PDA

View Full Version : Trouble with popup ads



Ssnap
2007-02-11, 05:45
Four days ago I have started getting pop up ads and don't know how I got them or how to get rid of them. I have ran a virus scan, nothing found, ran spybot search & destroy, ad-aware and a few others. Spybot finds tracking cookies and I delete them but I just keep getting them. I read a few post and have downloaded some of the programs suggested but I need to know what to do first. I did run the AVG Anti-spyware in safe mode and kept a report.

Thanks

Angelfire777
2007-02-11, 13:13
Hi welcome to Safer Networking forums!

Please follow the preliminary instructions here: http://forums.spybot.info/showthread.php?t=288

I want you to please rename HijackThis to any name you want then scan with it, then post a HijackThis log and the AVG antispyware log you saved.

Ssnap
2007-02-11, 20:08
I ran the online virus scan also ran the spybot in safe mode as the link you posted advised. Here is the report from online virus scan.


Incident Status Location

Adware:adware/navipromo Not disinfected c:\windows\system32\jhdzwsitif_navps.dat
Adware:Adware/NaviPromo Not disinfected C:\WINDOWS\SYSTEM32\jhdzwsitif.exe
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mine\Cookies\mine@doubleclick[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Mine\Cookies\mine@azjmp[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mine\Cookies\mine@drivecleaner[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mine\Cookies\mine@www.drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mine\Cookies\mine@stats.drivecleaner[2].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Mine\Cookies\mine@www.myaffiliateprogram[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Mine\Cookies\mine@go[2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Mine\Cookies\mine@winantivirus[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mine\Cookies\mine@atwola[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Mine\Cookies\mine@mediaplex[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Mine\Cookies\mine@adopt.hbmediapro[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Mine\Cookies\mine@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mine\Cookies\mine@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mine\Cookies\mine@atdmt[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mine\Cookies\mine@tribalfusion[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mine\Cookies\mine@www.errorsafe[1].txt
Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\Mine\Cookies\mine@errorsafe[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Mine\Cookies\mine@stats1.reliablestats[2].txt
The hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 11:59:00 AM, on 2/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\hijackthis\searching.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142632548796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

The AVG antispyware log
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:04:38 PM 2/10/2007

+ Scan result:



C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Mine\Cookies\mine@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Mine\Cookies\mine@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.


::Report end

Angelfire777
2007-02-12, 14:54
Hi, you got a nasty there..

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
______________________________

*Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE (http://metallica.geekstogo.com/EGDACCESS.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover.
Save it in the same folder you made earlier (c:\BFU).

Copy the part in bold below into notepad and save it as aftermath.bfu
Save it in the same folder you made earlier (c:\BFU) and set Filetype to "All files"

RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\jhdzwsitif
RegDelValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run|jhdzwsitif
FileDelete %SYSDIR%\jhdzwsitif_navps.dat
FileDelete %SYSDIR%\jhdzwsitif_nav.dat
FileDelete %SYSDIR%\jhdzwsitif.dat
FileDelete %SYSDIR%\jhdzwsitif.exe
FileDelete %SYSDIR%\jhdzwsitif_m2s.xml
FileDelete %WINDIR%\jhdzwsitif.exe-*.pf


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select EGDACCESS.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png again and this time select aftermath.bfu
Press Execute and let it do it’s job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot.

______________________________

1.) Create a folder in the root of your C: drive and name it Blacklight.
A brief explanation of how to do this can be found HERE. (http://russelltexas.com/malware/createhjtfolder.htm)

2.) Download F-Secure's BlackLight from HERE (https://www.europe.f-secure.com/blacklight/try.shtml) and save it into the folder you just created.

3.) Log off from the internet and disconnect your modem cable.

4.) Go to Start > Run, copy and paste the following into the Text Box and hit OK:
"C:\Blacklight\blbeta.exe" /expert

The F-Secure Blacklight Beta window should open. Accept the agreement and click OK.
Click the Scan button to begin.
Leave the PC idle while the scan takes place.
When it has completed, click the Close button.
A text file, fsbl-date/time, will be saved in the Blacklight folder, copy and paste this into your next post.

On your next reply, please post a fresh HijackThis log and the blacklight scan log and a description on how your machine is running.

Ssnap
2007-02-12, 21:42
I have surfed the web for about an hour and only had one pop up, which is a large improvement. Also, this one pop up seems to be related to a certain website but I have pop ups blocked so not sure why it pops up. So far the amaena and the different gad-network.com ones and the many others haven't poppped up. Hope it stays that way its frustrating when you use spyware, ad-aware and virus scanners and still end up with unwanted junk on your computer!. I am not sure if you have other steps for me to take but thank you for the help you have provided and the great directions you provided. Your instructions were so well written and easy to follow that so far I haven't had any trouble running the programs you suggested. Thanks

The blacklight log

02/12/07 11:27:47 [Info]: BlackLight Engine 1.0.55 initialized
02/12/07 11:27:47 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/12/07 11:27:47 [Note]: 7019 4
02/12/07 11:27:47 [Note]: 7005 0
02/12/07 11:28:14 [Note]: 7006 0
02/12/07 11:28:14 [Note]: 7022 0
02/12/07 11:28:14 [Note]: 7011 1684
02/12/07 11:28:14 [Note]: 7026 0
02/12/07 11:28:14 [Note]: 7026 0
02/12/07 11:28:16 [Note]: FSRAW library version 1.7.1021
02/12/07 11:28:54 [Note]: 7007 0


HJT lot:
Logfile of HijackThis v1.99.1
Scan saved at 11:32:35 AM, on 2/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\hphmon03.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\HPHipm09.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\searching.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142632548796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

Angelfire777
2007-02-13, 12:28
I have surfed the web for about an hour and only had one pop up, which is a large improvement. Also, this one pop up seems to be related to a certain website but I have pop ups blocked so not sure why it pops up. So far the amaena and the different gad-network.com ones and the many others haven't poppped up.

It could be what you are saying..Your logs look ok now, I'll post my recommendations to prevent reinfection and I will leave this topic open for 2 days so you can post back here if there will still be annoying popups..It may help too if you'll list down the addresses of the popups you will be receiving if ever there will be..


Hope it stays that way its frustrating when you use spyware, ad-aware and virus scanners and still end up with unwanted junk on your computer!. I am not sure if you have other steps for me to take but thank you for the help you have provided and the great directions you provided. Your instructions were so well written and easy to follow that so far I haven't had any trouble running the programs you suggested. Thanks

You're Welcome :)
_______________________

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
______________________

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Ssnap
2007-02-15, 18:06
I updaged my java and read the post How did I get infected in the first place. I made changed to my internet options and all was working well but now I can't acccess my set homepage IE just sits there and flicker. I can't even use the drop down bar for a different address till I click stop. I went back and put prompt for cookies but still can't access the website. Its comcast website and its my computer because my husband can access the site on his. Also notice I can't post on some forums it tells me my session has timed out even tho I just logged on to the site.

Ssnap
2007-02-15, 18:06
Oh I also installed winpatrol and spyware gaurd.

Angelfire777
2007-02-16, 06:49
I made changed to my internet options and all was working well but now I can't acccess my set homepage IE just sits there and flicker.

Did that problem arise when you changed the internet options? And please tell me what options did you exactly change..

Ssnap
2007-02-16, 18:08
No, the problem didn't arise when I made the changes in IE and I have set them all back to default and still can't access comcast.net. Its just odd the only way I can leave my homepage is by hitting the red x (stop) then I can access the address drop down to go to a different site. When I first open my browser it acts like the homepage is trying to download but it never does. I have also noticed with IE it shuts down often and states its experienced some difficulty the type where you have the option to send a report.

I changeed the active x section - In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable". Also ran Jason Levine's Browser Security Test and made the changes that it suggested. Sorry I can't remember what all they were but like I said eventually set everything back to default just to see if that would work when it didn't I downloaded firefox which seems to work fine.

Ssnap
2007-02-16, 18:36
Just in case you wanted a new one.

Logfile of HijackThis v1.99.1
Scan saved at 10:34:28 AM, on 2/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\searching.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142632548796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

Angelfire777
2007-02-17, 11:35
Hi, let's try to run a scan...

Download ComboScan (http://www.techsupportforum.com/sectools/Deckard/comboscan.exe) to your Desktop.

1. Close all applications and windows.
2. Double-click on comboscan.exe to run it, and follow the prompts.
3. When the scan is complete, a text file will open - ComboScan.txt
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
5. A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
6. Please copy and paste the contents of Supplementary.txt to your post.


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Ssnap
2007-02-17, 18:07
Just want to make sure you want me to make a post on highjackthis forum? I wasn't sure and wasn't sure if the url but did a search is this the forum? http://www.techsupportforum.com/security-center/hijackthis-log-help/

Angelfire777
2007-02-18, 03:30
I'm sorry if the instruction was a bit unclear..This is the HijackThis log forum :)

You just need to post the contents of the comboscan.txt and supplementary.txt to your next reply..:bigthumb:

Ssnap
2007-02-18, 19:49
Well guess it could be my fault for not knowing exactly what board I was posting on in the first place!

ComboScan v20070212.14 run by Mine on 2007-02-17 at 10:35:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as Mine.com) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:35:27 AM, on 2/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\HPHipm09.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Mine\Desktop\comboscan.exe
C:\DOCUME~1\Mine\LOCALS~1\Temp\~phzkvtu.tmp\Mine.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142632548796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe


-- HijackThis Fixed Entries (E:\hijackthis\backups\) ----------------------------

backup-20070212-105940-729 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
backup-20070212-105940-708 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - system32\drivers\ALCXWDM.SYS
3 Dot4 HPH09 - system32\DRIVERS\hphid409.sys
3 Dot4Print HPH09 (Print Class Driver for IEEE-1284.4 HPH09) - system32\DRIVERS\hphipr09.sys
3 Dot4Storage HPH09 (Storage Class Driver for IEEE-1284.4 (HPH09)) - System32\Drivers\hphs2k09.sys
3 Dot4Usb HPH09 - System32\drivers\hphius09.sys
3 FETND5BV (VIA Rhine-Family Fast Ethernet Adapter Driver Service) - system32\DRIVERS\fetnd5bv.sys
3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - system32\DRIVERS\fetnd5.sys
0 gagp30kx (Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms) - system32\DRIVERS\gagp30kx.sys
3 hidusb (Microsoft HID Class Driver) - system32\DRIVERS\hidusb.sys
1 kbdhid (Keyboard HID Driver) - system32\DRIVERS\kbdhid.sys
3 mouhid (Mouse HID Driver) - system32\DRIVERS\mouhid.sys
3 MTsensor (ATK0110 ACPI UTILITY) - system32\DRIVERS\ASACPI.sys
3 NaiAvFilter1 - system32\drivers\naiavf5x.sys
3 nv - system32\DRIVERS\nv4_mini.sys
0 PCIIde - system32\DRIVERS\pciide.sys
2 tmcomm - \??\C:\WINDOWS\system32\drivers\tmcomm.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - system32\DRIVERS\usbccgp.sys
0 ViaIde - system32\DRIVERS\viaide.sys
3 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys
3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3 IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2 McDetect.exe (McAfee WSC Integration) - c:\program files\mcafee.com\agent\mcdetect.exe
2 McShield (McAfee.com McShield) - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
2 McTskshd.exe (McAfee Task Scheduler) - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
3 mcupdmgr.exe (McAfee SecurityCenter Update Manager) - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
2 NVSvc (NVIDIA Display Driver Service) - %SystemRoot%\system32\nvsvc32.exe
3 Pml Driver - C:\WINDOWS\system32\HPHipm09.exe
3 usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
2 WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"
3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
3 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - %SystemRoot%\system32\svchost.exe -k WudfServiceGroup


-- Scheduled Tasks --------------------------------------------------------------

2007-02-17 09:53:50 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-02-16 18:30:02 358 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job<PCHEAL~1.JOB>
2007-02-07 19:00:02 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job<TUNE-U~1.JOB>


-- Files created between 2007-01-17 and 2007-02-17 ------------------------------

2007-02-15 18:53:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-15 18:53:43 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-15 18:44:46 0 d-------- C:\Documents and Settings\Mine\Application Data\RegistrySmart<REGIST~1>
2007-02-13 17:12:29 0 d-------- C:\Documents and Settings\Mine\Application Data\WinPatrol<WINPAT~1>
2007-02-13 17:12:24 0 d-------- C:\Program Files\BillP Studios<BILLPS~1>
2007-02-13 17:12:13 0 d-------- C:\WINDOWS\Downloaded Installations<DOWNLO~2>
2007-02-13 17:02:13 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~1>
2007-02-13 13:55:51 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-02-13 13:49:15 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL<Unsigned: Microsoft Corporation>
2007-02-13 11:39:43 0 d-------- C:\Program Files\Java
2007-02-13 11:39:41 0 d-------- C:\Program Files\Common Files\Java
2007-02-12 11:17:30 0 d-------- C:\Blacklight<BLACKL~1>
2007-02-12 11:13:28 0 d-------- C:\WINDOWS\system32\bfubackups<BFUBAC~1>
2007-02-11 11:33:37 1048576 --ah----- C:\Documents and Settings\Administrator.MINE\ntuser.dat
2007-02-10 21:24:11 0 d-------- C:\bintheredunthat<BINTHE~1>
2007-02-10 20:21:19 524288 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2007-02-10 20:20:40 0 d--hs---- C:\FOUND.001
2007-02-10 19:43:36 0 d-------- C:\BFU
2007-02-10 13:12:35 0 d-------- C:\Program Files\Grisoft
2007-02-10 13:06:56 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-02-06 11:48:46 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE<Unsigned: n/a>
2007-02-06 11:19:01 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-02-05 21:17:17 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>
2007-02-05 21:16:29 0 d-------- C:\Documents and Settings\Mine\.housecall6.6<HOUSEC~1.6>
2007-02-05 20:24:48 0 d-------- C:\WINDOWS\Sun
2007-02-05 20:24:48 0 d-------- C:\Documents and Settings\Mine\Application Data\Sun
2007-02-02 19:44:42 0 d-------- C:\Documents and Settings\Mine\Application Data\DivX
2007-02-02 19:43:56 0 d-------- C:\Program Files\DivX
2007-02-01 15:52:07 264754 --a------ C:\WINDOWS\system32\jhdzwsitif_nav.dat<JHDZWS~3.DAT>
2007-02-01 15:51:43 0 d-------- C:\Documents and Settings\Mine\Application Data\MessengerSkinner<MESSEN~1>
2007-02-01 15:51:35 2325 --a------ C:\WINDOWS\system32\jhdzwsitif_navps.dat<JHDZWS~2.DAT>
2007-02-01 15:51:31 303104 --a------ C:\WINDOWS\system32\jhdzwsitif.exe<JHDZWS~1.EXE><Unsigned: n/a>
2007-02-01 15:51:31 4336 --a------ C:\WINDOWS\system32\jhdzwsitif.dat<JHDZWS~1.DAT>
2007-01-29 20:02:52 0 d-------- C:\Program Files\Real
2007-01-29 19:56:15 0 d-------- C:\My Downloads<MYDOWN~1>
2007-01-19 21:51:56 0 d-------- C:\Downloads<DOWNLO~1>
2007-01-19 21:51:56 0 d-------- C:\Documents and Settings\Mine\Application Data\GetRightToGo<GETRIG~1>
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll<Signed: Microsoft Corp.>


-- Find3M Report ----------------------------------------------------------------

2007-02-15 18:53:52 0 d-------- C:\Documents and Settings\Mine\Application Data\Mozilla
2007-01-16 22:07:26 0 d-------- C:\Program Files\GetRight
2007-01-08 17:23:30 0 d-------- C:\Program Files\Windows Journal Viewer<WI96D0~1>
2006-12-29 20:50:14 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2006-12-20 11:29:42 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HPHmon03"="C:\\WINDOWS\\system32\\hphmon03.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"RegistryMechanic"=""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Hidserv"="Hidserv.exe run"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-02-17 at 10:35:51 -------------------------

Ssnap
2007-02-18, 19:50
ComboScan v20070212.14 run by Mine on 2007-02-17 at 10:35:18
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) 64 Processor 3200+
Percentage of Memory in Use: 20%
Physical Memory (total/avail): 2047.23 MiB / 1633.02 MiB
Pagefile Memory (total/avail): 4546.8 MiB / 4297.04 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1997.81 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 46.72 GiB total, 31.69 GiB free.
D: is Fixed (FAT32) - 46.67 GiB total, 41.85 GiB free.
E: is Fixed (FAT32) - 46.89 GiB total, 32.21 GiB free.
F: is Fixed (FAT32) - 45.99 GiB total, 37.57 GiB free.
G: is CDROM (CDFS)
H: is CDROM (No Media)
L: is Removable (No Media)


-- Security Center --------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: McAfee VirusScan v (McAfee)


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Mine\Application Data
CLASSPATH=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MINE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Mine
LOGONSERVER=\\MINE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f02
ProgramFiles=C:\Program Files
PROMPT=$p$g
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Mine\LOCALS~1\Temp
TMP=C:\DOCUME~1\Mine\LOCALS~1\Temp
USERDOMAIN=MINE
USERNAME=Mine
USERPROFILE=C:\Documents and Settings\Mine
winbootdir=C:\WINDOWS
windir=C:\WINDOWS


-- User Profiles ----------------------------------------------------------------

Mine (admin)
Administrator.MINE (new local, admin)


-- Add/Remove Programs ----------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Alinco Decal Plugin --> MsiExec.exe /I{3147E71C-C5B9-4322-A9FF-4877DB804295}
Alinco Filter --> MsiExec.exe /I{F1BEB8A6-2756-4A42-B155-A9BA71F9ECBC}
Asheron's Call: Throne of Destiny --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF455208-C302-4FB3-B21D-F7CBB03DDE5A}\Setup.exe" -l0x9 -removeonly
Decal 3.0 (Alpha 7: 2.9.5.0) --> MsiExec.exe /I{E58578E4-1141-4FBB-9381-E66E50D9037F}
Decal 3.0 (Alpha 8: 2.9.6.0) --> MsiExec.exe /I{6127968F-398E-45E2-A487-0A3BD89D3F4F}
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
HijackThis 1.99.1 --> E:\hijackthis\HijackThis.exe /uninstall
HP Image Zone Express --> MsiExec.exe /X{759524D5-08C9-4E88-8EB3-8D6ECB226C52}
hp photosmart printer series (Remove only) --> C:\Program Files\hp photosmart\printer\hphuni03.exe
Java(TM) SE Development Kit 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160000}
Java(TM) SE Runtime Environment 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
LifeTank X --> MsiExec.exe /I{2C8471EC-67D7-4518-88F9-32D57BB2EBDF}
LifeTank XI --> MsiExec.exe /I{642BF531-FDFD-4035-A068-E277924D57D4}
Make It! --> MsiExec.exe /I{1F06459A-C9E3-4249-A29F-5D8B18F3A0E1}
McAfee SecurityCenter --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=msc /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\screm.ui::uninstall.htm
McAfee VirusScan --> c:\PROGRA~1\mcafee.com\shared\mcappins.exe /v=3 /uninstall=1 /appid=vso /interact=1 /script_proactive=0 /start=c:\PROGRA~1\mcafee.com\agent\uninst\vsoremui.dll::uninstall.htm
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (2.0.0.1) --> C:\Program Files\Mozilla Firefox\uninstall\uninst.exe
MSN Music Assistant --> rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Registry Mechanic 5.2 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Rhapsody --> C:\PROGRA~1\RHAPSODY\UNWISE32.EXE /A C:\PROGRA~1\RHAPSODY\install.log
SCRABBLE --> C:\Program Files\\GH-SCRABBLE\uninstall.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "D:\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
The Lord of the Rings Online™: Shadows of Angmar™ v06.11.30.134 --> "C:\Program Files\Turbine\The Lord of the Rings Online\unins000.exe"
VIA Rhine-Family Fast Ethernet Adapter --> Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
Virtual Villagers 1.0 --> F:\Virtual Villagers\uninst.exe
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Uninstall --> %SYSTEMROOT%\system32\osuninst.exe
WinPatrol 2007 Restore/Remove First --> C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe -remove
WinPatrol 2007 Step 2 --> MsiExec.exe /X{736CE9DD-F589-485B-ACFF-78C235A57066}
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe


-- End of ComboScan: finished at 2007-02-17 at 10:35:51 -------------------------

Angelfire777
2007-02-19, 02:35
This isn't right...The infection you had was never cleaned..Blacklight should've detected those too..

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.

Please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select EGDACCESS.bfu
Press Execute and let it do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png again and this time select aftermath.bfu
Press Execute and let it do it’s job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot to normal mode.

Please run comboscan again then post the contents of comboscan.txt..You don't need to post supplementary.txt anymore...

Ssnap
2007-02-19, 19:29
When I run the EGDACCESS.bfu.txt I do see progress bar when I ran the aftermath.bfu.txt it either goes so quicky I don't see the bar the okay or complete box pops open immediately. I was disconnected from the modem and the router.


ComboScan v20070212.14 run by Mine on 2007-02-19 at 11:18:49
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Successfully created restore point.
Performed disk cleanup.


-- HijackThis log (run as Mine.com) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:18:58 AM, on 2/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Mine\Desktop\comboscan.exe
C:\DOCUME~1\Mine\LOCALS~1\Temp\~vrmwqty.tmp\Mine.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142632548796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe


-- HijackThis Fixed Entries (E:\hijackthis\backups\) ----------------------------

backup-20070212-105940-729 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
backup-20070212-105940-708 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

3 ALCXWDM (Service for Realtek AC97 Audio (WDM)) - system32\drivers\ALCXWDM.SYS
3 Dot4 HPH09 - system32\DRIVERS\hphid409.sys
3 Dot4Print HPH09 (Print Class Driver for IEEE-1284.4 HPH09) - system32\DRIVERS\hphipr09.sys
3 Dot4Storage HPH09 (Storage Class Driver for IEEE-1284.4 (HPH09)) - System32\Drivers\hphs2k09.sys
3 Dot4Usb HPH09 - System32\drivers\hphius09.sys
3 FETND5BV (VIA Rhine-Family Fast Ethernet Adapter Driver Service) - system32\DRIVERS\fetnd5bv.sys
3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - system32\DRIVERS\fetnd5.sys
0 gagp30kx (Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms) - system32\DRIVERS\gagp30kx.sys
3 hidusb (Microsoft HID Class Driver) - system32\DRIVERS\hidusb.sys
1 kbdhid (Keyboard HID Driver) - system32\DRIVERS\kbdhid.sys
3 mouhid (Mouse HID Driver) - system32\DRIVERS\mouhid.sys
3 MTsensor (ATK0110 ACPI UTILITY) - system32\DRIVERS\ASACPI.sys
3 NaiAvFilter1 - system32\drivers\naiavf5x.sys
3 nv - system32\DRIVERS\nv4_mini.sys
0 PCIIde - system32\DRIVERS\pciide.sys
2 tmcomm - \??\C:\WINDOWS\system32\drivers\tmcomm.sys
3 usbccgp (Microsoft USB Generic Parent Driver) - system32\DRIVERS\usbccgp.sys
0 ViaIde - system32\DRIVERS\viaide.sys
3 WudfPf (Windows Driver Foundation - User-mode Driver Framework Platform Driver) - system32\DRIVERS\WudfPf.sys
3 WudfRd (Windows Driver Foundation - User-mode Driver Framework Reflector) - system32\DRIVERS\wudfrd.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 aspnet_state (ASP.NET State Service) - %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
3 clr_optimization_v2.0.50727_32 (.NET Runtime Optimization Service v2.0.50727_X86) - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
3 IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
2 McDetect.exe (McAfee WSC Integration) - c:\program files\mcafee.com\agent\mcdetect.exe
2 McShield (McAfee.com McShield) - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
2 McTskshd.exe (McAfee Task Scheduler) - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
3 mcupdmgr.exe (McAfee SecurityCenter Update Manager) - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
2 NVSvc (NVIDIA Display Driver Service) - %SystemRoot%\system32\nvsvc32.exe
3 Pml Driver - C:\WINDOWS\system32\HPHipm09.exe
3 usnjsvc (Messenger Sharing Folders USN Journal Reader service) - "C:\Program Files\MSN Messenger\usnsvc.exe"
2 WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe"
3 WMPNetworkSvc (Windows Media Player Network Sharing Service) - "C:\Program Files\Windows Media Player\WMPNetwk.exe"
3 WudfSvc (Windows Driver Foundation - User-mode Driver Framework) - %SystemRoot%\system32\svchost.exe -k WudfServiceGroup


-- Scheduled Tasks --------------------------------------------------------------

2007-02-19 11:17:12 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
2007-02-18 20:21:04 358 --a------ C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job<PCHEAL~1.JOB>
2007-02-07 19:00:02 502 --a------ C:\WINDOWS\Tasks\Tune-up Application Start.job<TUNE-U~1.JOB>


-- Files created between 2007-01-19 and 2007-02-19 ------------------------------

2007-02-15 18:53:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-15 18:53:43 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-02-15 18:44:46 0 d-------- C:\Documents and Settings\Mine\Application Data\RegistrySmart<REGIST~1>
2007-02-13 17:12:29 0 d-------- C:\Documents and Settings\Mine\Application Data\WinPatrol<WINPAT~1>
2007-02-13 17:12:24 0 d-------- C:\Program Files\BillP Studios<BILLPS~1>
2007-02-13 17:12:13 0 d-------- C:\WINDOWS\Downloaded Installations<DOWNLO~2>
2007-02-13 17:02:13 0 d-------- C:\Program Files\SpywareGuard<SPYWAR~1>
2007-02-13 13:55:51 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
2007-02-13 13:49:15 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL<Unsigned: Microsoft Corporation>
2007-02-13 11:39:43 0 d-------- C:\Program Files\Java
2007-02-13 11:39:41 0 d-------- C:\Program Files\Common Files\Java
2007-02-12 11:17:30 0 d-------- C:\Blacklight<BLACKL~1>
2007-02-12 11:13:28 0 d-------- C:\WINDOWS\system32\bfubackups<BFUBAC~1>
2007-02-11 11:33:37 1048576 --ah----- C:\Documents and Settings\Administrator.MINE\ntuser.dat
2007-02-10 21:24:11 0 d-------- C:\bintheredunthat<BINTHE~1>
2007-02-10 20:21:19 524288 --ah----- C:\Documents and Settings\Administrator\ntuser.dat
2007-02-10 20:20:40 0 d--hs---- C:\FOUND.001
2007-02-10 19:43:36 0 d-------- C:\BFU
2007-02-10 13:12:35 0 d-------- C:\Program Files\Grisoft
2007-02-10 13:06:56 0 d-------- C:\VundoFix Backups<VUNDOF~1>
2007-02-06 11:48:46 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE<Unsigned: n/a>
2007-02-06 11:19:01 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-02-05 21:17:17 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys<Signed: Trend Micro Inc.>
2007-02-05 21:16:29 0 d-------- C:\Documents and Settings\Mine\.housecall6.6<HOUSEC~1.6>
2007-02-05 20:24:48 0 d-------- C:\WINDOWS\Sun
2007-02-05 20:24:48 0 d-------- C:\Documents and Settings\Mine\Application Data\Sun
2007-02-02 19:44:42 0 d-------- C:\Documents and Settings\Mine\Application Data\DivX
2007-02-02 19:43:56 0 d-------- C:\Program Files\DivX
2007-02-01 15:51:43 0 d-------- C:\Documents and Settings\Mine\Application Data\MessengerSkinner<MESSEN~1>
2007-01-29 20:02:52 0 d-------- C:\Program Files\Real
2007-01-29 19:56:15 0 d-------- C:\My Downloads<MYDOWN~1>
2007-01-19 21:51:56 0 d-------- C:\Downloads<DOWNLO~1>
2007-01-19 21:51:56 0 d-------- C:\Documents and Settings\Mine\Application Data\GetRightToGo<GETRIG~1>
2007-01-19 12:53:04 51056 --a------ C:\WINDOWS\system32\sirenacm.dll<Signed: Microsoft Corp.>


