Is my pc still infected ? I posted hijackthis log , thx (RESOLVED)

#1 (permalink)
28-07-2006, 04:08 AM
jdc

Hi everyone!
I have been experiencing problems for about a month now. It first started when my antivirus program detected 4 viruses that had infected my computer, but the virus program just alerted me about the viruses, but did not delete them. My computer then started to run very slow and when I would click on a website from my favorites list, I would get directed to a totally different website.
I then got rid of my current virus program and purchased Norton Antivirus, but it slowed my pc down way too much. I then purchased Webroot SpySweeper, downloaded AVG, SPYBOT, AD-AWARE, and they all seemed to catch and fix some viruses, and now when I scan with all these programs nothing is found. Right now when I click on a website I am not redirected to another website anymore, but my pc is still running very slow and now a lot of About Blank pop-ups happen.
One more thing! Maybe it is just me, but when I go to the msconfig option and look up the startup menu, which lists all the programs that run during startup, it seems to me that there are a couple of programs that were not there before? (maybe)
Any help would be great!! Thanks


Logfile of HijackThis v1.99.1
Scan saved at 10:32:36 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
R3 - URLSearchHook: (no name) - {21105363-8432-5A0A-C31A-850B68649564} - StartCpl.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [___] ATLIEHELPER.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DTOURS] Dest068.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Trayz] NopeZ.exe
O4 - HKCU\..\Run: [KeywordFinder] defect08.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121023781766
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3894C5B6-B45D-41CC-B27E-AE567F85D0D8}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
#2 (permalink)
28-07-2006, 12:49 PM
VopThis

Please disable the ‘active protection’ components of the following application(s), as it/they may hinder the removal of some entries. Otherwise, certain cleaning attempts may be wrongly recognized and blocked as hijacking attempts or other potentially inappropriate behavior. You can re-enable such tools after your computer is clean.


Disable SpySweeper
  1. Open it, Click Options over on the left, then Program options
  2. Uncheck load at windows startup.
  3. Over to the left, Click shields and Uncheck all there.
  4. Uncheck home page shield.
  5. Uncheck automatically restore default without notification.
  6. Exit Spysweeper.



You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, make sure ’Run fixit’ is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).

Last edited by VopThis; 28-07-2006 at 12:56 PM.
#3 (permalink)
29-07-2006, 01:44 AM
jdc

Thank you VOP THIS for such a quick response!! It is much appreciated!!
I followed your instructions as you requested, but there is one thing I am not sure if I did properly.
In the Spysweeper options you asked me to uncheck the option that said "automatically restore default without notification". The only option that I could find that came close to that phrase was under hijack shield settings, three items: Home Page Shields, Search Page Shields, Advance Settings. Each of these items had an option box that was not checked and that said "Alert me before storing defaults". I am not sure if this is the same thing as the option that you mentioned, "Uncheck Automatically restore default without notification", but I took a chance and check-marked all three items. I hope I was right!!?? Thanks again!!!


Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
#4 (permalink)
29-07-2006, 01:47 AM
jdc

Sorry! Here is my new Hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 742 PM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/c.../www.yahoo.com
R3 - URLSearchHook: (no name) - {21105363-8432-5A0A-C31A-850B68649564} - StartCpl.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [___] ATLIEHELPER.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DTOURS] Dest068.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Trayz] NopeZ.exe
O4 - HKCU\..\Run: [KeywordFinder] defect08.exe
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121023781766
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3894C5B6-B45D-41CC-B27E-AE567F85D0D8}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
#5 (permalink)
29-07-2006, 05:20 AM
VopThis

Sorry for the confusion on SpySweeper (SS) - there has been a recent version and interface change. Just make sure that SS does not load at startup for now (seems to be the present case) or if running, that none of the active shields are enabled.


You have one additional housekeeping issue - two (2) real-time antivirus tools running at the same time. They will likely conflict with each other and create problems on your PC. If you want to keep the 'eTrust Internet Security Suite' then you should uninstall or disable AVG.




Read over the following directions. Ask if anything appears unclear to you.


Download Clean.bat to your desktop: for later use to clean out your TEMPORARY and PREFETCH files.
http://www.thatcomputerguy.us/downloads/clean.bat



We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.red.clientapps.yahoo.com/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {21105363-8432-5A0A-C31A-850B68649564} - StartCpl.dll (file missing)

O4 - HKLM\..\Run: [___] ATLIEHELPER.exe
O4 - HKLM\..\Run: [DTOURS] Dest068.exe
O4 - HKCU\..\Run: [TRAYZ] NopeZ.exe
O4 - HKCU\..\Run: [KEYWORDFINDER] defect08.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{3894C5B6-B45D-41CC-B27E-AE567F85D0D8}: NameServer = 85.255.116.66,85.255.112.61
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.



HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Delete TEMPORARY FILES: Now, hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
  • Temporary Internet Files
  • Downloaded Program Files
  • Recycle Bin
  • Temporary Files
Click OK or Enter

For additional, more thorough cleaning and for multi-profile user configurations:
(*) Run Clean.bat to clean up your TEMPorary files.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.




Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


DELETE FILES:

ATLIEHELPER.exe
Dest068.exe
NopeZ.exe
defect08.exe





POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
#6 (permalink)
29-07-2006, 03:56 PM
jdc

Hi VopThis
I think I did everything as instructed, but I have a couple of questions.
I downloaded Clean.bat to my desktop, but I do not know where to go from there. I click run and this is what I get. I clicked yes and then no and nothing happens.



C:\Documents and Settings\Administrator\Desktop>del c:\*.tmp
Could Not Find c:\*.tmp

C:\Documents and Settings\Administrator\Desktop>del C:\DOCUME~1\ADMINI~1\LOCALS~
1\Temp\*.tmp /f
Could Not Find C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\*.tmp

C:\Documents and Settings\Administrator\Desktop>del C:\WINDOWS\prefetch\*.*
C:\WINDOWS\prefetch\*.*, Are you sure (Y/N)?

I also clicked start and searched for the files Altiehelper.exe, Dest068.exe, NopeZ.exe, defect08.exe, and the search did not find any of these files.
I also went to the Recycle Bin to just see if anything was in there and it was empty. I went to the Bin options and there was an option that was turned on that said something like "automatically remove file, instead of storing it in bin". Should that option be turned on?

Thanks again! Here is my latest hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 10:26:00 AM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121023781766
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
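The comparison the helper makes between the fix list in post #5 and the follow-up log in post #6, as an added Python example (not part of the thread; the function names are my own, and the log excerpts are copied from the posts above). Entries are matched by section code and registry key or value name rather than by whole line, because the fix list differs from the logs in letter case ([TRAYZ] vs [Trayz]) and in how the forum truncated the URLs.

```python
import re

# A HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [x] y.exe".
ENTRY_RE = re.compile(r"^\s*([A-Za-z]\d{1,2})\s+-\s+(.*\S)\s*$")
RUN_RE = re.compile(r"^(.*?):\s*\[(.*?)\]")   # "<hive>\..\Run: [value name] command"
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Excerpt of the items selected for fixing in post #5 (copied from the thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/.../search/ie.html
R3 - URLSearchHook: (no name) - {21105363-8432-5A0A-C31A-850B68649564} - StartCpl.dll (file missing)
O4 - HKLM\..\Run: [DTOURS] Dest068.exe
O4 - HKCU\..\Run: [TRAYZ] NopeZ.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
"""

# Excerpt of the log in post #4, taken before the fix (copied from the thread).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ca.red.clientapps.yahoo.com/c...search/ie.html
R3 - URLSearchHook: (no name) - {21105363-8432-5A0A-C31A-850B68649564} - StartCpl.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [DTOURS] Dest068.exe
O4 - HKCU\..\Run: [Trayz] NopeZ.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.66 85.255.112.61
"""

# Excerpt of the log in post #6, taken after the fix and reboot (copied from the thread).
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""


def entry_key(line):
    """Return (code, identity) for a log entry, or None for any other line."""
    m = ENTRY_RE.match(line)
    if m is None:
        return None
    code, body = m.group(1).upper(), m.group(2)
    if code in ("R0", "R1", "O17"):
        # Identity is the registry key and value name; the data after " = " is ignored.
        target = body.split(" = ", 1)[0]
    elif code == "O4":
        # Identity is the Run key plus the value name in brackets.
        run = RUN_RE.match(body)
        target = f"{run.group(1)}[{run.group(2)}]" if run else body
    else:
        target = body
    return code, re.sub(r"\s+", " ", target).lower()


def parse_log(text):
    """Map each entry identity to its original line."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries[key] = line.strip()
    return entries


def verify_fix(fix_list, log):
    """Return (still_present, gone): fix-list lines found / not found in the log."""
    present = parse_log(log)
    still, gone = [], []
    for key, line in parse_log(fix_list).items():
        (still if key in present else gone).append(line)
    return still, gone


def dns_overrides(log):
    """Return the sorted name-server addresses set by O17 entries in the log."""
    ips = set()
    for line in log.splitlines():
        key = entry_key(line)
        if key is not None and key[0] == "O17":
            ips.update(IPV4_RE.findall(line.split(" = ", 1)[-1]))
    return sorted(ips)


if __name__ == "__main__":
    for label, log in (("before", LOG_BEFORE), ("after", LOG_AFTER)):
        still, gone = verify_fix(FIX_LIST, log)
        print(f"{label}: {len(still)} still present, {len(gone)} gone, "
              f"O17 name servers: {dns_overrides(log) or 'none'}")
```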
#7 (permalink)
29-07-2006, 04:05 PM
jdc

Hi again !
I forgot to mention that I am not running two antivirus programs at the same time. Actually I first removed ETRUST Internet Security Suite, and then installed AVG. For some reason after I deleted ETRUST SECURITY, the etrust icon is still in the system tray, and I can not remove the icon, and when I click on it, nothing happens.

Last edited by jdc; 29-07-2006 at 04:07 PM.
  #8 (permalink)  
Old 29-07-2006, 04:33 PM
VopThis
Senior Member (Canada)
 
Join Date: Nov 2005
Posts: 3,439
Re: Is my pc still infected ? I posted hijackthis log , thx

Your HijackThis LOG now appears to be clean.


Quote:
I downloaded Clean.bat to my desktop , but I do not know where to go from there
Simply answer YES to any offer to remove any files located, if found.


A better cleanup tool alternative would be:
Quote:
Clean out TEMPORARY FILES:
To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner http://www.ccleaner.com/downloadbuilds.asp

Install Options:
  • Don't install any Toolbars, or other programs, should it ask you!
  • Just uncheck the option of installing the Yahoo toolbar.

It will put a shortcut on your Desktop.

Select the ‘Cleaner’ BUTTON option (top LEFT), if not already selected. Use the ‘Windows’ TAB up front by default.
  • Uncheck ‘Cookies’ option (advisable)
  • Optionally, Uncheck ‘Recently Typed URLs’ option (potentially still useful)
  • Click the ‘Analyse’ button.
  • Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.



Quote:
For some reason after I deleted ETRUST SECURITY, the etrust icon is still in the system tray, and I can not remove the icon, and when I click on it, nothing happens.
There is one remaining HJT entry left in your LOG which should be removable:

O4 - HKLM\..\Run: [CAISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"

Also check if the C:\Program Files\CA\eTrust Internet Security Suite is still present - consider manual deletion of any remnants, where needed.




How is your PC now behaving?


Let's try one more scan for good measure:


Download and install Ewido anti-spyware 4.0 (uninstall any previous version first).
  • Click the Download BUTTON. On the next page click the Download now BUTTON.
  • Save and then install (Run) from the save location.
  • Open/Run ewido anti-spyware
  • Wait a few moments and Ewido should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:

    Quote:
  • Click on the Update now LINK at the top of the window
    • Click on the Start update button
    • Wait for the update to download and install
  • This is very important to get the LATEST updates
  • Click on the Status ICON
    • Under "Your computers Security"
      Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
  • Click on the Scanner ICON at the top of the window
  • Click on the Settings tab then select Recommended Actions and choose Quarantine
  • When updating has finished. Close Ewido.



We will be using this tool in a later step.




Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

  • Click on the default Status ICON and select the Scan now LINK.

    OR

  • Click on the Scanner ICON . Select the Scan TAB.

    • Select Complete System Scan. Ewido will now begin to scan your system.

  • If Ewido finds anything it will list them in the Preview WINDOW:
    • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
    • Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).

  • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
  • Copy and paste the EWIDO scan results into your next post.
  • Close Ewido and REBOOT.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).
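The check described in the reply above (a leftover O4 Run entry after an uninstall, plus entries whose file is gone), as an added example that is not part of the original posts: a small Python parser for the HijackThis v1.99.1 log layout seen in this thread. The function names and the `removed_dirs` parameter are assumptions of this example; the sample lines are excerpted from the thread's logs.

```python
import re

# Sample input: a few lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll (file missing)
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [POINTER] point32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Body of a registry autostart entry: hive, key, value name, command line
RUN_RE = re.compile(r"^(HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")


def parse_log(text):
    """Return (running_processes, entries); entries are (code, body) tuples."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:
            in_procs = False          # blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def split_command(cmd):
    """Split a Run value into (executable path, arguments)."""
    m = re.match(r'"([^"]+)"\s*(.*)$', cmd)
    if m:
        return m.group(1), m.group(2)
    head, _, tail = cmd.partition(" ")
    return head, tail


def find_leftovers(text, removed_dirs):
    """Flag entries HijackThis marks '(file missing)' and O4 autostarts that
    point into the install folder of a product the user has uninstalled."""
    processes, entries = parse_log(text)
    running = {p.lower() for p in processes}
    removed = [d.lower().rstrip("\\") + "\\" for d in removed_dirs]
    findings = []
    for code, body in entries:
        if body.endswith("(file missing)"):
            findings.append({"code": code, "reason": "target file missing",
                             "entry": body})
            continue
        m = RUN_RE.match(body) if code == "O4" else None
        if not m:
            continue
        path, _args = split_command(m.group(4))
        if any(path.lower().startswith(d) for d in removed):
            findings.append({"code": code,
                             "reason": "autostart for removed product",
                             "hive": m.group(1), "key": m.group(2),
                             "value": m.group(3), "path": path,
                             "still_running": path.lower() in running})
    return findings


if __name__ == "__main__":
    suite = r"C:\Program Files\CA\eTrust Internet Security Suite"
    for finding in find_leftovers(SAMPLE_LOG, [suite]):
        print(finding)
```

A finding with `still_running` set means the executable is still on disk and loaded, so the uninstall left files behind as well as the Run value.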
  #9 (permalink)  
Old 29-07-2006, 04:38 PM
VopThis
Senior Member (Canada)
 
Join Date: Nov 2005
Posts: 3,439
Re: Is my pc still infected ? I posted hijackthis log , thx

Quote:
I went to the Bin options and there was an option that was turned on that said something like "automatically remove file, instead of storing it in bin". Should that option be turned on?
NO - that defeats the purpose of a recycle bin. You may need that Recycle Bin someday - because mistakes do get made.
  #10 (permalink)  
Old 29-07-2006, 06:57 PM
jdc jdc is offline
Newbie
D-A-L Newbie
 
Join Date: Jul 2006
Posts: 9
jdc Is a beginner here at D-A-L
Re: Is my pc still infected ? I posted hijackthis log , thx

Thanks again !
I downloaded ccleaner and it came up with a lot of things I was not sure of, so I was going to find out from you first if it was ok to clean them . Here is what it found.

ANALYSIS COMPLETE - (17.452 secs)
------------------------------------------------------------------------------------------
13.6MB to be removed. (Approximate size)
------------------------------------------------------------------------------------------

Details of files to be deleted (Note: No files have been deleted yet)
------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------

I also ran EWIDO and another hijackthis log, here are their results

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:29:16 PM 7/29/2006

+ Scan result:



C:\Documents and Settings\Administrator\Cookies\administrator@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@amazonsearsca.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 1:43:01 PM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1121023781766
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...00/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe