
Pop Ups are Killing me.



jesusnut2
2006-04-26, 20:59
Need a little help please. This is my first time here. Having multiple popup ads every 20 to 30 seconds. Have run SpyBot in Safe Mode with no help. Have run a HJT log. Please advise.
Ken

jesusnut2
2006-04-26, 21:29
Operating System Windows 2000
IE version 6.028

Logfile of HijackThis v1.99.1
Scan saved at 12:08:23 PM, on 4/26/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\RUNDLL32.EXE
c:\winnt\system32\dwdsregt.exe
C:\Program Files\Symantec AntiVirus\VPC32.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\henpo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ryttyhv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [{C1-13-30-00-ZN}] c:\winnt\system32\dwdsregt.exe GID002
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\qtwloc.exe reg_run
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\pmdsregs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnqag.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - https://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4744/mcfscan.cab
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\gp8ml3l11.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2006-04-27, 00:16
Hello and welcome to the forum. You have a good mess here, several nasty infections including Look2me and Qoologic plus a bunch of other junk. If you still need help, I will require you to follow the directions carefully and exactly if you want to be successful. We will start with the Look2me infection:

First do this: HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

Thanks to Atribune and any others who helped with this fix

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.


If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Post the C:\Look2Me-Destroyer.txt and a new HiJackThis log.
along with any comments you think will help; we will have more to do.

Thanks...pskelley
Safer Networking Forums

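The reply above reads the HJT log by hand: the chained executables on the F2 Shell and UserInit values, the Run-key entries with odd value names pointing at unknown files in system32, the unnamed O9 browser button and the O20 Winlogon Notify DLL are the lines that gave the Look2Me and Qoologic infections away. As an added example (not part of this thread and not the HijackThis author's code), the following Python script applies those same checks to a handful of lines copied from the first log. The KNOWN_GOOD allowlist and the KNOWN_NOTIFY_DLLS set are assumptions an analyst would maintain for the machine at hand, not lists taken from the page; the sample lines are a constructed subset of the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\henpo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ryttyhv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{C1-13-30-00-ZN}] c:\winnt\system32\dwdsregt.exe GID002
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\qtwloc.exe reg_run
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnqag.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O20 - Winlogon Notify: Controls Folder - C:\WINNT\system32\gp8ml3l11.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# Assumption: autostart executables the analyst has already vetted on this machine.
KNOWN_GOOD = {"ccapp.exe", "vptray.exe", "smtray.exe", "directcd.exe",
              "nwiz.exe", "mobsync.exe", "pctptt.exe", "rundll32.exe"}
# Assumption: a partial list of Winlogon Notify DLLs that ship with Windows 2000.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}

O4_RUN_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>.*?)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str   # HJT section the line came from
    target: str    # file name the finding is about
    reason: str


def _basename(path):
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def _exe_from_command(cmd):
    """First token of a Run-key command, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return one Finding per HJT line that needs a human look, in log order."""
    findings = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if line.startswith("F2 - REG:system.ini: Shell="):
            # The only legitimate value is Explorer.exe; anything chained after a comma runs as a second shell.
            shells = [s.strip() for s in line.split("Shell=", 1)[1].split(",")]
            if _basename(shells[0]) != "explorer.exe":
                findings.append(Finding("F2", _basename(shells[0]), "shell is not Explorer.exe"))
            for extra in shells[1:]:
                findings.append(Finding("F2", _basename(extra), "extra executable chained to the Shell value"))
        elif line.startswith("F2 - REG:system.ini: UserInit="):
            # userinit.exe is expected first; every further entry runs at every logon.
            progs = [p for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            for extra in progs[1:]:
                findings.append(Finding("F2", _basename(extra), "extra program chained to UserInit"))
        elif line.startswith("O4 - "):
            m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
            if not m:
                continue
            name, exe = m.group("name"), _basename(_exe_from_command(m.group("cmd")))
            reasons = []
            if exe not in KNOWN_GOOD:
                reasons.append("autostart target not on the vetted allowlist")
            if name.lower().endswith((".dll", ".exe")) or (name.startswith("{") and name.endswith("}")):
                reasons.append("value name mimics a system file or looks machine-generated")
            if reasons:
                findings.append(Finding("O4", exe, "; ".join(reasons)))
        elif line.startswith("O9 - ") and "(no name)" in line:
            findings.append(Finding("O9", _basename(line.rsplit(" - ", 1)[1]), "browser button with no display name"))
        elif line.startswith("O20 - Winlogon Notify:"):
            dll = _basename(line.rsplit(" - ", 1)[1])
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("O20", dll, "Winlogon Notify package not in the known set"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.target:<16}{f.reason}")
```

Run against the sample it reports the seven files the helper singled out and stays quiet on the Symantec, NVIDIA and Radio toolbar lines. The allowlist approach is deliberately conservative: an unknown name is a prompt to look the file up (the online scanners suggested later in the thread), not a verdict.
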
jesusnut2
2006-04-27, 12:43
I will try this as soon as I get to work. The problem is with my office computer. By the way, someone claiming to be Jared emailed me, asking me to locate a file on my computer and email it back to him. Sounds like a scam to me. Is that normal?
J

pskelley
2006-04-27, 13:28
Jared...sounds fishy to me. Anyone needing a file would have worked through me. We would not use email. See if there is any way we can identify this individual: email address, anything else. Send it in a private message to me and I will have it investigated.

Thanks...Phil

http://forums.spybot.info/private.php?do=newpm&u=233

jesusnut2
2006-04-27, 15:20
HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 8:11:49 AM, on 4/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\pmdsregs.exe
C:\WINNT\system32\rwinnqag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\henpo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ryttyhv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [{C1-13-30-00-ZN}] C:\WINNT\system32\pmdsregs.exe GID002
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\qtwloc.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinnqag.exe GID002
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\pmdsregs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnqag.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - https://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4744/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2006-04-27, 15:44
Hello and thanks for the new HJT log. Looks like the Destroyer was successful but I also need to see the:

Post the C:\Look2Me-Destroyer.txt and a new HiJackThis log.
along with any comments you think will help; we will have more to do.
Please post that as soon as you can. This next phase is to remove the Qoologic trojan. You need to read and follow the directions; it will fail otherwise.

Download Brute Force Uninstaller to your C:\
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat (right-click on this link and choose Save As)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Double-click qooFix.bat. Close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
The tool will ask to restart your PC.
After the PC has restarted please post another HijackThis log. We will have more to do.

Thanks...Phil

jesusnut2
2006-04-27, 15:59
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 4/27/2006 7:54:04 AM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 8:56:19 AM, on 4/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\pmdsregs.exe
C:\WINNT\system32\rwinnqag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINNT\system32\henpo.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,ryttyhv.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [{C1-13-30-00-ZN}] C:\WINNT\system32\pmdsregs.exe GID002
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\qtwloc.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinnqag.exe GID002
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\pmdsregs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnqag.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINNT\system32\dmonwv.dll
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - https://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4744/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2006-04-27, 16:04
Thanks

jesusnut2
2006-04-27, 18:09
Having trouble placing qooFix.bat in the C:\BFU folder because it is an executable file. Guess I need to back up and regroup?
Thanks
Ken

pskelley
2006-04-27, 18:18
Detailed instructions by miekiemoes

OK, let me explain every step again in detail: how to unzip properly and move that qoofix.bat into that folder.

* Right-click on the next link and choose Save As: Brute Force Uninstaller
A new window will open.
You'll see below in the filename-path: bfu.zip
Now edit that filename path to: C:\bfu.zip
Then click save.
Close the windows now.
Then click My computer.
Then click C:\
You should find bfu.zip there.
Now right-click bfu.zip
Select 'extract all'
A wizard will open.
Click next.
You'll see it will say in the filepath C:\bfu
Click next and click finish.
If you now look on your C:\, you'll find C:\bfu.zip and C:\bfu
Now right-click on this link: qoofix.bat
Choose Save As.
In the filepath, you'll see qoofix.bat
Now change that to C:\bfu\qoofix.bat and choose save.
This will place the qoofix.bat in the C:\bfu folder.
Then go to the BFU folder and doubleclick qoofix.bat.
This should start the fix.
It will also ask to reboot. After the reboot, post a new HijackThis log in your next reply.

jesusnut2
2006-04-27, 19:36
Here are the results of the HJT log after running qoofix.bat. I might also note that my monitor started flickering after running it:

Logfile of HijackThis v1.99.1
Scan saved at 12:13:43 PM, on 4/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Smtray.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\system32\pmdsregs.exe
C:\WINNT\system32\rwinnqag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [{C1-13-30-00-ZN}] C:\WINNT\system32\pmdsregs.exe GID002
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\rwinnqag.exe GID002
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\pmdsregs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnqag.exe
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - https://www.sentryspecialtyagents.com/agents/16161/applets/SiebelOptionPack.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4744/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

pskelley
2006-04-27, 21:28
OK Ken, looks like you removed the trojan Qoologic. Just a bit more to do; please follow the directions in the posted order. Because you had some really nasty junk, I wish to clean well.

Second request:
1) First do this: HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

2) These two items do not identify, and as such, if Google does not know them, they are probably trojans and more than likely bad. If you wish to have a look before we remove them, use the tools below and share the information with me.
C:\WINNT\system32\pmdsregs.exe
C:\WINNT\system32\rwinnqag.exe and the free online scanners:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

3) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite.
Launch ewido; there should be an icon on your desktop, double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [{C1-13-30-00-ZN}] C:\WINNT\system32\pmdsregs.exe GID002
O4 - HKLM\..\Run: C:\WINNT\system32\rwinnqag.exe GID002
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\pmdsregs.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\rwinnqag.exe
O16 - DPF: {8E4D45F6-244E-499A-9E93-1E7510A975FB} (Siebel Option Pack for IE 7.5.3) - https://www.sentryspecialtyagents.co...OptionPack.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...44/mcfscan.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Enable hidden files & folders for your operating system...reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

(these may be C:\Windows\System32\ ?)

C:\WINNT\system32\pmdsregs.exe >>> file

C:\WINNT\system32\rwinnqag.exe >>> file

6) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and your comments. We should be close to finishing if all goes well.

Thanks...Phil

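Step 3 above warns that ewido may flag legitimate files and tells the user to pick "none" for anything they are unsure of, which means the saved report, not the on-screen result, is what tells you what is still on the machine. As an added example (not part of this thread and not ewido's own code), the Python script below reads the report layout ewido produces (the form seen in the report the user posts later in this thread), tallies detections by action and by family, and lists the files left in place, since an entry marked "Ignored" is still on disk and is exactly what should go to the online scanners in step 2. The sample lines are constructed to match that layout; the "[pid]" and ":mozilla.N:" prefix handling is based on the shapes visible in the posted report.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ewido report posted later in this thread.
SAMPLE_REPORT = r"""
C:\visfx500.exe -> Dropper.Agent.aie : Ignored
C:\WINNT\ts.exe -> Downloader.TSUpdate.o : Ignored
[1360] C:\WINNT\system32\rwinnqag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\rwinnqag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\pmdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
"""

# "[pid] path" marks a detection inside a running process; ":mozilla.N:path" marks one
# record inside a Firefox cookies.txt rather than a file of its own.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\] )?(?::mozilla\.(?P<record>\d+):)?"
    r"(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+)$"
)


def parse_report(text):
    """Turn each detection line into a dict; header and blank lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "path": m.group("path"),
            "family": m.group("family"),
            "category": m.group("family").split(".", 1)[0],   # Adware, TrackingCookie, ...
            "action": m.group("action"),
            "in_memory": m.group("pid") is not None,
            "cookie_record": m.group("record") is not None,
        })
    return entries


def summarize(entries):
    """Counts per action and per category, plus the files the user chose to leave in place."""
    by_action = Counter(e["action"] for e in entries)
    by_category = Counter(e["category"] for e in entries)
    # The same file can appear twice (once in memory, once on disk), so dedupe by path.
    unresolved = sorted({e["path"] for e in entries if e["action"] == "Ignored"})
    return by_action, by_category, unresolved


if __name__ == "__main__":
    actions, categories, left = summarize(parse_report(SAMPLE_REPORT))
    print("by action:  ", dict(actions))
    print("by category:", dict(categories))
    print("still present, submit to the online scanners:")
    for path in left:
        print("  ", path)
```

Tracking cookies dominate these reports by count, so the per-category tally keeps the few real executables from drowning in cookie noise; the "still present" list is the short follow-up list for the next reply.
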
jesusnut2
2006-04-28, 00:49
The Ewido scan:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:30:23 PM, 4/27/2006
+ Report-Checksum: DBCA441E

+ Scan result:

C:\visfx500.exe -> Dropper.Agent.aie : Ignored
C:\WINNT\ts.exe -> Downloader.TSUpdate.o : Ignored
C:\WINNT\ieunst.exe -> Adware.IEPlug : Ignored
[1360] C:\WINNT\system32\rwinnqag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\WINNT\system32\rwinnqag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\system32\pmdsregs.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\zigi.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINNT\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[3].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[4].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@e-2dj6wfkowgdjolo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@web-stat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.specificclick[3].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned with backup
:mozilla.262:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.275:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.276:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.279:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.284:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
:mozilla.292:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.293:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup
:mozilla.294:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.295:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.317:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.318:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.326:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.335:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.336:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.337:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.358:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.372:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.373:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.374:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.375:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.382:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.383:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.384:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.385:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.386:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.387:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.388:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup

jesusnut2
2006-04-28, 00:49
:mozilla.389:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup
:mozilla.390:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.391:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.403:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup
:mozilla.422:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.489:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.490:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.491:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.492:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.493:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.494:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.495:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.496:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.498:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.499:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.500:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.501:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.502:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.503:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.504:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.505:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.509:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.510:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.511:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.512:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup
:mozilla.513:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.523:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.524:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.525:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.526:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.527:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.528:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.529:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.530:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.531:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.532:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.533:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.534:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.535:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.536:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned with backup
:mozilla.556:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup


::Report End

HJT Report next

jesusnut2
2006-04-28, 00:50
Logfile of HijackThis v1.99.1
Scan saved at 5:34:59 PM, on 4/27/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4744/mcfscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: W2K PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks,
Ken

pskelley
2006-04-28, 01:33
Hello Ken, let's start with the ewido scan. You started by ignoring three items, and they must go. You can run ewido again until they are deleted and stop the scan, or you can remove them manually. You may have to do that in safe mode. Here are the items:

C:\visfx500.exe -> Dropper.Agent.aie : Ignored
C:\WINNT\ts.exe -> Downloader.TSUpdate.o : Ignored
C:\WINNT\ieunst.exe -> Adware.IEPlug : Ignored
Delete the files highlighted in red.

You are also allowing a load of junk and spyware cookies on your computer. If you wish to control this, the information in these links will show you how:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html

Your HJT log is clean of malware, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...Phil:)

tashi will be along to close you shortly

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
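As an added example (not from this thread, from ewido, or from the forum helpers), a small Python parser for the report format posted above: it reads "path -> Classification : Action" lines, including the ":mozilla.N:" cookies.txt entries, and separates what ewido cleaned from what was left at "Ignored", which is the check Phil is describing. The sample lines are constructed from the format shown in this thread.

```python
import re
from collections import Counter

# Constructed sample in the ewido report format seen in this thread.
SAMPLE_REPORT = "\n".join([
    r"C:\visfx500.exe -> Dropper.Agent.aie : Ignored",
    r"C:\WINNT\ts.exe -> Downloader.TSUpdate.o : Ignored",
    r"C:\WINNT\ieunst.exe -> Adware.IEPlug : Ignored",
    r"C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt"
    r" -> TrackingCookie.Tacoda : Cleaned with backup",
    r":mozilla.388:C:\Documents and Settings\Administrator\Application Data"
    r"\Mozilla\Firefox\Profiles\1ryfed6e.default\cookies.txt"
    r" -> TrackingCookie.Trafficmp : Cleaned with backup",
    "::Report End",
])

# One result line. The optional ":mozilla.N:" prefix marks an entry inside a
# Firefox cookies.txt (line N of that file) rather than a file of its own.
LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<idx>\d+):)?(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+?)\s*$"
)


def parse_report(text):
    """Parse ewido result lines into dicts; skips blanks and '::' markers."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):
            continue  # "::Report End" and similar markers carry no finding
        m = LINE_RE.match(line)
        if not m:
            continue  # header or other non-result text
        family = m.group("family")
        entries.append({
            "path": m.group("path"),
            "family": family,
            "action": m.group("action"),
            "cookie_index": int(m.group("idx")) if m.group("idx") else None,
            # Tracking cookies are a privacy issue; files are the real threats.
            "is_cookie": family.startswith("TrackingCookie."),
        })
    return entries


def outstanding_threats(entries):
    """Paths ewido detected but did not remove (action 'Ignored'), cookies excluded.

    These are the items that still need deleting, possibly from safe mode."""
    return [e["path"] for e in entries
            if e["action"] == "Ignored" and not e["is_cookie"]]


def action_summary(entries):
    """How many entries ended in each action (Ignored, Cleaned with backup, ...)."""
    return Counter(e["action"] for e in entries)


def cookie_families(entries):
    """Distinct tracking-cookie networks seen, useful for cookie-blocking rules."""
    return sorted({e["family"] for e in entries if e["is_cookie"]})


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("actions:", dict(action_summary(found)))
    print("cookie networks:", cookie_families(found))
    for path in outstanding_threats(found):
        print("still on disk, must be removed:", path)
```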

jesusnut2
2006-04-28, 02:09
You have been a great help. Thanks for all the advice. :bigthumb: Let me know who your Boss is...........I'll hit him up for you to get a BIG RAISE!!!
:bighug:

tashi
2006-04-30, 10:17
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.

Glad we could help. :greeting: