Spybot is detecting Cmdservice



fadeinlight
2006-04-07, 07:33
Hello,

I've gotten nailed with the nastiest Malware I've ever gotten. I've tried running every antivirus/malware removal program I've come across (in safe mode and normal), to no avail. It's shutdown my Norton Antivirus (although I can still do scans), and rendered me unable to do a system restore (this may be due to some of the protective/removal programs I've run, although I'm not entirely sure).

Here is a posting of my HJT log--I'd be indebted to you if you could look it over.

Thank you for your time :)


Logfile of HijackThis v1.99.1
Scan saved at 10:28:09 PM, on 4/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Scope\app\bin\sfp.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\HijackThis.exe
D:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dporm.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,okvvwjw.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126253515984
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
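
An added example, not code from the thread or from HijackThis itself: a small Python triage script for the log format above. It encodes the checks a helper applies by eye to a log like this one. The F2 Winlogon values on a clean XP box are exactly Shell=Explorer.exe and UserInit=<windir>\system32\userinit.exe, so anything appended after a comma is an extra program started at every logon. O4 autostarts that point at a short, random-looking executable in the Windows directory (or a bare filename in Global Startup), O9 entries whose file is missing, and any O15 Trusted Zone addition are also flagged. The sample lines are constructed from the entry types in this log, and the KNOWN_WINDIR_RUN allowlist and the RANDOM_NAME_RE heuristic are my assumptions, not HijackThis logic.

```python
import re

# Constructed sample in HijackThis v1.99 log format, modelled on the entry
# types that appear in this thread; not the full log from the page.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dporm.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,okvvwjw.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mwcfmc] D:\WINDOWS\system32\nfxnme.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: fnjos.exe
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<key>\w+)=(?P<value>.*)$")
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")

# Assumed allowlist: executables XP itself legitimately autostarts from the
# Windows directory. Anything else there with a short lowercase name is flagged.
KNOWN_WINDIR_RUN = {"ctfmon.exe", "rundll32.exe", "wscntfy.exe"}
RANDOM_NAME_RE = re.compile(r"^[a-z]{4,8}\.exe$")   # assumed "random name" heuristic


def _exe_from_command(cmd):
    """First token of a command line, honouring quotes, lower-cased, backslash-normalised."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:cmd.find('"', 1)]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.lower().replace("/", "\\")


def analyze_hjt(text):
    """Return a list of (severity, section, reason, raw_line) findings."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2":
            f = F2_RE.match(body)
            if not f:
                continue
            key = f.group("key").lower()
            parts = [p.strip() for p in f.group("value").split(",") if p.strip()]
            # Clean XP: Shell=Explorer.exe and UserInit=<windir>\system32\userinit.exe,
            # every extra comma-separated item is one more program run at logon.
            if key == "shell":
                ok_first = bool(parts) and parts[0].lower() == "explorer.exe"
            else:
                ok_first = bool(parts) and parts[0].lower().endswith("\\system32\\userinit.exe")
            if not ok_first or len(parts) > 1:
                findings.append(("high", sec, f"extra {key} logon program(s): {parts[1:] or parts}", raw))
        elif sec == "O4":
            o = O4_RE.match(body)
            if not o:
                continue
            exe = _exe_from_command(o.group("cmd"))
            base = exe.rsplit("\\", 1)[-1]
            in_windir = "\\windows\\" in exe or "\\" not in exe   # bare name = Startup folder item
            if in_windir and base not in KNOWN_WINDIR_RUN and RANDOM_NAME_RE.match(base):
                findings.append(("high", sec, f"random-looking autostart {base} from Windows dir", raw))
        elif sec == "O9" and body.endswith("(file missing)"):
            findings.append(("low", sec, "orphaned IE button/menu entry", raw))
        elif sec == "O15":
            findings.append(("medium", sec, "site added to IE Trusted Zone (weakens IE security checks)", raw))
    return findings


if __name__ == "__main__":
    for sev, sec, why, line in analyze_hjt(SAMPLE_LOG):
        print(f"[{sev:6}] {sec}: {why}\n         {line}")
```

The script deliberately leaves O23 services and Program Files autostarts alone; the signal in this log is the pair of Winlogon additions plus the Windows-directory autostarts, which is what the fix in the thread targets.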

LonnyRJones
2006-04-07, 13:59
Welcome to the forums, fadeinlight

Create and run this batch file,

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


Start /min Hijackthis.exe /autolog

Run check.bat and post back with the text that will open

And the results of this free online scan
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x]extended this database etc etc. Click ok.
Then choose: my computer: scan all your hard drives and mapped disks.
When finished, click Save as Text and post that in your reply.

fadeinlight
2006-04-08, 05:15
Hi Lonny, thanks for the quick response!

Logfile of HijackThis v1.99.1
Scan saved at 5:59:18 PM, on 4/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\nfxnme.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\dporm.exe
D:\WINDOWS\system32\dporm.exe
D:\WINDOWS\system32\dporm.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Scope\app\bin\sfp.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe, D:\WINDOWS\system32\dporm.exe
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,okvvwjw.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
O4 - HKLM\..\Run: [mwcfmc] D:\WINDOWS\system32\nfxnme.exe reg_run
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [itjgn] D:\WINDOWS\system32\nfxnme.exe reg_run
O4 - Global Startup: fnjos.exe
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - D:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126253515984
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Results of Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, April 07, 2006 8:03:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/04/2006
Kaspersky Anti-Virus database records: 186900
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 111798
Number of viruses found: 26
Number of infected objects: 80
Number of suspicious objects: 0
Duration of the scan process: 01:02:43

Infected Object Name / Virus Name / Last Action
C:\Downloads\Software Install\Program Files\Inet Delivery\INTDEL.EXE Infected: Trojan.Win32.Delf.ff skipped
C:\Downloads\Software Install\Program Files\Inet Delivery\INTDEL_2.exe Infected: Trojan.Win32.Delf.ff skipped
C:\System Volume Information\_restore{0EC1744E-26E1-4BC4-BAE3-9CBCCF982A27}\RP68\A0010244.dll Infected: not-a-virus:AdWare.Win32.OWS skipped
C:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040639.exe Infected: Trojan-Downloader.Win32.VB.zg skipped
C:\w.exe Infected: Trojan-Downloader.Win32.Agent.aie skipped
D:\Documents and Settings\Johnny\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\6E9E159E-A999-4735-89EF-1FE2E9\8680FFE4-4071-487E-9C94-8F4188 Infected: Trojan-Downloader.Win32.Agent.agw skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040252.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040253.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040258.exe Infected: Trojan-Downloader.Win32.PurityScan.be skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040261.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP242\A0040265.exe Infected: Trojan-Dropper.Win32.VB.kk skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040302.exe Infected: Trojan-Downloader.Win32.Adload.af skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040305.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040306.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040307.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040309.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040310.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040326.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040509.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040513.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040514.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040637.exe Infected: Exploit.HTML.ObjData skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP243\A0040638.exe Infected: Exploit.HTML.ObjData skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041709.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041709.exe Inno: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041709.exe CryptFF: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041710.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041711.dll Infected: Trojan-Clicker.Win32.Small.jf skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041712.exe Infected: Trojan-Downloader.Win32.Adload.af skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041713.exe/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041713.exe Inno: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041713.exe CryptFF: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041714.exe Infected: Trojan-Downloader.Win32.Small.cjg skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041716.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.p skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041716.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041716.exe CryptFF: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041717.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041718.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041719.exe Infected: Trojan-Downloader.Win32.VB.sh skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041720.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041721.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041722.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041723.exe/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041723.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041723.exe CryptFF: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041725.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP244\A0041726.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP248\A0049210.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP248\A0049210.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP248\A0049210.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049315.exe Infected: Exploit.HTML.ObjData skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049317.exe/data0001 Infected: Trojan-Clicker.Win32.Small.jf skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049317.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049318.exe Infected: Exploit.HTML.ObjData skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049319.exe Infected: Trojan.Win32.VB.tg skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049320.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP254\A0049321.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP260\A0049697.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP260\A0049697.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP260\A0049697.exe NSIS: infected - 2 skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP261\A0049936.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP261\A0049936.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
D:\System Volume Information\_restore{DF707B6C-E923-4DD7-B999-5CF699EEBE6D}\RP261\A0049936.exe NSIS: infected - 2 skipped
D:\WINDOWS\country.exe Infected: Exploit.HTML.ObjData skipped
D:\WINDOWS\pss\fnjos.exeCommon Startup Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
D:\WINDOWS\system32\q3.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\WINDOWS\system32\q5.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\WINDOWS\system32\sdmqx.dat Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
D:\WINDOWS\system32\Setup94.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\WINDOWS\system32\Setup94.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\system32\Setup94.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\system32\Setup94.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\system32\Setup94.exe NSIS: infected - 4 skipped
D:\WINDOWS\system32\Win3.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf skipped
D:\WINDOWS\system32\Win3.exe NSIS: infected - 1 skipped
D:\WINDOWS\system32\z1.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
D:\WINDOWS\system32\ѕystem32\logonui.exe Infected: Trojan-Downloader.Win32.PurityScan.w skipped
D:\WINDOWS\uniq Infected: Exploit.HTML.ObjData skipped
D:\WINDOWS\YazzleBundle-1119.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
D:\WINDOWS\YazzleBundle-1119.exe NSIS: infected - 1 skipped

Scan process completed.


Didn't come up with any viruses in scans before I got this adware...did it download them?

Regardless, thank you again for your time :)

LonnyRJones
2006-04-08, 05:45
Download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).
Unzip it to its own folder (c:\BFU). It must be unzipped into the Root\BFU folder, where Root is the drive Windows is installed on,
so in your case make the BFU folder on D:\
Right-click on this link, choose Save Target As, and save qooFix.bat to that BFU folder.
http://downloads.subratam.org/Lon/qooFix.bat
Run qooFix.bat. Close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Be patient; it will take about five minutes.
After the PC has restarted

Delete these files and folder
C:\w.exe
D:\WINDOWS\country.exe
D:\WINDOWS\pss\fnjos.exe
D:\WINDOWS\system32\q3.exe
D:\WINDOWS\system32\q5.exe
D:\WINDOWS\system32\Setup94.exe
D:\WINDOWS\system32\Win3.exe
D:\WINDOWS\system32\z1.exe
D:\WINDOWS\system32\ѕystem32\logonui.exe
D:\WINDOWS\uniq
D:\WINDOWS\YazzleBundle-1119.exe
C:\Downloads\Software Install\Program Files\Inet Delivery
====================

D:\WINDOWS\pss
What else is in the PSS folder ?

D:\WINDOWS\system32\ѕystem32
What else is in that second system32 folder ?

Once back at the forum make/post another hijackthis log.
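
An added example, not part of the thread and not code from the Kaspersky scanner: a Python triage of the report format quoted above, written to separate what needs action from what does not, the way the deletion list above was drawn up from it. Hits under System Volume Information\_restore are inactive copies inside restore points (purging restore points, i.e. turning System Restore off and back on, removes them); hits under another tool's Quarantine folder are already contained; everything else is a live file. Archive or installer members (/data0002, /stream) are collapsed to the container file on disk, which is the thing to delete. It also flags non-ASCII characters in paths: in the report, the second "system32" is spelled with a Cyrillic letter that looks like a Latin "s", so a search by the ASCII spelling will not match that folder. The sample lines are constructed from the report, and the classify rules are my assumptions, not the scanner's.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed excerpt in the line format of the Kaspersky On-line Scanner
# report quoted in the thread: "<object> Infected: <name> <action>" and
# "<object> <packer>: infected - <n> <action>". Representative lines only.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\w.exe Infected: Trojan-Downloader.Win32.Agent.aie skipped
C:\System Volume Information\_restore{0EC1744E-26E1-4BC4-BAE3-9CBCCF982A27}\RP68\A0010244.dll Infected: not-a-virus:AdWare.Win32.OWS skipped
D:\Documents and Settings\Johnny\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\6E9E159E\8680FFE4 Infected: Trojan-Downloader.Win32.Agent.agw skipped
D:\WINDOWS\pss\fnjos.exeCommon Startup Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
D:\WINDOWS\system32\Setup94.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
D:\WINDOWS\system32\Setup94.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
D:\WINDOWS\system32\Setup94.exe NSIS: infected - 4 skipped
D:\WINDOWS\uniq Infected: Exploit.HTML.ObjData skipped
""" + (
    # The second "system32" in the report is spelled with U+0455 (Cyrillic small
    # letter dze), a look-alike of Latin "s"; written as an escape so it survives copy/paste.
    "D:\\WINDOWS\\system32\\\u0455ystem32\\logonui.exe Infected: "
    "Trojan-Downloader.Win32.PurityScan.w skipped\n"
)

LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?:Infected: (?P<name>\S+)|(?P<packer>\w+): infected - \d+) (?P<action>\w+)$"
)


def classify(path):
    """Where the hit lives decides what to do about it (assumed rules, not the scanner's)."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"   # inert unless System Restore replays it; purge restore points
    if "\\quarantine\\" in low:
        return "quarantine"      # already contained by another tool; empty that quarantine
    return "live"                # on-disk file the user must delete (and re-scan afterwards)


def lookalike_chars(path):
    """Non-ASCII characters in a path that should be plain ASCII, with their Unicode names."""
    return [(c, unicodedata.name(c, "?")) for c in path if ord(c) > 127]


def triage(report):
    by_file = defaultdict(set)   # on-disk file -> detection names seen in it
    category = {}
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # "/data0002" or "/stream" are members inside an archive or installer;
        # the object to delete is the container file on disk.
        disk_file = m.group("obj").split("/")[0]
        category[disk_file] = classify(disk_file)
        by_file[disk_file].add(m.group("name") or "packed:" + m.group("packer"))
    live = sorted(f for f, c in category.items() if c == "live")
    lookalikes = {f: lookalike_chars(f) for f in category if lookalike_chars(f)}
    return {"by_file": dict(by_file), "category": category,
            "live": live, "lookalikes": lookalikes}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for cat in ("live", "quarantine", "restore_point"):
        print(f"== {cat}: {sum(1 for c in result['category'].values() if c == cat)} file(s)")
    for f in result["live"]:
        print("  delete:", f, "->", ", ".join(sorted(result["by_file"][f])))
    for f, chars in result["lookalikes"].items():
        print("  LOOK-ALIKE PATH:", f, chars)
```

On the real report, the "live" bucket is the set of files in the delete list above, while the forty-odd restore-point entries need no per-file action. The look-alike check is the one to keep in your toolbox: a directory or file name that renders like a system name but contains a non-ASCII code point is a deliberate attempt to survive a visual review and a name-based search.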

fadeinlight
2006-04-08, 10:49
Hello Lonny :)

I was unable to locate this file:
D:\WINDOWS\system32\?ystem32\logonui.exe

The contents of the PSS folder are as follows:
Adobe Gamma Loader.exe.lnkCommon Startup
Adobe Gamma Loader.lnkCommon Startup
Adobe Reader Speed Launch.lnkCommon Startup
boot.ini.backup
LimeWire On Startup.lnkStartup
Microsoft Office.lnkCommon Startup
System.ini.backup
win.ini.backup

The contents of D:\WINDOWS\system32\?ystem32:
<empty folder> (I may have made this folder a long time ago while trying to change some settings, and forgotten to delete it)

Results of the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 1:48:39 AM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Scope\app\bin\sfp.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126253515984
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you so much for your help...this has really been bothering me :)

LonnyRJones
2006-04-08, 14:30
Start Hijackthis and place a check next to these items if there.
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
====================================
Hit fix checked and close Hijackthis.

Update then check for and fix any problems found with Spybot

Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
Replace it about once monthly to keep it updated


To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Are there any problems or questions now ?

fadeinlight
2006-04-08, 23:39
Hello Lonny :)

Unfortunately, Spybot is still detecting Cmdservice :(. On a positive note, I've seen a boost in performance, and no unsolicited popups :)

Results of the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 2:07:11 PM, on 4/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Defender\MsMpEng.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Scope\app\bin\sfp.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Johnny\Desktop\Malware Removal\Hijack This\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [InitPulsar] D:/Scope/app/bin/sfp.exe -s
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunServer] D:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: All In Poker - {7FD14A80-30CB-434e-90A3-DEC1B1EA2014} - D:\Program Files\allinpokerMPP\MPPoker.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - D:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126253515984
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - D:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - D:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Note: I found the D:\WINDOWS\system32\ѕystem32\logonui.exe file, and deleted it after again running BFU as per your instructions. It turned out that I'd left the "hide system files/folders etc." checkbox checked.

Do you think I should reinstall Norton Antivirus? I noticed that they had adware Yazzle listed as a new threat on their main page. At the moment, the Auto-Protect feature is disabled.

Also, I've noticed that my hard drives seem to be at work at times when it doesn't seem that they should be (as if they were reading a large file or something). Norton Auto-Protect was serving as a basic firewall for me--do you think I should install Zone Alarm?

I've followed all of the instructions on the preventative measures link you posted (although I didn't have to change my settings temporarily so I could get Kaspersky to work).

Thanks again for your help :)

LonnyRJones
2006-04-09, 00:54
Hi

Cmdservice is only a leftover; the permissions on the key are probably messed up.

Please download and unzip Ren-cmdservice to your desktop.
It will only work correctly if the folder is placed on your desktop and extracted.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by doubleclicking it and then doubleclick the
ren-cmdservice.bat file to run the program.
A text will open when it is finished. Post it, please.
Then restart the PC, run Spybot, and check for and fix any problems found.
In your next check it won't be there.

Frankly I would can Norton's programs (uninstall, reboot) and install some other programs for an AV and firewall.
Or uninstall, reboot and install again; hopefully that will repair it.
There are several listed on the page I posted for you.
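The cleanup above (inspect the leftover service key, give SYSTEM and Administrators full control, then delete the service) can be checked the same way from PowerShell. This is an added example, not the ren-cmdservice tool or anything from the thread; it assumes an elevated Windows PowerShell session, and the service name defaults to the thread's cmdservice.

```powershell
# Added example (not the ren-cmdservice.bat from the thread): audit an orphaned
# service key and, only with -Remove, repair its ACL and delete it.
param([string]$ServiceName = 'cmdservice', [switch]$Remove)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (-not (Test-Path $key)) { Write-Host "$ServiceName : no service key present"; return }

# 1. A service entry with no ImagePath is a leftover: nothing can be started from it.
$props = Get-ItemProperty -Path $key
if ($props.PSObject.Properties['ImagePath']) {
    Write-Host "ImagePath : $($props.ImagePath)"
} else {
    Write-Host 'No ImagePath listed in registry (orphaned entry)'
}

# 2. Print the current permissions (what RegDACL showed as 'Original perms').
$acl = Get-Acl -Path $key
$acl.Access | Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# 3. SYSTEM and Administrators need Full Control, or the service manager cannot delete the key.
$full = [System.Security.AccessControl.RegistryRights]::FullControl
$needed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$missing = foreach ($id in $needed) {
    $ok = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $id -and $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    if (-not $ok) { $id }
}
if ($missing) { Write-Host "Missing Full Control for: $($missing -join ', ')" }

if (-not $Remove) { return }   # audit only unless the caller asked for removal

# 4. Back up the key first (the batch file kept a 'bakhive'); reg.exe export is the stock tool.
$backup = Join-Path $env:TEMP "$ServiceName-services-key.reg"
reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$ServiceName" $backup /y | Out-Null

# 5. Grant the missing Full Control entries, then ask the SCM to delete the service.
foreach ($id in $missing) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $id, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $key -AclObject $acl
sc.exe delete $ServiceName
# If the SCM refuses (the log's 'DeleteService FAIL'), drop the key directly; a reboot completes it.
if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
```

Set-Acl fails if the current account cannot write the key's DACL (for example when a previous owner change locked it), which is exactly the "permissions messed up" case; taking ownership first with regedit's Permissions dialog resolves that.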

fadeinlight
2006-04-09, 08:27
Lonny,

Everything is as you said it would be :)

Results of rencmdservice.bat:
Running from D:\Documents and Settings\Johnny\Desktop\ren-cmdservice
No Image Path Listed in Registry

Original perms.

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Read NT AUTHORITY\INTERACTIVE
Full access BUILTIN\Administrators


-----------------
Adjusted permisions

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Effective permissions for Registry key HKLM\SYSTEM\CurrentControlSet\Services\cmdservice:
Full access BUILTIN\Administrators
Full access NT AUTHORITY\INTERACTIVE
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access NT AUTHORITY\SYSTEM


-----------------
Deleting cmdservie key
[SWSC] DeleteService FAIL
Delete Network Monitor if present
[SWSC] DeleteService FAIL
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
A Backup made was made, bakhive
Finised, Post the logit.txt then restart your PC please
ren-cmdservice.bat edited 2-4-2006
-----------------


Thank you so much for all of your help! I'm humbled by your knowledge. I'll be finished with bartending school in 3 weeks--if you ever find yourself in Vegas, send me an email at [Removed email address](make sure you put your name in the subject). Drinks will be on me :) Also, I'll be sending a donation as soon as humanly possible.

Thanks again!

LonnyRJones
2006-04-10, 14:59
Are there any current problems ?

tashi
2006-04-14, 18:19
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help. :)