-- Find3M Report ----------------------------------------------------------------

2007-02-15 18:53:52 0 d-------- C:\Documents and Settings\Mine\Application Data\Mozilla
2007-01-16 22:07:26 0 d-------- C:\Program Files\GetRight
2007-01-08 17:23:30 0 d-------- C:\Program Files\Windows Journal Viewer<WI96D0~1>
2006-12-29 20:50:14 0 d-------- C:\Program Files\Windows Media Connect 2<WINDOW~4>
2006-12-20 11:29:42 0 d-------- C:\Program Files\MSN Messenger<MSNMES~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SystemTray"="SysTray.Exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HPHmon03"="C:\\WINDOWS\\system32\\hphmon03.exe"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"RegistryMechanic"=""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"WinPatrol"="C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Hidserv"="Hidserv.exe run"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of ComboScan: finished at 2007-02-19 at 11:19:24 -------------------------

Angelfire777
2007-02-20, 12:19
Hi, it looks better now..Do you still have problems accessing the comcast website?

Ssnap
2007-02-20, 18:34
The comcast page still does the same like its loading but never does and have to hit the red x to stop it. Also some webpages that I have accounts on don't recognize when I log on its just odd. Like I said to get around this I installed firefox and visit those websites witht that browsers. It works but is kinda annoying having to use two browsers Just don't understand why IE won't access the sights. Thanks so much for the help it was mostly the pop ups that were driving me crazy!

Angelfire777
2007-02-21, 12:19
Let's try this:

Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer, and post a new HijackThis log.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot – Search & Destroy after doing this.


Post back with the results..

Ssnap
2007-02-21, 19:38
Still can't access comcast or log in to yahoo.com. I put my user name and password in but it just keeps going back to the log in page. Never did install IE-SPYAD or don't think I did but will re-immunize the others. thanks :)

Logfile of HijackThis v1.99.1
Scan saved at 11:33:35 AM, on 2/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
E:\hijackthis\searching.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download2.games.yahoo.com/games/clients/y/tt5_x.cab
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zone.msn.com/binary/Upwords.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142632548796
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab53083.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe

Angelfire777
2007-02-22, 12:26
Hi,

I don't think this issue is malware related..I'm sorry but my knowledge is only limited to malware removal and I have no knowledge of troubleshooting these kinds of problems..

I suggest that you register here: www.pcpitstop.com

then you can create a new thread in the appropriate forums and ask about your problem:)

Ssnap
2007-02-22, 18:35
Thanks for all your help it was the pop ups and being infected that was worrisome. The pop ups are gone and if my system is clear from infections using two browsers is not that big of a deal.

Thank you so much.

Angelfire777
2007-02-23, 16:29
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.