PLEASE HELP!! Pop-ups, error msgs, slow overall performance (HJT log included)
I have run spybot, adaware, and then ewido in safe mode. However, I still have frequent pop-ups and slow system performance. I also received numerous error msgs when I rebooted after running the above programs. Thank you in advance for your help.
---------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:23:55 PM, on 4/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\mousepad9.exe
C:\WINNT\pudpgsxA.exe
C:\WINNT\sys02113884113.exe
C:\WINNT\errorhandler.exe
C:\WINNT\win3207411311388.exe
C:\WINNT\sys09131138841.exe
C:\Program Files\?icrosoft.NET\chkntfs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\WINNT\system32\rundll32.exe
C:\PROGRA~1\STEM~1\wuauboot.exe
C:\Program Files\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r1.attbi.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Search - {A36C5646-85E9-161F-FF50-9E430444F721} - C:\WINNT\Fekqxqoi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard9.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [pudpgsxA] C:\WINNT\pudpgsxA.exe
O4 - HKLM\..\Run: [sys02113884113] C:\WINNT\sys02113884113.exe
O4 - HKLM\..\Run: [w816baeb.dll] RUNDLL32.EXE w816baeb.dll,I2 0000ae7f0816baeb
O4 - HKLM\..\Run: [errorhandler] C:\WINNT\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINNT\system32\expload.exe
O4 - HKLM\..\Run: [ms04388411311] C:\WINNT\ms04388411311.exe
O4 - HKLM\..\Run: [win3207411311388] C:\WINNT\win3207411311388.exe
O4 - HKLM\..\Run: [w170fdec.dll] RUNDLL32.EXE w170fdec.dll,I2 0000ae7f0170fdec
O4 - HKLM\..\Run: [w00bca7b.dll] RUNDLL32.EXE w00bca7b.dll,I2 0000ae7f000bca7b
O4 - HKLM\..\Run: [w00357a4.dll] RUNDLL32.EXE w00357a4.dll,I2 0000ae7f000357a4
O4 - HKLM\..\Run: [w0024e07.dll] RUNDLL32.EXE w0024e07.dll,I2 0000ae7f00024e07
O4 - HKLM\..\Run: [w010d0fa.dll] RUNDLL32.EXE w010d0fa.dll,I2 0000ae7f0010d0fa
O4 - HKLM\..\Run: [w002a7d8.dll] RUNDLL32.EXE w002a7d8.dll,I2 0000ae7f0002a7d8
O4 - HKLM\..\Run: [w006d1fc.dll] RUNDLL32.EXE w006d1fc.dll,I2 0000ae7f0006d1fc
O4 - HKLM\..\Run: [w002502d.dll] RUNDLL32.EXE w002502d.dll,I2 0000ae7f0002502d
O4 - HKLM\..\Run: [w0023576.dll] RUNDLL32.EXE w0023576.dll,I2 0000ae7f00023576
O4 - HKLM\..\Run: [w004e8a6.dll] RUNDLL32.EXE w004e8a6.dll,I2 0000ae7f0004e8a6
O4 - HKLM\..\Run: [w00244f3.dll] RUNDLL32.EXE w00244f3.dll,I2 0000ae7f000244f3
O4 - HKLM\..\Run: [w001836e.dll] RUNDLL32.EXE w001836e.dll,I2 0000ae7f0001836e
O4 - HKLM\..\Run: [w037e96e.dll] RUNDLL32.EXE w037e96e.dll,I2 0000ae7f0037e96e
O4 - HKLM\..\Run: [w00144e1.dll] RUNDLL32.EXE w00144e1.dll,I2 0000ae7f000144e1
O4 - HKLM\..\Run: [w002494b.dll] RUNDLL32.EXE w002494b.dll,I2 0000ae7f0002494b
O4 - HKLM\..\Run: [w00b7995.dll] RUNDLL32.EXE w00b7995.dll,I2 0000ae7f000b7995
O4 - HKLM\..\Run: [w003718a.dll] RUNDLL32.EXE w003718a.dll,I2 0000ae7f0003718a
O4 - HKLM\..\Run: [w002cb67.dll] RUNDLL32.EXE w002cb67.dll,I2 0000ae7f0002cb67
O4 - HKLM\..\Run: [sys09131138841] C:\WINNT\sys09131138841.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.23/06edaa62e650d23c7023/netzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattleu.edu
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\k6lq0g35e6.dll
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXN0b3BoZXIgS2F0YWhpcmE\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe
Hello and welcome. :)
==
Please print these instructions out, or write them down, as you can't read them during the fix.
Please download Look2Me-Destroyer (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Before continuing with the fix there is something you must do:
Click Start -> Run and type in: services.msc
Check that the following service is running and that its startup is set to automatic:
Runas
Next, your machine needs to be offline; manually disconnect the network cable if necessary.
Your antivirus and every other piece of security software MUST be disabled.
Now continue:
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: "Done removing infected files! Look2Me-Destroyer will now shut down your computer." Click OK.
Your computer will then shut down.
Turn your computer back on.
Re-launch your Anti-virus/Firewall protection.
Re-connect back to the internet.
Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
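Added example, not part of this thread and not code from HijackThis or Look2Me-Destroyer: a small Python triage script that encodes the patterns a helper reads off the log above, namely the RUNDLL32 "w…….dll,I2" loaders, the Winlogon Notify hooks (guard.tmp and a random-named DLL), the text/html filter, the "?icrosoft.NET" look-alike folder and the base64-named service folder. The sample lines are copied from the posted log; the allowlist of standard notification DLLs is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# mixed with benign entries, so the triage rules can be exercised offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [w816baeb.dll] RUNDLL32.EXE w816baeb.dll,I2 0000ae7f0816baeb
O4 - HKLM\..\Run: [sys02113884113] C:\WINNT\sys02113884113.exe
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: ModuleUsage - C:\WINNT\system32\guard.tmp (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINNT\system32\k6lq0g35e6.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXN0b3BoZXIgS2F0YWhpcmE\command.exe (file missing)
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
"""

# Look2Me-style loader: rundll32 calling the "I2" export of a DLL named "w" + 7 hex digits,
# with a 16-hex-digit argument, exactly as in the O4 block of the log above.
L2M_RUNDLL = re.compile(r"RUNDLL32\.EXE\s+w[0-9a-f]{7}\.dll,I2\s+[0-9a-f]{16}", re.I)
# Dropper naming seen in the log: sys/win/ms followed by a long run of digits.
NUMERIC_EXE = re.compile(r"\\(?:sys|win|ms)\d{8,}\.exe$", re.I)
# Windows 2000/XP register only a few Winlogon notification DLLs out of the box;
# this allowlist is an assumption made for the example, not something from the thread.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll"}
# A directory whose name is a long run of base64 characters (see the cmdService path).
BASE64_DIR = re.compile(r"\\[A-Za-z0-9+/]{20,}={0,2}\\")


def basename(path: str) -> str:
    """Last path component, lower-cased, with any trailing HijackThis annotation removed."""
    return path.replace("(file missing)", "").strip().split("\\")[-1].lower()


def check_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line looks suspicious (empty list = nothing flagged)."""
    reasons: List[str] = []
    section = line.split(" - ", 1)[0]
    if "?" in line:
        # HijackThis prints "?" for a non-printable character; "?icrosoft.NET" is a
        # folder name built to pass as "Microsoft.NET" at a glance.
        reasons.append("non-printable character in path (look-alike folder name)")
    if section == "O4":
        target = line.split("] ", 1)[-1]
        if L2M_RUNDLL.search(target):
            reasons.append("Look2Me-style rundll32 loader")
        if NUMERIC_EXE.search(target):
            reasons.append("randomly numbered executable in the Windows directory")
    elif section == "O18" and line.startswith("O18 - Filter: text/html"):
        # A text/html filter sits in front of every page IE renders: classic ad injector.
        reasons.append("text/html filter registered: intercepts every rendered web page")
    elif section == "O20":
        dll = basename(line.rsplit(" - ", 1)[-1])
        if dll not in KNOWN_NOTIFY_DLLS:
            reasons.append("Winlogon Notify package outside the known set (Look2Me indicator)")
    elif section == "O23" and BASE64_DIR.search(line):
        reasons.append("service binary under a base64-looking directory name")
    if line.endswith("(file missing)"):
        reasons.append("registered but file missing: leftover hook to clean up")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged log line to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a full saved log and the unflagged remainder (the Synaptics, Dell, Symantec and Google entries here) is what a helper would normally leave alone.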
Thank you so much for your quick response. I have posted the contents of Look2Me-Destroyer.txt and a fresh HiJackThis log below. Also, when I rebooted after running Look2Me-Destroyer, I received 18 "RUNDLL" error msgs that "Error loading -------.dll, The specified module could not be found." Then the cascading "RUNDLL" msgs end with one that reads, "Error loading C:\PROGRA~1\NEWDOT~\NEWDOT~2.DLL." It then reads as the other 18 or so did, "The specified module could not be found." Again, thank you for your help.
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 4/9/2006 8:59:10 PM
Infected! C:\WINNT\system32\irr2l59o1.dll
Infected! C:\WINNT\system32\guard.tmp
Infected! C:\WINNT\SYSTEM32\irr2l59o1.dll
Infected! C:\WINNT\SYSTEM32\o0840alqedqe0.dll
Infected! C:\WINNT\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINNT\system32\irr2l59o1.dll
C:\WINNT\system32\irr2l59o1.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp Deleted successfully!
Attempting to delete: C:\WINNT\SYSTEM32\irr2l59o1.dll
C:\WINNT\SYSTEM32\irr2l59o1.dll Deleted successfully!
Attempting to delete: C:\WINNT\SYSTEM32\o0840alqedqe0.dll
C:\WINNT\SYSTEM32\o0840alqedqe0.dll Deleted successfully!
Attempting to delete: C:\WINNT\system32\guard.tmp
C:\WINNT\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ModuleUsage
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FE2E1250-B3B8-45A5-A8F5-64A88A4D964E}"
HKCR\Clsid\{FE2E1250-B3B8-45A5-A8F5-64A88A4D964E}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B213775B-6606-4764-ABFC-24D92A707E09}"
HKCR\Clsid\{B213775B-6606-4764-ABFC-24D92A707E09}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DE71F890-565C-43B6-8ADB-0879DD77B5E7}"
HKCR\Clsid\{DE71F890-565C-43B6-8ADB-0879DD77B5E7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4DDF0CC6-8AB2-4655-BE0B-54BA6E8887D4}"
HKCR\Clsid\{4DDF0CC6-8AB2-4655-BE0B-54BA6E8887D4}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{99CCF1D6-F032-4B9E-8AF0-19DC7DBA8362}"
HKCR\Clsid\{99CCF1D6-F032-4B9E-8AF0-19DC7DBA8362}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Logfile of HijackThis v1.99.1
Scan saved at 9:09:40 PM, on 4/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\mousepad9.exe
C:\WINNT\pudpgsxA.exe
C:\WINNT\sys02113884113.exe
C:\WINNT\errorhandler.exe
C:\WINNT\win3207411311388.exe
C:\WINNT\sys09131138841.exe
C:\PROGRA~1\STEM~1\wuauboot.exe
C:\Program Files\?icrosoft.NET\chkntfs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r1.attbi.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Search - {A36C5646-85E9-161F-FF50-9E430444F721} - C:\WINNT\Fekqxqoi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [pudpgsxA] C:\WINNT\pudpgsxA.exe
O4 - HKLM\..\Run: [sys02113884113] C:\WINNT\sys02113884113.exe
O4 - HKLM\..\Run: [w816baeb.dll] RUNDLL32.EXE w816baeb.dll,I2 0000ae7f0816baeb
O4 - HKLM\..\Run: [errorhandler] C:\WINNT\errorhandler.exe
O4 - HKLM\..\Run: [expload.exe] C:\WINNT\system32\expload.exe
O4 - HKLM\..\Run: [ms04388411311] C:\WINNT\ms04388411311.exe
O4 - HKLM\..\Run: [win3207411311388] C:\WINNT\win3207411311388.exe
O4 - HKLM\..\Run: [w170fdec.dll] RUNDLL32.EXE w170fdec.dll,I2 0000ae7f0170fdec
O4 - HKLM\..\Run: [w00bca7b.dll] RUNDLL32.EXE w00bca7b.dll,I2 0000ae7f000bca7b
O4 - HKLM\..\Run: [w00357a4.dll] RUNDLL32.EXE w00357a4.dll,I2 0000ae7f000357a4
O4 - HKLM\..\Run: [w0024e07.dll] RUNDLL32.EXE w0024e07.dll,I2 0000ae7f00024e07
O4 - HKLM\..\Run: [w010d0fa.dll] RUNDLL32.EXE w010d0fa.dll,I2 0000ae7f0010d0fa
O4 - HKLM\..\Run: [w002a7d8.dll] RUNDLL32.EXE w002a7d8.dll,I2 0000ae7f0002a7d8
O4 - HKLM\..\Run: [w006d1fc.dll] RUNDLL32.EXE w006d1fc.dll,I2 0000ae7f0006d1fc
O4 - HKLM\..\Run: [w002502d.dll] RUNDLL32.EXE w002502d.dll,I2 0000ae7f0002502d
O4 - HKLM\..\Run: [w0023576.dll] RUNDLL32.EXE w0023576.dll,I2 0000ae7f00023576
O4 - HKLM\..\Run: [w004e8a6.dll] RUNDLL32.EXE w004e8a6.dll,I2 0000ae7f0004e8a6
O4 - HKLM\..\Run: [w00244f3.dll] RUNDLL32.EXE w00244f3.dll,I2 0000ae7f000244f3
O4 - HKLM\..\Run: [w001836e.dll] RUNDLL32.EXE w001836e.dll,I2 0000ae7f0001836e
O4 - HKLM\..\Run: [w037e96e.dll] RUNDLL32.EXE w037e96e.dll,I2 0000ae7f0037e96e
O4 - HKLM\..\Run: [w00144e1.dll] RUNDLL32.EXE w00144e1.dll,I2 0000ae7f000144e1
O4 - HKLM\..\Run: [w002494b.dll] RUNDLL32.EXE w002494b.dll,I2 0000ae7f0002494b
O4 - HKLM\..\Run: [w00b7995.dll] RUNDLL32.EXE w00b7995.dll,I2 0000ae7f000b7995
O4 - HKLM\..\Run: [w003718a.dll] RUNDLL32.EXE w003718a.dll,I2 0000ae7f0003718a
O4 - HKLM\..\Run: [w002cb67.dll] RUNDLL32.EXE w002cb67.dll,I2 0000ae7f0002cb67
O4 - HKLM\..\Run: [sys09131138841] C:\WINNT\sys09131138841.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.23/06edaa62e650d23c7023/netzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattleu.edu
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Q2hyaXN0b3BoZXIgS2F0YWhpcmE\command.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe
I received 18 "RUNDLL" error msgs that "Error loading -------.dll, The specified module could not be found." Then the cascading "RUNDLL" msgs end with one that reads, "Error loading C:\PROGRA~1\NEWDOT~\NEWDOT~2.DLL." It then reads as the other 18 or so did, "The specified module could not be found."
Not surprising at all; you have a badly infected PC, but we'll get it cleaned up ;)
Let's continue.
==
Please print these instructions out, or write them down, as you can't read them during the fix.
1. Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/ (http://www.ewido.net/en/download/)
Please read Ewido Setup Instructions (http://rstones12.geekstogo.com/ewidosetup.htm)
Install it, and update the definitions to the newest files. Do NOT run a scan yet.
==
2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).
==
4. Please download delcmdservice (http://users.telenet.be/marcvn/tools/delcmdservice.zip) (by Marckie), and save it to your Desktop.
Unzip the content to your Desktop (a folder named delcmdservice)
Do not do anything with these yet!
==
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
==
5. Once in Safe Mode, Run Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido anti-malware.
==
6. Run Delcmdservice:
Double-click on the delcmdservice folder.
Double-click on delreg.bat to launch the tool.
When the tool has finished, close it.
==
7. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
In the Scriptline to execute field, type or paste c:\bfu\alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the Complete script execution box to pop up and hit OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the Ewido log that you saved along with a fresh HiJackThis log.
Here are the Ewido and HJT logs as requested:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 12:08:39 AM, 4/11/2006
+ Report-Checksum: 8B2CEFC5
+ Scan result:
C:\WINNT\pudpgsxA.exe -> Hijacker.VB.ij : Cleaned with backup
C:\WINNT\errorhandler.exe -> Downloader.VB.nw : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Local Settings\Temporary Internet Files\Content.IE5\8PHX628K\!update-3595[1].0000 -> Downloader.PurityScan.bw : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Local Settings\Temporary Internet Files\Content.IE5\ST6VK1UJ\AppWrap[1].exe -> Adware.Zestyfind : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Local Settings\Temporary Internet Files\Content.IE5\ST6VK1UJ\keyboard9[1].exe -> Downloader.VB.aaf : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@www.casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Christopher Katahira\Cookies\katahic@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
::Report End
-----------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:32:34 AM, on 4/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\windows\mousepad9.exe
C:\WINNT\sys02113884113.exe
C:\WINNT\win3207411311388.exe
C:\WINNT\sys09131138841.exe
C:\PROGRA~1\STEM~1\wuauboot.exe
C:\Program Files\?icrosoft.NET\chkntfs.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\Program Files\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r1.attbi.com
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Search - {A36C5646-85E9-161F-FF50-9E430444F721} - C:\WINNT\Fekqxqoi.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [sys02113884113] C:\WINNT\sys02113884113.exe
O4 - HKLM\..\Run: [w816baeb.dll] RUNDLL32.EXE w816baeb.dll,I2 0000ae7f0816baeb
O4 - HKLM\..\Run: [expload.exe] C:\WINNT\system32\expload.exe
O4 - HKLM\..\Run: [ms04388411311] C:\WINNT\ms04388411311.exe
O4 - HKLM\..\Run: [win3207411311388] C:\WINNT\win3207411311388.exe
O4 - HKLM\..\Run: [w170fdec.dll] RUNDLL32.EXE w170fdec.dll,I2 0000ae7f0170fdec
O4 - HKLM\..\Run: [w00bca7b.dll] RUNDLL32.EXE w00bca7b.dll,I2 0000ae7f000bca7b
O4 - HKLM\..\Run: [w00357a4.dll] RUNDLL32.EXE w00357a4.dll,I2 0000ae7f000357a4
O4 - HKLM\..\Run: [w0024e07.dll] RUNDLL32.EXE w0024e07.dll,I2 0000ae7f00024e07
O4 - HKLM\..\Run: [w010d0fa.dll] RUNDLL32.EXE w010d0fa.dll,I2 0000ae7f0010d0fa
O4 - HKLM\..\Run: [w002a7d8.dll] RUNDLL32.EXE w002a7d8.dll,I2 0000ae7f0002a7d8
O4 - HKLM\..\Run: [w006d1fc.dll] RUNDLL32.EXE w006d1fc.dll,I2 0000ae7f0006d1fc
O4 - HKLM\..\Run: [w002502d.dll] RUNDLL32.EXE w002502d.dll,I2 0000ae7f0002502d
O4 - HKLM\..\Run: [w0023576.dll] RUNDLL32.EXE w0023576.dll,I2 0000ae7f00023576
O4 - HKLM\..\Run: [w004e8a6.dll] RUNDLL32.EXE w004e8a6.dll,I2 0000ae7f0004e8a6
O4 - HKLM\..\Run: [w00244f3.dll] RUNDLL32.EXE w00244f3.dll,I2 0000ae7f000244f3
O4 - HKLM\..\Run: [w001836e.dll] RUNDLL32.EXE w001836e.dll,I2 0000ae7f0001836e
O4 - HKLM\..\Run: [w037e96e.dll] RUNDLL32.EXE w037e96e.dll,I2 0000ae7f0037e96e
O4 - HKLM\..\Run: [w00144e1.dll] RUNDLL32.EXE w00144e1.dll,I2 0000ae7f000144e1
O4 - HKLM\..\Run: [w002494b.dll] RUNDLL32.EXE w002494b.dll,I2 0000ae7f0002494b
O4 - HKLM\..\Run: [w00b7995.dll] RUNDLL32.EXE w00b7995.dll,I2 0000ae7f000b7995
O4 - HKLM\..\Run: [w003718a.dll] RUNDLL32.EXE w003718a.dll,I2 0000ae7f0003718a
O4 - HKLM\..\Run: [w002cb67.dll] RUNDLL32.EXE w002cb67.dll,I2 0000ae7f0002cb67
O4 - HKLM\..\Run: [sys09131138841] C:\WINNT\sys09131138841.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.23/06edaa62e650d23c7023/netzip/RdxIE.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattleu.edu
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe
Well, that's starting to look better now ;)
Go ahead and remove Ewido, delcmdservice as well as Look2Me-Destroyer.
==
RIGHT-CLICK HERE (http://downloads.subratam.org/Lon/qooFix.bat) and choose "Save As" (in IE it's "Save Target As") in order to download QooFix.bat by LonnyRJones.
Save it in the same folder you made earlier (c:\BFU).
Please close ALL other open windows & explorer folders, then double-click on QooFix.bat.
Choose option 1# (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
==
Then continue with the following:
Please download WinPFind (http://www.bleepingcomputer.com/files/winpfind.php):
Right-click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Don't do anything with it yet.
==
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
==
Once in Safe Mode, run a scan with HijackThis and check the following objects for removal IF PRESENT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: Search - {A36C5646-85E9-161F-FF50-9E430444F721} - C:\WINNT\Fekqxqoi.dll (file missing)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [sys02113884113] C:\WINNT\sys02113884113.exe
O4 - HKLM\..\Run: [w816baeb.dll] RUNDLL32.EXE w816baeb.dll,I2 0000ae7f0816baeb
O4 - HKLM\..\Run: [expload.exe] C:\WINNT\system32\expload.exe
O4 - HKLM\..\Run: [ms04388411311] C:\WINNT\ms04388411311.exe
O4 - HKLM\..\Run: [win3207411311388] C:\WINNT\win3207411311388.exe
O4 - HKLM\..\Run: [w170fdec.dll] RUNDLL32.EXE w170fdec.dll,I2 0000ae7f0170fdec
O4 - HKLM\..\Run: [w00bca7b.dll] RUNDLL32.EXE w00bca7b.dll,I2 0000ae7f000bca7b
O4 - HKLM\..\Run: [w00357a4.dll] RUNDLL32.EXE w00357a4.dll,I2 0000ae7f000357a4
O4 - HKLM\..\Run: [w0024e07.dll] RUNDLL32.EXE w0024e07.dll,I2 0000ae7f00024e07
O4 - HKLM\..\Run: [w010d0fa.dll] RUNDLL32.EXE w010d0fa.dll,I2 0000ae7f0010d0fa
O4 - HKLM\..\Run: [w002a7d8.dll] RUNDLL32.EXE w002a7d8.dll,I2 0000ae7f0002a7d8
O4 - HKLM\..\Run: [w006d1fc.dll] RUNDLL32.EXE w006d1fc.dll,I2 0000ae7f0006d1fc
O4 - HKLM\..\Run: [w002502d.dll] RUNDLL32.EXE w002502d.dll,I2 0000ae7f0002502d
O4 - HKLM\..\Run: [w0023576.dll] RUNDLL32.EXE w0023576.dll,I2 0000ae7f00023576
O4 - HKLM\..\Run: [w004e8a6.dll] RUNDLL32.EXE w004e8a6.dll,I2 0000ae7f0004e8a6
O4 - HKLM\..\Run: [w00244f3.dll] RUNDLL32.EXE w00244f3.dll,I2 0000ae7f000244f3
O4 - HKLM\..\Run: [w001836e.dll] RUNDLL32.EXE w001836e.dll,I2 0000ae7f0001836e
O4 - HKLM\..\Run: [w037e96e.dll] RUNDLL32.EXE w037e96e.dll,I2 0000ae7f0037e96e
O4 - HKLM\..\Run: [w00144e1.dll] RUNDLL32.EXE w00144e1.dll,I2 0000ae7f000144e1
O4 - HKLM\..\Run: [w002494b.dll] RUNDLL32.EXE w002494b.dll,I2 0000ae7f0002494b
O4 - HKLM\..\Run: [w00b7995.dll] RUNDLL32.EXE w00b7995.dll,I2 0000ae7f000b7995
O4 - HKLM\..\Run: [w003718a.dll] RUNDLL32.EXE w003718a.dll,I2 0000ae7f0003718a
O4 - HKLM\..\Run: [w002cb67.dll] RUNDLL32.EXE w002cb67.dll,I2 0000ae7f0002cb67
O4 - HKLM\..\Run: [sys09131138841] C:\WINNT\sys09131138841.exe
O4 - HKCU\..\Run: "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll (file missing)
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.23/06edaa62e650d23...tzip/RdxIE.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.
==
Double-click WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete:
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post.
==
Reboot normally and post back with the contents of WinPFind.txt log as well as a fresh HijackThis log. :bigthumb:
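The entries the helper singles out above share a few recognisable shapes: rundll32 loading a DLL with a random-looking hex name, executables dropped straight into the Windows folder with digit-heavy names, a folder name with a character the log cannot print (the "?icrosoft.NET" look-alike), an ActiveX control fetched from a bare IP address, and a text/html MIME filter DLL. The script below is an added example, not part of this thread and not a feature of HijackThis or any tool named here: it parses O4, O16 and O18 lines and flags those shapes so a reader can triage a log before deciding what to fix. The sample log is constructed from lines posted in this thread; the heuristics, thresholds, allowlist and function names are my own assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample modelled on HijackThis entries posted in this thread: a few
# benign vendor entries mixed with the kind of entries the helper asked to fix.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad9.exe
O4 - HKLM\..\Run: [sys02113884113] C:\WINNT\sys02113884113.exe
O4 - HKLM\..\Run: [w816baeb.dll] RUNDLL32.EXE w816baeb.dll,I2 0000ae7f0816baeb
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.17.23/06edaa62e650d23c7023/netzip/RdxIE.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINNT\system32\OUGHYA~1.DLL
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
"""

# O4 Run entries: "O4 - HKLM\..\Run: [value name] command line" (name is optional).
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)[^:]*: (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+)", re.I)
# Heuristic (assumption): up to two letters followed by six or more hex digits.
RANDOM_NAME_RE = re.compile(r"^[a-z]{0,2}[0-9a-f]{6,}\.dll$", re.I)
# First file path in a command line: either quoted, or a drive path up to a known extension.
PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat))', re.I)
WINROOT_RE = re.compile(r"^[A-Za-z]:\\(?:WINNT|WINDOWS)\\[^\\]+\.exe$", re.I)
WINROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}  # assumed benign residents
DPF_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \([^)]*\) - (?P<url>\S+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def first_path(cmd: str) -> Optional[str]:
    """Return the first file path in a Run command line, without quotes."""
    m = PATH_RE.search(cmd)
    if not m:
        return None
    return m.group(1) or m.group(2)


def check_run_command(cmd: str) -> List[str]:
    """Apply the O4 heuristics to one command line and return the reasons it was flagged."""
    reasons: List[str] = []
    rd = RUNDLL_RE.match(cmd)
    if rd:
        dll = rd.group("dll").replace("/", "\\").split("\\")[-1]
        if RANDOM_NAME_RE.match(dll):
            reasons.append(f"rundll32 loads a DLL with a randomized hex name ({dll})")
    path = first_path(cmd)
    if path:
        base = path.split("\\")[-1]
        if "?" in path:
            # '?' is not a legal file-name character, so the real folder name holds a
            # character the log could not display; here it imitates Microsoft.NET.
            reasons.append("path contains '?' standing in for an unprintable character (look-alike folder name)")
        if WINROOT_RE.match(path) and base.lower() not in WINROOT_ALLOW:
            reasons.append(f"executable sits directly in the Windows folder rather than system32 ({base})")
        if sum(c.isdigit() for c in base) >= 8:
            reasons.append(f"digit-heavy, machine-generated file name ({base})")
    return reasons


def check_dpf(line: str) -> List[str]:
    """Flag O16 ActiveX downloads whose source is a bare IP address."""
    m = DPF_RE.match(line)
    if not m:
        return []
    host = urlparse(m.group("url")).hostname or ""
    if IPV4_RE.match(host):
        return [f"ActiveX control downloaded from a bare IP address ({host}) instead of a vendor host name"]
    return []


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every HijackThis line that trips a heuristic."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons: List[str] = []
        m = RUN_RE.match(line)
        if m:
            reasons += check_run_command(m.group("cmd"))
        elif line.startswith("O16 - DPF:"):
            reasons += check_dpf(line)
        elif line.startswith("O18 - Filter: text/html"):
            # A text/html MIME filter is positioned to see or rewrite every page IE renders.
            reasons.append("text/html MIME filter DLL; verify the file before trusting it")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_HJT_LOG):
        print(flagged_line)
        for r in why:
            print("    ->", r)
```

Run on the constructed sample, the script flags the six suspicious lines and leaves the Synaptics, iTunes, MSN heartbeat and Norton entries alone. The heuristics are deliberately narrow so a hit is worth a second look rather than an automatic fix; the helper's judgement in the post above is still what decides what gets checked for removal.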
The thread would not let me post the two logs in one post, so here is the WinPFind.txt log, and the fresh HJT log is in the following post. Thanks!
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PECompact2 3/9/2006 4:10:36 PM 4799320 C:\WINNT\SYSTEM32\MRT.exe
aspack 3/9/2006 4:10:36 PM 4799320 C:\WINNT\SYSTEM32\MRT.exe
winsync 7/26/2000 7:00:00 AM 1309184 C:\WINNT\SYSTEM32\WBDBASE.DEU
Umonitor 1/12/2005 12:39:46 PM 531216 C:\WINNT\SYSTEM32\RASDLG.DLL
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINNT\SYSTEM32\drivers\ETC\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
4/11/2006 8:12:20 PM H 1280360 C:\WINNT\ShellIconCache
4/10/2006 7:19:12 PM H 54156 C:\WINNT\QTFont.qfn
4/11/2006 8:31:08 PM H 1024 C:\WINNT\SYSTEM32\CONFIG\SOFTWARE.LOG
4/11/2006 8:12:34 PM H 1024 C:\WINNT\SYSTEM32\CONFIG\DEFAULT.LOG
4/11/2006 8:13:32 PM H 1024 C:\WINNT\SYSTEM32\CONFIG\SECURITY.LOG
4/11/2006 8:15:42 PM H 1024 C:\WINNT\SYSTEM32\CONFIG\SAM.LOG
4/9/2006 8:54:20 PM H 10820 C:\WINNT\HELP\windows.GID
4/11/2006 8:12:28 PM H 6 C:\WINNT\TASKS\SA.DAT
4/11/2006 8:12:28 PM S 64 C:\WINNT\CSC\00000001
4/1/2006 12:13:06 PM S 64 C:\WINNT\CSC\csc1.tmp
4/9/2006 9:04:36 PM S 64 C:\WINNT\CSC\00000002
4/11/2006 7:58:14 PM H 2367240 C:\WINNT\SoftwareDistribution\Download\S-1-5-18\cc7c81035e25850c05e1edb4d9075592\BIT42.tmp
4/11/2006 7:58:00 PM H 0 C:\WINNT\SoftwareDistribution\Download\S-1-5-18\0d40b7b519a5ba97d7bcd356fed41771\BIT43.tmp
4/11/2006 7:58:00 PM H 0 C:\WINNT\SoftwareDistribution\Download\S-1-5-18\c705c2642665d9006c16093e04e37e04\BIT44.tmp
4/11/2006 7:58:00 PM H 0 C:\WINNT\SoftwareDistribution\Download\S-1-5-18\6791bd9b942520de35c2c3ea85a112c1\BIT45.tmp
4/11/2006 7:58:02 PM H 0 C:\WINNT\SoftwareDistribution\Download\S-1-5-18\e4b50686a7947a21fa85386de2c9ec15\BIT46.tmp
Checking for CPL files...
Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 31504 C:\WINNT\SYSTEM32\fax.cpl
Microsoft Corporation 5/1/2002 6:51:36 PM 75264 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 128272 C:\WINNT\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 118032 C:\WINNT\SYSTEM32\INTL.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 36112 C:\WINNT\SYSTEM32\IRPROPS.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 122128 C:\WINNT\SYSTEM32\MAIN.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 303888 C:\WINNT\SYSTEM32\MMSYS.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 17168 C:\WINNT\SYSTEM32\NCPA.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 41232 C:\WINNT\SYSTEM32\NWC.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 5904 C:\WINNT\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 7/26/2000 7:00:00 AM 61200 C:\WINNT\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 7/26/2000 7:00:00 AM 67344 C:\WINNT\SYSTEM32\ACCESS.CPL
Intel Corporation 11/20/2000 5:12:00 PM 720896 C:\WINNT\SYSTEM32\prosetp.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl
Microsoft Corporation 8/29/2002 7:14:40 AM 292352 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 1/12/2005 12:40:00 PM 64784 C:\WINNT\SYSTEM32\dllcache\msmq.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
4/2/2006 7:35:18 PM 1279 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\3Com Launcher.lnk
4/2/2006 7:35:18 PM 1478 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/2/2006 7:35:16 PM 1310 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton AntiVirus AutoProtect.lnk
4/2/2006 7:35:16 PM 1572 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Resolution Assistant.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/25/2005 1:00:48 PM 1755 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
Checking files in %USERPROFILE%\Startup folder...
Checking files in %USERPROFILE%\Application Data folder...
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\CiteLink
{80230FFC-53DD-11D2-AE5F-0000832F3A64} = C:\Program Files\West Group\CiteLink\clie\clie.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NavNT
{067DF822-EAB6-11cf-B56E-00A0244D5087} = C:\Program Files\Navnt\navshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\CiteLink
{80230FFC-53DD-11D2-AE5F-0000832F3A64} = C:\Program Files\West Group\CiteLink\clie\clie.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NavNT
{067DF822-EAB6-11cf-B56E-00A0244D5087} = C:\Program Files\Navnt\navshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINNT\system32\msdxm.ocx
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
AtiPTA Atiptaxx.exe
Promon.exe Promon.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
RxUser C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
DadApp C:\Program Files\DELL\AccessDirect\dadapp.exe
madexe C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
NPS Event Checker C:\PROGRA~1\Navnt\npscheck.exe
RoxioEngineUtility "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
projselector "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
RoxioDragToDisc "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
RoxioAudioCentral "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
New.net Startup rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
MaxGPOScriptWait 180
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\Userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 4/11/2006 8:38:15 PM
Logfile of HijackThis v1.99.1
Scan saved at 8:55:58 PM, on 4/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\STEM~1\wuauboot.exe
C:\Program Files\?icrosoft.NET\chkntfs.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\Program Files\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r1.attbi.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattleu.edu
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe
I noticed that I missed two items that should have been fixed after scanning with HijackThis:
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
Could you please advise on how to handle this. Thanks!
Hi; I need to go to school soon. I'll post back with further instructions later today. Thanks for the logs :)
Not a problem. I'll look forward to your instructions later today. Thanks again!
Hi again :)
==
Through Control Panel -> Add/Remove programs, uninstall the following entry/entries IF present:
New.Net Applications or New.Net Domains (anything that says New.Net)
If it is not there, go here and follow Procedure 4; NewDotNet Removal Procedure 4 (http://www.newdotnet.com/removal.html).
==
Next,
Please run a scan with HijackThis and check the following objects for removal if present:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv
O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe
Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.
==
Navigate to, and delete the following folder/file if present:
C:\PROGRA~1\STEM~1\wuauboot.exe
C:\Program Files\?icrosoft.NET
==
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
==
Finally:
Please go HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report. :bigthumb:
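The two HKCU Run entries singled out above ([Brct] and [Xdque]) are instructive: one hides behind an 8.3 short name (STEM~1), the other lives in a folder HijackThis can only print as "?icrosoft.NET" because the first character is not representable in the log, and its file is named after a genuine Windows utility (chkntfs.exe) while running from outside system32. The following Python triage pass is an added example, not part of this thread or of HijackThis; it parses O4 lines and flags exactly those three tells. The sample lines are adapted from the logs in this thread (the "ѕуstem" spelling with Cyrillic letters is the folder name as the Kaspersky report later rendered it); the confusable table, the trusted-folder list and the system-binary list are assumptions to extend as needed.

```python
import re

# Constructed sample: O4 lines adapted from the HijackThis logs in this thread. The
# "?icrosoft.NET" folder is shown exactly as HijackThis printed it (it substitutes "?" for a
# character it cannot render), and "\u0455\u0443stem" is the folder name exactly as the
# Kaspersky report later rendered it (Cyrillic dze and u in place of Latin s and y).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe',
    r'O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    r'O4 - HKCU\..\Run: [Brct] "C:\PROGRA~1\STEM~1\wuauboot.exe" -vt ndrv',
    r'O4 - HKCU\..\Run: [Xdque] C:\Program Files\?icrosoft.NET\chkntfs.exe',
    'O4 - HKCU\\..\\Run: [Brct] "C:\\Program Files\\\u0455\u0443stem\\wuauboot.exe" -vt ndrv',
    r'O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe',
]

# Cyrillic letters that render identically to Latin ones (a small subset of Unicode confusables).
CONFUSABLES = {
    '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c', '\u0443': 'y',
    '\u0445': 'x', '\u0455': 's', '\u0456': 'i', '\u0458': 'j', '\u0410': 'a', '\u0412': 'b',
    '\u0415': 'e', '\u041a': 'k', '\u041c': 'm', '\u041d': 'h', '\u041e': 'o', '\u0420': 'p',
    '\u0421': 'c', '\u0422': 't',
}
# Assumed lists: folder names malware likes to imitate, binaries it likes to be named after,
# where those binaries legitimately live, and short names that are normal on every machine.
TRUSTED_FOLDERS = {'microsoft', 'microsoft.net', 'system', 'system32', 'windows',
                   'program files', 'common files'}
SYSTEM_BINARIES = {'chkntfs.exe', 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'explorer.exe'}
SYSTEM_DIRS = ('c:\\winnt\\system32', 'c:\\windows\\system32', 'c:\\winnt', 'c:\\windows')
WELL_KNOWN_SHORT = {'progra~1', 'progra~2', 'common~1', 'common~2'}

O4_RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP_RE = re.compile(r'^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?\.lnk) = (?P<cmd>.*)$')
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|cmd)\b', re.IGNORECASE)


def extract_path(cmd):
    """Pull the executable path out of a Run value's command line (quoted, bare, or rundll32 argument)."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    found = PATH_RE.search(cmd)
    return found.group(0) if found else cmd.split()[0]


def fold(text):
    """Map confusable Cyrillic letters onto the Latin letters they look like, then lowercase."""
    return ''.join(CONFUSABLES.get(ch, ch) for ch in text).lower()


def lookalike_of(component):
    """Return the trusted folder name this component imitates, or None if it is the genuine name."""
    folded = fold(component)
    # HijackThis prints "?" for a character it cannot render, so treat it as a one-character wildcard.
    pattern = re.compile(''.join('.' if ch == '?' else re.escape(ch) for ch in folded))
    for trusted in TRUSTED_FOLDERS:
        if pattern.fullmatch(trusted) and component.lower() != trusted:
            return trusted
    return None


def triage_line(line):
    """Return (severity, reason) findings for one O4 line; an empty list means nothing stood out."""
    match = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
    if not match:
        return []
    path = extract_path(match.group('cmd'))
    parts = path.split('\\')
    folders, binary = parts[1:-1], parts[-1]
    findings = []
    if any(ord(ch) > 127 for ch in path) or '?' in path:
        findings.append(('high', 'path contains a non-ASCII or unrenderable character: %r' % path))
    for folder in folders:
        imitated = lookalike_of(folder)
        if imitated:
            findings.append(('high', 'folder %r imitates %r' % (folder, imitated)))
        if '~' in folder and folder.lower() not in WELL_KNOWN_SHORT:
            findings.append(('medium', 'short name %r hides the long folder name; check it with "dir /x"' % folder))
    if binary.lower() in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIRS):
        findings.append(('high', '%s is a system binary name but runs from %r' % (binary, '\\'.join(parts[:-1]))))
    return findings


def triage_o4(lines):
    """Return [(value name, path, findings)] for every O4 line that deserves a second look."""
    report = []
    for line in lines:
        findings = triage_line(line)
        if findings:
            match = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
            report.append((match.group('name'), extract_path(match.group('cmd')), findings))
    return report


if __name__ == '__main__':
    for name, path, findings in triage_o4(SAMPLE_O4_LINES):
        print('[%s] %s' % (name, path))
        for severity, reason in findings:
            print('    %-6s %s' % (severity, reason))
```

Run as-is, the script reports the three malicious lines and stays quiet on the Synaptics, Norton and MSN Messenger entries. The short-name finding is deliberately only "medium": PROGRA~1 is harmless, but a short name you do not recognise (STEM~1 here) is worth expanding with `dir /x` before deciding, because the long name can contain characters the 8.3 form does not show.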
I followed the most recent instructions. First, I wasn't able to locate "C:\PROGRA~1\STEM~1\wuauboot.exe." Second, when I was running Panda's ActiveScan, after I clicked on "My Computer" it scanned 9 files and then it just stopped. It said it was still scanning, but I restarted the ActiveScan instructions several times and it always got to the point where it said it was scanning and stopped on 9 files scanned and nothing else seemed to happen. I suppose I will try again later, unless you can offer any other suggestions. Thanks.
Lets try this instead :)
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/service?chapter=161739400)
Next Click on Launch Kaspersky Anti-Virus Web Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under Select a target to scan: Select My Computer
This program will start to scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, April 13, 2006 21:55:55
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 14/04/2006
Kaspersky Anti-Virus database records: 176699
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 54672
Number of viruses found: 7
Number of infected objects: 14
Number of suspicious objects: 2
Duration of the scan process: 3299 sec
Infected Object Name - Virus Name
C:\WINNT\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw
C:\WINNT\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78.exe Infected: Trojan.Win32.VB.tg
C:\WINNT\pf78bb.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\WINNT\pf78bb.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\windows\mousepad9.exe Infected: Trojan-Clicker.Win32.VB.mo
C:\sk02.exe/data0002 Infected: Trojan-Clicker.Win32.Small.jf
C:\sk02.exe Infected: Trojan-Clicker.Win32.Small.jf
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy23.zip/adv.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy23.zip Suspicious: Password-protected-EXE
C:\Program Files\ѕуstem\wuauboot.exe Infected: Trojan-Downloader.Win32.PurityScan.bj
C:\Veracruz.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk
C:\Veracruz.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk
C:\Veracruz.exe Infected: Trojan-Dropper.Win32.VB.kk
Scan process completed.
Ok.. Lets continue. :)
Go ahead and delete/uninstall all the programs/files we've used thus far in the cleaning process (except for HijackThis).
==
First, launch your SpyBot S&D. Go to the "Recovery" tab, and delete the entries from Recovery.
==
Next:
Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.zip).
Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select: Delete on Reboot then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINNT\pf78.exe
C:\WINNT\pf78bb.exe
C:\windows\mousepad9.exe
C:\sk02.exe
C:\Program Files\ѕуstem\wuauboot.exe
C:\Veracruz.exe
Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.
==
Post back with one more HijackThis log. :bigthumb:
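Killbox's "Delete on Reboot" and the PendingFileRenameOperations prompt it mentions are two sides of one mechanism: a delayed rename or delete is queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries the queued operations out early in the next boot, before the files are locked by a running process. The value is a flat list of strings read in pairs (source, destination); an empty destination means delete, and a destination starting with "!" means replace an existing file. That is also why the helper wants to hear about the prompt: if the value already exists, something else (an installer, or the malware itself) has operations queued. The decoder below is an added example, not code from Killbox or from this thread. It reads the value from a regedit .reg export (hex(7) with regedit's backslash line continuations) so it can be run offline against a saved export, pairs the entries, and lists anything that is not one of the deletions you queued yourself. The sample export is constructed from the six Killbox paths above plus one hypothetical installer rename.

```python
import re

# Constructed sample: the six files the Killbox step above queues for "Delete on Reboot", plus one
# hypothetical pending replacement of the kind a driver or service-pack installer leaves behind.
QUEUED_DELETES = [
    r'C:\WINNT\pf78.exe',
    r'C:\WINNT\pf78bb.exe',
    r'C:\windows\mousepad9.exe',
    r'C:\sk02.exe',
    'C:\\Program Files\\\u0455\u0443stem\\wuauboot.exe',
    r'C:\Veracruz.exe',
]
NT_PREFIX = '\\??\\'   # the NT object-manager path prefix MoveFileEx writes into the value
SAMPLE_ENTRIES = []
for path in QUEUED_DELETES:
    SAMPLE_ENTRIES += [NT_PREFIX + path, '']                            # empty destination = delete
SAMPLE_ENTRIES += [NT_PREFIX + r'C:\WINNT\system32\SET3.tmp',           # hypothetical installer rename
                   '!' + NT_PREFIX + r'C:\WINNT\system32\example.dll']  # "!" = replace the existing file


def encode_multi_sz(strings):
    """Encode a REG_MULTI_SZ as the hive stores it: UTF-16LE, a NUL after each string, one more at the end."""
    return ''.join(s + '\0' for s in strings).encode('utf-16-le') + b'\0\0'


def to_reg_export(name, data, per_line=25):
    """Render the value the way a regedit .reg export does: hex(7), comma-separated bytes, wrapped with trailing backslashes."""
    octets = ['%02x' % b for b in data]
    chunks = [octets[i:i + per_line] for i in range(0, len(octets), per_line)]
    lines = ['[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]']
    for i, chunk in enumerate(chunks):
        prefix = '"%s"=hex(7):' % name if i == 0 else '  '
        suffix = ',\\' if i < len(chunks) - 1 else ''
        lines.append(prefix + ','.join(chunk) + suffix)
    return '\n'.join(lines) + '\n'


def parse_reg_multi_sz(export_text, name='PendingFileRenameOperations'):
    """Recover the string list of a hex(7) value from a .reg export, joining regedit's continuation lines."""
    match = re.search(r'"%s"=hex\(7\):(.*)' % re.escape(name), export_text, re.DOTALL)
    if not match:
        raise ValueError('value %s not found' % name)
    joined = re.sub(r'\\\r?\n\s*', '', match.group(1)).split('\n')[0].strip()
    data = bytes(int(h, 16) for h in joined.split(',') if h.strip())
    text = data.decode('utf-16-le')
    if not text.endswith('\0\0'):
        raise ValueError('REG_MULTI_SZ is not double-NUL terminated')
    # Drop the last string's terminator and the list terminator, then split on the remaining NULs.
    return text[:-2].split('\0') if len(text) > 2 else []


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def pending_operations(strings):
    """Pair the entries as the Session Manager will at boot and name the action each pair performs."""
    if len(strings) % 2:
        raise ValueError('odd number of entries: value is malformed')
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == '':
            ops.append(('delete', strip_nt_prefix(src), None))
        elif dst.startswith('!'):
            ops.append(('replace', strip_nt_prefix(src), strip_nt_prefix(dst[1:])))
        else:
            ops.append(('move', strip_nt_prefix(src), strip_nt_prefix(dst)))
    return ops


def unexpected_operations(ops, expected_deletes):
    """Everything queued that is not one of the deletions we asked for: what Killbox's prompt is warning about."""
    expected = {p.lower() for p in expected_deletes}
    return [op for op in ops if not (op[0] == 'delete' and op[1].lower() in expected)]


SAMPLE_REG_EXPORT = to_reg_export('PendingFileRenameOperations', encode_multi_sz(SAMPLE_ENTRIES))

if __name__ == '__main__':
    print(SAMPLE_REG_EXPORT)
    ops = pending_operations(parse_reg_multi_sz(SAMPLE_REG_EXPORT))
    for action, src, dst in ops:
        print('%-8s %s%s' % (action, src, ' -> ' + dst if dst else ''))
    for op in unexpected_operations(ops, QUEUED_DELETES):
        print('NOT OURS:', op)
```

On a live machine the value can be read with `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` or exported with regedit and fed to `parse_reg_multi_sz`; the point of the pairing is that a malformed or odd-length list, or a queued replace you did not ask for, is worth understanding before you let the reboot run it.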
Here is a fresh HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 3:24:51 PM, on 4/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Navnt\navapw32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\3Com\LanSupportService.exe
C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
C:\PROGRA~1\3Com\WLANMA~1\Activate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://education.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *r1.attbi.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RxUser] C:\Program Files\Dell\Resolution Assistant\common\bin\RxUser.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seattleu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seattleu.edu
O23 - Service: AllWirelessLansService - Unknown owner - C:\Program Files\3Com\WLAN Manager\AllWirelessLansService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LanSupportService - Unknown owner - C:\Program Files\Common Files\3Com\LanSupportService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Service Request Monitor - Dell Computer Corporation - C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\system32\ZipToA.exe
How's the system running at the moment?
Everything seems to be running fine again. No more pop-ups, error msgs on reboot, etc. So unless you see anything else in the log that should be cleared up, I think we're back to normal! I can't thank you enough!
You're more than welcome :bigthumb:
==
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Here are some tips for the future to prevent spyware:
Detect and Remove Programs:
How to use Ad-Aware to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=48) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware (http://www.bleepingcomputer.com/forums/?showtutorial=43) <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
Spywareblaster (http://www.javacoolsoftware.com/spywareblaster.html) <= SpywareBlaster will prevent spyware from being installed. (My favourite)
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
Other necessary Programs:
AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG (http://www.grisoft.com/) or Anti-Vir (http://www.free-av.com/), or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall (http://www.google.com/search?hl=en&lr=&q=define%3Afirewall&btnG=Search) is definitely a must have. Two good free versions are Sygate (http://www.sygate.com/) and ZoneLabs (http://www.zonelabs.com/store/content/home.jsp).
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox (http://www.mozilla.com/). Also see TonyKlein's good advice:
So how did I get infected in the first place? (http://castlecops.com/postlite7736-.html) (My favourite)
As the problem appears to be resolved this topic will be archived. :)
If you need it re-opened please send me a pm and provide a link to the thread.
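The MVPS hosts file works because the resolver consults the hosts file before DNS, so mapping an ad host to 127.0.0.1 makes it unreachable. Malware uses the very same file in the other direction: it maps antivirus and update hosts to 127.0.0.1 so the products can no longer update, or points real sites at an address it controls. The audit below is an added example, not code from MVPS or from this thread: it parses a hosts file, treats 127.0.0.1/::1 and 0.0.0.0 as the sinkhole addresses a blocklist legitimately uses, and flags two things a blocklist should never contain, a mapping to a routable address and a sinkholed security-vendor or update host. The sample file is constructed (MVPS-style blocking lines plus three hypothetical hijack entries), and the list of protected suffixes is an assumption built from the vendors that appear in this thread.

```python
import ipaddress

# Constructed sample hosts file. The header comment and the 0.0.0.0 / 127.0.0.1 blocking lines are
# in the style of the MVPS file; the last three entries are hypothetical hijacks of the kind malware
# adds (sinkholing a vendor's update host, or pointing a site at an address the attacker controls).
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: http://winhelp2002.mvps.org/
127.0.0.1  localhost
::1        localhost
0.0.0.0  ad.doubleclick.net
0.0.0.0  media.fastclick.net       # [Fastclick]
127.0.0.1  www.newdotnet.com  newdotnet.com
127.0.0.1  liveupdate.symantec.com
127.0.0.1  www.kaspersky.com
10.1.2.3   www.pandasoftware.com
"""

# Assumed list: hosts whose sinkholing or redirection is a red flag (the vendors used in this thread
# plus Windows Update). Extend it with whatever your own environment depends on.
PROTECTED_SUFFIXES = ('symantec.com', 'kaspersky.com', 'pandasoftware.com',
                      'microsoft.com', 'windowsupdate.com', 'mvps.org')


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments, blank lines and malformed lines."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # first field is not an address, so this is not a mapping
        for host in fields[1:]:
            yield ip, host.lower()


def is_sinkhole(ip):
    """127.0.0.1, ::1 and 0.0.0.0 are the addresses a blocklist uses to make a name go nowhere."""
    return ip.is_loopback or ip.is_unspecified


def is_protected(host):
    return any(host == s or host.endswith('.' + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (severity, ip, host, reason) for every mapping; 'info' is an ordinary blocklist line."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == 'localhost':
            continue
        if not is_sinkhole(ip):
            findings.append(('high', str(ip), host,
                             'redirected to a routable address; a blocklist never does this'))
        elif is_protected(host):
            findings.append(('high', str(ip), host,
                             'security vendor or update host sinkholed; this is how malware starves AV of updates'))
        else:
            findings.append(('info', str(ip), host, 'blocked'))
    return findings


def summarize(findings):
    """Split the audit into a count of ordinary blocks and the list of entries that need a look."""
    blocked = sum(1 for f in findings if f[0] == 'info')
    flagged = [f for f in findings if f[0] == 'high']
    return blocked, flagged


if __name__ == '__main__':
    blocked, flagged = summarize(audit_hosts(SAMPLE_HOSTS))
    print('%d ordinary blocklist entries' % blocked)
    for severity, ip, host, reason in flagged:
        print('%s %-12s %-28s %s' % (severity.upper(), ip, host, reason))
```

On Windows 2000 the file is %SystemRoot%\system32\drivers\etc\hosts; read it into `audit_hosts` and a clean MVPS install produces only "info" lines, so anything rated "high" is either a deliberate local override you remember making or a hijack.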
Thank you Rawe.