windows?

#28 sdutcher

Posted 26 March 2007 - 09:49 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:43:27 PM, on 3/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Andrew Horsfall\Desktop\help files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~2\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~2\HELPSU~1\VERIZO~1.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: TrueSwitch Wizard Verizon Yahoo.lnk = C:\Program Files\TrueSwitchVerizonYahoo\TrueInstall.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - http://update.micros...b?1165785661687
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {BCD5A227-8720-497B-AF5F-4403E94342E3} - https://netservices..../DSLControl.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...TrueInstall.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Still getting popups... even tried a few other CWS killers...

#29 IndiGenus

Posted 27 March 2007 - 07:32 AM

Please run the ComboFix tool I had you run earlier again and post a new log from it. Dave

#30 sdutcher

Posted 27 March 2007 - 07:51 AM

I plan on running home at lunch and seeing what the results of another Panda ActiveScan are, and I will post that along with the ComboFix reports (I left the Panda scan running when I went to work). The computer seems to be running better, especially if I am doing offline scans. I did manually delete the registry keys that AVG Anti-Spyware found associated with CoolWebSearch, and they didn't show up on new scans. Until I went online this morning, I had AVG Anti-Spyware, AVG Anti-Virus, Spybot, and Ad-Aware all with clean scans. So I went online to do a Panda scan, and before I left the house it had found 4 or 5 items (not viruses). Thanks again for your assistance. Do you think we are gaining?
