Page 2 of 6 (results 11 to 20 of 57)

Thread: winh32, command service, other trojans

  1. #11
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    hi cesarper,

    that message from Norton is about a file in your system restore points. don't worry about it, we will clean that as a last step. just don't do a system restore. SUPERAntiSpyware found a lot of goodies. please rerun it for a second pass.

    shelf life
    How Can I Reduce My Risk?

  2. #12
    Senior Member | Join Date: Oct 2006 | Posts: 108

    2nd Super Antispyware Log

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/22/2007 at 02:22 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3328
    Trace Rules Database Version: 1329

    Scan type : Complete Scan
    Total Scan Time : 02:59:38

    Memory items scanned : 490
    Memory threats detected : 0
    Registry items scanned : 7131
    Registry threats detected : 6
    File items scanned : 116270
    File threats detected : 5

    Trojan.Downloader-Smith/MS
    HKLM\Software\Classes\CLSID\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}
    HKCR\CLSID\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}
    HKCR\CLSID\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}
    HKCR\CLSID\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}\InprocServer32
    HKCR\CLSID\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\GE.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}

    Adware.Tracking Cookie
    C:\Documents and Settings\Cesar\Cookies\cesar@overture[1].txt
    C:\Documents and Settings\Cesar\Cookies\cesar@questionmarket[1].txt
    C:\Documents and Settings\Cesar\Cookies\cesar@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Cesar\Cookies\cesar@ads.espn.adsonar[1].txt

  3. #13
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    hi cesarper,

    start hjt, click on "open misc tools section"
    then "delete a file on reboot"
    in the file name window copy/paste this:

    C:\WINDOWS\SYSTEM32\GE.DLL
    click the open button and, at the prompt to reboot, select yes to reboot the computer.
    -----------------------------
    next:
    Copy and paste this text in bold into notepad. (start>programs>accessories>notepad.)

    REGEDIT4
    [-HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF3446E8-FC32-4E55-9C56-0B8DA015FC10}]


    Save it as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

    find the reg file on your desktop, double-click it and select yes to merge it into the registry.
    how's it looking on your end now?

    shelf life
    How Can I Reduce My Risk?

  4. #14
    Senior Member | Join Date: Oct 2006 | Posts: 108

    Ok, did everything as you told me, no problems.

    Observations: 1) Prior to doing the fix.reg part, I was having issues with Notepad. Every time I tried to save as or open a file, I would get an error message after about 5 seconds telling me that Notepad had a problem and asking whether I want to send an error report to Microsoft. Clicking on any of the actions would close Notepad without allowing me to save or open a file. After doing the fix.reg part, the error message flashes for a split second and it shuts down Notepad automatically without input from me.

    2) Prior to doing the fix.reg portion, Symantec kept notifying me about the following:
    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\WINDOWS\SYSTEM32\fafbafcfeffcc.dll
    Location: C:\WINDOWS\SYSTEM32
    Computer: MAINDESKTOP
    User: SYSTEM
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Monday, October 22, 2007 7:07:17 PM
    After the fix.reg, it notifies me about the above and the one below:
    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader
    File: C:\WINDOWS\system32\39cc32cbcc91896677c55831a8bb222b.TMP
    Location: Quarantine
    Computer: MAINDESKTOP
    User: SYSTEM
    Action taken: Clean failed : Quarantine successful : Access denied
    Date found: Monday, October 22, 2007 7:07:17 PM

    3) Microsoft Defender has been finding the following 3 items throughout all this:
    Adware:Win32/Adbreak Alert Level = Medium
    • file:C:\WINDOWS\settn.dll
    • file:C:\WINDOWS\liqui.dll
    • file:C:\WINDOWS\liqad.dll
    • file:C:\WINDOWS\kvnab.dll
    • file:C:\WINDOWS\kkcomp.dll
    • file:C:\WINDOWS\xadbrk.dll

    Spyware:Win32/CnsMin Alert Level = High
    • regkey:HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}
    • bho:HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{bb936323-19fa-4521-ba29-eca6a121bc78}
    • file:C:\Program Files\3721\assist\asbar.dll
    • file:C:\Program Files\3721\helper.dll
    • folder:C:\Program Files\3721\assist\
    • folder:C:\Program Files\3721\

    Adware:Win32/INetSpeakWebsearch Alert Level = High
    • file:C:\WINDOWS\iexplorr23.dll

    I haven't taken any action on these items. Beyond this, there is a window that pops up once in a while with what I believe to be an error message. I don't know for sure since it only pops up for about a split second before disappearing.

    However, as mentioned in a previous post, the computer is behaving much better than it had previously. I don't have that annoying "You have spyware" wallpaper, and I don't get redirected to their website to purchase their product, nor do I get the fake alert bubble from the task bar anymore. Also, now I have access to the task manager.

    Awaiting further instruction, oh spyware master.

  5. #15
    Senior Member | Join Date: Oct 2006 | Posts: 108

    In addition to the above

    I have also noticed that it tries to close Symantec when it is open. I've discovered that if I just move the error message popup rather than selecting something, I can continue to work in whichever program I am trying to work in. It used to do it in HJT and IE also.

  6. #16
    Senior Member | Join Date: Oct 2006 | Posts: 108

    Another Symantec Notification

    Here's a new one:

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Downloader.MisleadApp
    File: C:\WINDOWS\system32\qiawpbjj.exe
    Location: Quarantine
    Computer: MAINDESKTOP
    User: Cesar
    Action taken: Quarantine succeeded : Access denied
    Date found: Monday, October 22, 2007 10:56:48 PM

  7. #17
    Emeritus | Join Date: Nov 2005 | Location: @localhost | Posts: 6,066

    hi cesarper,

    delete your copy of vundofix and get a new one and run it:

    download and run vundofix.exe:

    http://www.atribune.org/ccount/click.php?id=4

    * Double-click VundoFix.exe to run it.
    * Click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
    -----------------------------
    also run SDFix; it needs to be run in safe mode:

    Download SDFix and save it to your Desktop.

    http://downloads.andymanchesta.com/R...ools/SDFix.exe


    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    * Restart your computer
    * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    * Instead of Windows loading as normal, the Advanced Options Menu should appear;
    * Select the first option, to run Windows in Safe Mode, then press Enter.
    * Choose your usual account.

    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    * Finally, paste the contents of Report.txt back on the forum, together with a new HijackThis log and the Vundo log.

    shelf life
    How Can I Reduce My Risk?

  8. #18
    Senior Member | Join Date: Oct 2006 | Posts: 108

    Vundo and SDFix

    Vundo found nothing, so there is no log available.


    SDFix: Version 1.111

    Run by Cesar on Tue 10/23/2007 at 08:00 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Starcraft\\StarCraft.exe"="C:\\Program Files\\Starcraft\\StarCraft.exe:*:Enabled:Starcraft"
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
    "C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:AT&T Yahoo! Music Jukebox"
    "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Windows Explorer"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files:
    ---------------


    Files with Hidden Attributes:

    Sat 7 Apr 2007 5,355,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
    Sun 2 Mar 2003 37,888 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc10.tmp"
    Sun 2 Mar 2003 30,208 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc11.tmp"
    Sun 2 Mar 2003 30,208 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc12.tmp"
    Sun 2 Mar 2003 29,696 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc13.tmp"
    Sun 2 Mar 2003 31,232 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc14.tmp"
    Fri 19 Dec 2003 34,816 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc144.tmp"
    Sun 2 Mar 2003 33,280 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc15.tmp"
    Fri 19 Dec 2003 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc158.tmp"
    Mon 17 Nov 2003 35,328 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc159.tmp"
    Sun 2 Mar 2003 25,088 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc16.tmp"
    Wed 1 Dec 2004 30,720 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc160.tmp"
    Fri 19 Dec 2003 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc161.tmp"
    Fri 19 Dec 2003 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc162.tmp"
    Tue 13 Jan 2004 117,248 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc163.tmp"
    Fri 19 Dec 2003 36,352 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc164.tmp"
    Fri 19 Dec 2003 35,328 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc165.tmp"
    Sun 2 Mar 2003 26,624 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc17.tmp"
    Sun 2 Mar 2003 34,816 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc18.tmp"
    Sun 2 Mar 2003 31,232 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc20.tmp"
    Sun 2 Mar 2003 27,136 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc3.tmp"
    Sun 2 Mar 2003 33,792 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc4.tmp"
    Sun 2 Mar 2003 31,744 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc5.tmp"
    Sun 2 Mar 2003 26,624 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc6.tmp"
    Sun 2 Mar 2003 28,672 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc7.tmp"
    Sun 2 Mar 2003 34,816 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc8.tmp"
    Sun 2 Mar 2003 32,768 A..H. --- "C:\RECYCLER\S-1-5-21-3402799377-3563514748-4210259494-1007\Dc9.tmp"
    Sun 1 Dec 2002 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 23 Dec 2002 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
    Sun 3 Oct 2004 400 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.bla.bak"
    Sun 3 Oct 2004 48 ..SH. --- "C:\Documents and Settings\All Users\DRM\v2ks.sec.bak"
    Sun 3 Oct 2004 400 A.SH. --- "C:\Documents and Settings\All Users\DRM\v3ks.bla.bak"
    Sun 25 Jul 2004 1,871 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti3.tmp"
    Sat 27 Jan 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Tue 18 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\cf7ced0e70c80a1e476f1abf49afecb1\BIT7.tmp"
    Sun 7 Dec 2003 152,576 ...H. --- "C:\Documents and Settings\Ale\Application Data\Microsoft\Word\~WRL3064.tmp"
    Wed 20 Apr 2005 59,392 A..H. --- "C:\Documents and Settings\Ale\My Documents\Old Classes\Knes 385\~WRL0444.tmp"
    Wed 20 Apr 2005 69,632 A..H. --- "C:\Documents and Settings\Ale\My Documents\Old Classes\Knes 385\~WRL0879.tmp"
    Tue 4 Feb 2003 35,840 ...H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Word\~WRL0005.tmp"
    Fri 15 Apr 2005 37,376 ...H. --- "C:\Documents and Settings\Cesar\My Documents\Job Search\Resumes & Cover Letters\~WRL3344.tmp"
    Mon 16 Sep 2002 9,270 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Acc238h.tmp"
    Mon 16 Sep 2002 9,270 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Acc238s.tmp"
    Tue 22 Feb 2005 9,718 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Off153.tmp"
    Fri 10 Jan 2003 8,246 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Off153h.tmp"
    Fri 10 Jan 2003 8,246 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Off153s.tmp"
    Mon 16 Sep 2002 8,246 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Pro237h.tmp"
    Mon 16 Sep 2002 8,246 A..H. --- "C:\Documents and Settings\Cesar\Application Data\Microsoft\Office\Shortcut Bar\Pro237s.tmp"
    Wed 30 Mar 2005 749,056 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Spring 2005\PPD 360\~WRL3489.tmp"
    Wed 30 Mar 2005 750,080 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Spring 2005\PPD 360\~WRL3648.tmp"
    Sun 17 Oct 2004 37,888 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Fall 2004\PPD 227\710 Project\Working Drafts\~WRL0534.tmp"
    Sat 16 Oct 2004 37,376 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Fall 2004\PPD 227\710 Project\Working Drafts\~WRL1420.tmp"
    Sat 16 Oct 2004 35,328 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Fall 2004\PPD 227\710 Project\Working Drafts\~WRL1827.tmp"
    Fri 15 Oct 2004 33,792 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Fall 2004\PPD 227\710 Project\Working Drafts\~WRL2646.tmp"
    Sat 16 Oct 2004 36,864 A..H. --- "C:\Documents and Settings\Cesar\My Documents\Old Classes\Fall 2004\PPD 227\710 Project\Working Drafts\~WRL4066.tmp"

    Finished!

  9. #19
    Senior Member | Join Date: Oct 2006 | Posts: 108

    HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:18:07 PM, on 10/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    C:\PROGRA~1\Yahoo!\YOP\yop.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\ctfmona.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\AntiVirusPro\AntiVirusPro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
    O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
    O2 - BHO: (no name) - {5088CF98-BCFF-4227-B043-91865F05F5BF} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\PROGRA~1\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
    O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
    O2 - BHO: (no name) - {9A4ED3D2-5CB0-9907-0EB8-EABBE62AB3BA} - (no file)
    O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
    O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
    O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
    O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
    O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
    O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [AntiVirusPro] C:\Program Files\AntiVirusPro\AntiVirusPro.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\Ale\Desktop\UNKNOWN_PARAMETER_VALUE\details.pif
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: AutorunsDisabled
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Search -
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/s...SYSSCANNER.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125464059207
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} -
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames...e.cab55579.cab
    O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/game...ploader_v6.cab
    O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/sbc/TrueInstallSBC.exe
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = usc.edu,hsc.usc.edu
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = usc.edu,hsc.usc.edu
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = usc.edu,hsc.usc.edu
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: fafbafcfeffcc - C:\WINDOWS\system32\fafbafcfeffcc.dll
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 11469 bytes
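
    Added example (not code from the thread, nor from HijackThis, SDFix or any other tool named here): a small Python triage of an HJT log like the one above, applying checks a helper otherwise makes by eye (O2 BHOs registered with no DLL on disk, O20 Winlogon Notify DLLs outside an allow-list, O4 Run values with an odd file type or location) and emitting a REGEDIT4 removal file in the same [-key] style as the Fix.reg in post #13. The sample log lines are copied from the thread's HJT log; the Winlogon Notify allow-list and the risky-extension list are assumptions chosen for illustration.

```python
"""Triage a HijackThis v2 log (added example): orphaned O2 BHOs, O20 Winlogon Notify
DLLs off an allow-list, odd O4 Run values, and a REGEDIT4 fix in the style of post #13."""
import ntpath
import re

# Constructed sample made of lines taken from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [SSK Service] C:\Documents and Settings\Ale\Desktop\UNKNOWN_PARAMETER_VALUE\details.pif
O4 - Global Startup: AutorunsDisabled
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: fafbafcfeffcc - C:\WINDOWS\system32\fafbafcfeffcc.dll
"""

PARSERS = {  # section tag -> regex; lines of other sections are kept but left unparsed
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\S+) - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"),
    "O20": re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$"),
}
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# First token ending in an executable-like extension, so unquoted paths with spaces survive.
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|com|pif|bat|cmd|scr|vbs|js|dll))(?=[\s,]|$)", re.I)
RISKY_EXT = {".pif", ".bat", ".cmd", ".scr", ".com", ".vbs", ".js"}  # assumed list
USER_DIRS = ("\\desktop\\", "\\temp\\", "\\temporary internet files\\")
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")

def parse_hjt(text: str) -> list:
    """Split a HijackThis log into dicts: kind, raw, plus regex groups for O2/O4 Run/O20."""
    entries = []
    for raw in (line.strip() for line in text.splitlines()):
        if " - " not in raw:
            continue
        kind = raw.split(" - ", 1)[0]
        match = PARSERS[kind].match(raw) if kind in PARSERS else None
        entries.append({"kind": kind, "raw": raw, **(match.groupdict() if match else {})})
    return entries

def command_path(cmd: str) -> str:
    """Executable of a Run value: the quoted path, else the first exe-like token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    match = EXE_RE.match(cmd)
    return match.group("path") if match else cmd.split(" ", 1)[0]

def orphaned_bhos(entries) -> list:
    """CLSIDs of BHO registrations whose DLL HijackThis reports as (no file)."""
    return [e["clsid"] for e in entries if e["kind"] == "O2" and "clsid" in e
            and e["path"] == "(no file)" and CLSID_RE.match(e["clsid"])]

def winlogon_notify_review(entries, allow=frozenset({"saswinlo.dll"})) -> list:
    """(name, dll) for Winlogon Notify handlers not on the allow-list (default is constructed)."""
    return [(e["name"], e["path"]) for e in entries if e["kind"] == "O20" and "path" in e
            and ntpath.basename(e["path"]).lower() not in allow]

def run_entries_review(entries) -> list:
    """(value name, path, reasons) for Run values with an odd file type or location."""
    flagged = []
    for e in (e for e in entries if e["kind"] == "O4" and "cmd" in e):
        path = command_path(e["cmd"])
        ext = ntpath.splitext(path)[1].lower()
        reasons = []
        if ext in RISKY_EXT:
            reasons.append(f"launches a {ext} file")
        if any(d in path.lower() for d in USER_DIRS):
            reasons.append("runs from a user profile folder")
        if reasons:
            flagged.append((e["value"], path, "; ".join(reasons)))
    return flagged

def bho_removal_reg(clsids) -> str:
    """REGEDIT4 text deleting each BHO key (a leading '-' inside [] means delete the key)."""
    lines = ["REGEDIT4", ""]
    for clsid in clsids:
        lines += [f"[-{BHO_KEY}\\{clsid}]", ""]
    return "\n".join(lines)

def triage(text: str) -> dict:
    entries = parse_hjt(text)
    orphans = orphaned_bhos(entries)
    return {"orphaned_bhos": orphans,
            "winlogon_notify_review": winlogon_notify_review(entries),
            "run_entries_review": run_entries_review(entries),
            "bho_fix_reg": bho_removal_reg(orphans)}

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"== {key}\n{val}")
```

    Everything it reports is a review item, not a verdict: a legitimate Winlogon Notify DLL simply missing from the allow-list lands in the same bucket as the fafbafcfeffcc.dll that Symantec flagged above.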

  10. #20
    Senior Member | Join Date: Oct 2006 | Posts: 108

    New Thing

    After running SDFix in Safe Mode, it rebooted and finished whatever it needed to finish. Then, when my profile loaded, a new program popped up. This program is called "Anti Virus Pro." It automatically started "scanning" my computer and now it wants me to purchase the program to clean out the infected files it found. Also, a bubble pops up from the task bar telling me that my computer is running slow and I should remove the infected files. It pops up from an icon in the shape of a red triangle with a black exclamation point. It goes away on its own after about 10 seconds. Clicking on the bubble takes me to a website to purchase the "Anti Virus Pro" program.
