
January 18th, 2007 23:00

HIJACK THIS LOG FILE - PLEASE HELP!!

Logfile of HijackThis v1.99.1
Scan saved at 8:01:36 PM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Creative\ShareDLL\Mediadet.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\windowsautomaticupdates.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_link
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_exclude
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_report
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mathxl.com
O15 - Trusted Zone: http://*.pearsoncmg.com
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://qcmail.qc.cuny.edu/iNotes6.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122787608812
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128171706203
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe (file missing)
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe

My puter has slowed down dramatically over the last month or so. AVG and Panda virus scans have gotten rid of 8 viruses successfully (or so they say). The Panda log file follows this.


January 19th, 2007 12:00

evisha

Welcome to DCF

1. Copy and paste the following into Notepad (not Wordpad):

sc stop "Netbios Helper Service"
sc delete "Netbios Helper Service"
sc stop NETDDEC
sc delete NETDDEC

Click File ->> Save as ->> type in cmd.bat
  • Under "Save as type" select "All files" ->> save it to your Desktop
  • Close Notepad
  • The cmd.bat file should now appear on your Desktop
  • Double click that file (it will appear that nothing has happened, but that's o.k.)
2. Go here and download AVG Anti-Spyware
(30 day free trial version). Save it to your Desktop.
 
Double click AVG Anti-Spyware-setup
(It will create its own folder)
Once the program starts you will be at the Status menu
  • Under "Your computer's Security"
  • Click change status on Resident shield to inactive
  • Click Update now (next to last update)
  • After the update loads
  • Under Automatic updates uncheck download and install updates automatically (recommended)
    (you can always select manual updates the next day)
At the top toolbar click Scanner, then the Settings tab
  • Under How to act? set default action for detected malware to Quarantine
  • Under How to scan all boxes should be checked
  • Under Possibly unwanted software all boxes should be checked
  • Under Reports select Automatically generate report after every scan
  • Uncheck Only if threats were found
  • Under What to scan, Scan every file should be highlighted
Exit AVG (but do not run it yet)
 
Reboot into Safe Mode
This can be done by
  • Restart your PC, and after it starts, but before you see the Windows splash screen
  • Begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
  • Use your arrow keys and select Safe Mode and then Enter
Run AVG Anti-Spyware
  • Click Scanner
  • Select Complete system scan
Once the scan finishes
  • Select Apply all actions (the items found will be quarantined)
  • Click Save report as (another window will open)
  • Save it to your desktop
    (By default it will be saved in the AVG folder as
    C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports)
Exit AVG
 
Reboot your PC in Normal Mode ->> re-run HijackThis and post a fresh HijackThis log.
  • Double click the report-scan.txt you saved to your desktop
  • It will open in Notepad
  • Copy and paste that report as a reply to this thread
Your reply should include
  • a fresh HijackThis log
  • your report_scan.txt log from AVG
    bamajim   Graduate of MRU
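The two services the reply above targets are the O23 lines whose binary HijackThis reports as "(file missing)" with "Unknown owner": a service registration whose executable is gone is either a half-removed infection or dead weight, and deleting the registration is harmless. The log also shows why that rule cannot be applied blindly: the Brother "brmfrmps" service is reported as "file missing" only because its ImagePath carries a stray quote, and the same binary appears in the running-process list. The script below is an added example for this thread, not code from the original post or from HijackThis: it parses the "Running processes:" block and the O23 lines of a HijackThis log, applies those two checks plus one extra heuristic of its own (a "Windows ..." display name with a non-Microsoft owner, which the "Windows Automatic Updates - Stanford University" entry trips; the thread does not say what that entry is, so the example flags it for review only), and emits the same `sc stop` / `sc delete` lines the reply asked for. The sample lines are copied from the first log above; the field names and flag wording are this example's own.

```python
import re
from dataclasses import dataclass, field

# Shape of an O23 line in a HijackThis 1.99 log:
#   O23 - Service: <DisplayName> [(<ServiceName>)] - <Owner> - <ImagePath> [(file missing)]
# When no "(ServiceName)" is shown, the service name equals the display name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# The executable part of an ImagePath, dropping arguments and stray quotes.
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


@dataclass
class ServiceEntry:
    display: str
    name: str
    owner: str
    path: str
    file_missing: bool
    deletable: bool = False
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Parse one O23 line; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(display=m["display"], name=m["name"] or m["display"],
                        owner=m["owner"], path=m["path"],
                        file_missing=m["missing"] is not None)


def running_binaries(log_lines):
    """Lower-cased basenames listed under 'Running processes:'."""
    names, in_block = set(), False
    for line in log_lines:
        s = line.strip()
        if s == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not s:
                break
            names.add(s.rsplit("\\", 1)[-1].lower())
    return names


def binary_name(image_path):
    m = EXE_RE.match(image_path)
    return (m.group(1) if m else image_path).rsplit("\\", 1)[-1].lower()


def triage(log_lines):
    """Return O23 entries worth attention, each with its reasons (heuristics are this example's own)."""
    running = running_binaries(log_lines)
    flagged = []
    for line in log_lines:
        e = parse_o23(line)
        if e is None:
            continue
        if e.file_missing:
            if binary_name(e.path) in running:
                # Cross-check against the process list: a malformed ImagePath
                # makes HijackThis say "file missing" for a binary that is alive.
                e.reasons.append("HJT says file missing but the binary is running "
                                 "(malformed ImagePath?): review, do not delete")
            else:
                e.reasons.append("binary missing: dead registration, safe to delete")
                e.deletable = True
        if e.owner == "Unknown owner" and e.path.lower().startswith("c:\\windows\\"):
            e.reasons.append("no version-info owner on a %SystemRoot% binary")
        if e.display.lower().startswith("windows ") and "microsoft" not in e.owner.lower():
            e.reasons.append("Windows-like name with a non-Microsoft owner: review")
        if e.reasons:
            flagged.append(e)
    return flagged


def removal_commands(entries):
    """sc.exe lines, in the shape of the batch file in the reply above, for dead registrations only."""
    cmds = []
    for e in entries:
        if e.deletable:
            cmds.append(f'sc stop "{e.name}"')
            cmds.append(f'sc delete "{e.name}"')
    return cmds


# Constructed sample: a few lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\Brmfrmps.exe",
    r"C:\WINDOWS\system32\windowsautomaticupdates.exe",
    "",
    r"O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe",
    r'O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)',
    r"O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe (file missing)",
    r"O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)",
    r"O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe",
    r"O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe",
]

if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.name}: {'; '.join(e.reasons)}")
    print("\n".join(removal_commands(flagged)))
```

Run against the sample, the only `sc delete` lines produced are for "Netbios Helper Service" and NETDDEC, matching the batch file in the reply; brmfrmps and the Stanford-owned service are listed for a human to look at, not for deletion.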
     


    January 19th, 2007 22:00

    :mozilla.36:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.40:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.254:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
    :mozilla.255:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Esomniture : No action taken.
    :mozilla.32:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
    :mozilla.33:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Falkag : No action taken.
    :mozilla.100:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.50:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.51:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.114:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.135:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.136:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.205:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.93:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.95:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.96:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.97:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Hitbox : No action taken.
    :mozilla.224:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
    :mozilla.225:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
    :mozilla.45:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
    :mozilla.46:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Linksynergy : No action taken.
    :mozilla.184:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.187:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.251:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.252:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.257:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.258:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.259:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Liveperson : No action taken.
    C:\Documents and Settings\Evelyn\Cookies\evelyn@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
    :mozilla.46:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    :mozilla.47:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    :mozilla.75:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    :mozilla.76:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    :mozilla.98:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Myaffiliateprogram : No action taken.
    C:\Documents and Settings\Evelyn\Cookies\evelyn@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
    :mozilla.182:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
    :mozilla.183:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Onestat : No action taken.
    :mozilla.35:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
    :mozilla.36:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
    :mozilla.84:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
    :mozilla.86:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Overture : No action taken.
    :mozilla.145:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.146:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.147:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.86:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.87:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.89:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.90:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Pointroll : No action taken.
    :mozilla.105:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Qksrv : No action taken.
    :mozilla.138:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Qksrv : No action taken.
    :mozilla.139:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Qksrv : No action taken.
    :mozilla.17:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.25:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.26:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.48:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
    :mozilla.137:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
    :mozilla.58:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
    :mozilla.59:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Ru4 : No action taken.
    :mozilla.42:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.43:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.44:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    :mozilla.45:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Evelyn\Cookies\evelyn@track-star[1].txt -> TrackingCookie.Track-star : No action taken.
    :mozilla.146:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
    :mozilla.197:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Valueclick : No action taken.
    :mozilla.49:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.
    :mozilla.52:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Zedo : No action taken.
    C:\Documents and Settings\Evelyn\Local Settings\Temp\{78b7ef07-a724-4bbb-bcf7-9712e15b11b3}\dcfssvc.exe -> Trojan.Prorat.ae : No action taken.
    C:\Documents and Settings\Evelyn\Local Settings\Temp\{78b7ef07-a724-4bbb-bcf7-9712e15b11b3}\{78b7ef07-a724-4bbb-bcf7-9712e15b11b3}\Instdev.exe/dcfssvc.exe -> Trojan.Prorat.ae : No action taken.


    ::Report end
    HIJACK THIS LOG FILE FOLLOWS. DARN THESE CHARACTER # LIMITATIONS!!!!
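Every line of the AVG report above ends in "No action taken", including the two Trojan.Prorat.ae files under Local Settings\Temp, so the report itself gives no evidence that the trojan was quarantined; the reply asked for "Apply all actions" before saving. The script below is an added example for this thread, not code from AVG or from either poster: it parses the report's `path -> Category.Name : Action.` lines (with the `:mozilla.N:` prefix AVG uses for entries inside a cookies.txt), counts detections per category, and lists the non-cookie detections that were left un-actioned. The sample lines are a subset copied from the report above; the category split and the "harmless" list are this example's own assumptions.

```python
import re
from collections import Counter

# One AVG Anti-Spyware 7.5 report line:
#   [:mozilla.<n>:]<path> -> <Category>.<Name> : <Action>.
REPORT_RE = re.compile(
    r"^(?::mozilla\.(?P<cookie_idx>\d+):)?(?P<path>.+?) -> "
    r"(?P<category>[A-Za-z]+)\.(?P<name>\S+) : (?P<action>.+?)\.?$"
)


def parse_report(lines):
    """Return one dict per detection line; non-matching lines (headers, '::Report end') are skipped."""
    found = []
    for line in lines:
        m = REPORT_RE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def summarize(found):
    """Detection counts per category (TrackingCookie, Trojan, ...)."""
    return Counter(d["category"] for d in found)


def unactioned_threats(found, harmless=("TrackingCookie",)):
    """Detections outside the 'harmless' categories whose action is still 'No action taken'.

    Anything returned here is, according to the report, still on disk.
    """
    return [d for d in found
            if d["category"] not in harmless and d["action"] == "No action taken"]


# Constructed sample: a subset of the lines from the report in this thread.
SAMPLE_REPORT = [
    r":mozilla.25:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.",
    r"C:\Documents and Settings\Evelyn\Cookies\evelyn@sales.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.",
    r"C:\Documents and Settings\Evelyn\Cookies\evelyn@track-star[1].txt -> TrackingCookie.Track-star : No action taken.",
    r"C:\Documents and Settings\Evelyn\Local Settings\Temp\{78b7ef07-a724-4bbb-bcf7-9712e15b11b3}\dcfssvc.exe -> Trojan.Prorat.ae : No action taken.",
    r"C:\Documents and Settings\Evelyn\Local Settings\Temp\{78b7ef07-a724-4bbb-bcf7-9712e15b11b3}\{78b7ef07-a724-4bbb-bcf7-9712e15b11b3}\Instdev.exe/dcfssvc.exe -> Trojan.Prorat.ae : No action taken.",
    "::Report end",
]

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for d in unactioned_threats(found):
        print(f"STILL PRESENT: {d['category']}.{d['name']} at {d['path']}")
```

On the sample this prints two TrackingCookie-free lines, both Trojan.Prorat.ae, which is the check to run on a report before treating a scan as finished.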


    January 19th, 2007 22:00

    NEW LOG FILE AFTER AVG SCAN. THANKS SO MUCH FOR YOUR HELP!!!! - EVELYN
    Logfile of HijackThis v1.99.1
    Scan saved at 7:01:49 PM, on 1/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\windowsautomaticupdates.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_link
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_exclude
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_report
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://*.mathxl.com
    O15 - Trusted Zone: http://*.pearsoncmg.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://qcmail.qc.cuny.edu/iNotes6.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122787608812
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128171706203
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe

    17 Posts

    January 19th, 2007 22:00

    Thanks Jim. I did all you said. The Hijack This log follows. Have to do this in two parts, but here's half of the AVG scan result. I deleted all threats that were found, as per recommendation of scan:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:48:20 PM 1/19/2007

    + Scan result:
    C:\Documents and Settings\Evelyn\Local Settings\Temp\asmfiles.cab/asm.exe -> Adware.Altnet : No action taken.
    C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : No action taken.
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C4CA5F0C-EFB9-4F0B-A907-1CDCD6\4CDBDFE0-CAEF-42E2-B75C-C57265 -> Adware.P2PNet : No action taken.
    C:\Program Files\Microsoft AntiSpyware\Quarantine\C4CA5F0C-EFB9-4F0B-A907-1CDCD6\9612210D-B883-4E2A-B494-044C75 -> Adware.P2PNet : No action taken.
    C:\temp\SearchRelevancy.exe -> Adware.Relevance : No action taken.
    C:\temp\SAHPackage.exe -> Adware.Sahat : No action taken.
    C:\temp\sahagent.exe -> Adware.Sahat : No action taken.
    C:\Documents and Settings\Evelyn\Start Menu\Programs\Startup\DLHelperEXE.exe -> Adware.Thumper : No action taken.
    C:\Documents and Settings\Evelyn\Local Settings\Temp\temp.cab/toolbar.dll -> Adware.Wintol : No action taken.
    C:\Documents and Settings\Evelyn\Local Settings\Temp\toolbar.dll -> Adware.Wintol : No action taken.
    C:\WINDOWS\system32\qos.dll -> Backdoor.Zapchast : No action taken.
    C:\Documents and Settings\Evelyn\Local Settings\Temporary Internet Files\Content.IE5\I9OJUTQ5\popcaploader1[1].cab/PopCapLoader.dll -> Not-A-Virus.Downloader.Win32.PopCap.c : No action taken.
    :mozilla.116:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.24:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.25:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.26:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.27:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.28:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.61:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.62:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.63:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.64:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.65:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.69:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.70:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.71:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.72:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.73:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.74:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.75:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.76:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.77:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.78:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.79:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.80:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.81:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.82:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    :mozilla.83:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Evelyn\Cookies\evelyn@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : No action taken.
    :mozilla.106:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
    :mozilla.107:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
    :mozilla.53:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
    :mozilla.54:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
    :mozilla.55:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Adserver : No action taken.
    :mozilla.126:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.127:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.128:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.129:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.34:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.37:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.38:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.39:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Advertising : No action taken.
    :mozilla.10:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    :mozilla.16:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    :mozilla.56:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Atdmt : No action taken.
    :mozilla.139:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Bfast : No action taken.
    :mozilla.210:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Bfast : No action taken.
    :mozilla.211:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Bfast : No action taken.
    :mozilla.243:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
    :mozilla.34:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Bluestreak : No action taken.
    :mozilla.28:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
    :mozilla.29:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
    :mozilla.30:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
    :mozilla.31:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Bridgetrack : No action taken.
    :mozilla.154:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Burstnet : No action taken.
    :mozilla.155:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Burstnet : No action taken.
    :mozilla.101:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.102:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.103:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.145:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.266:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
    :mozilla.267:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Centrport : No action taken.
    :mozilla.111:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
    :mozilla.151:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
    :mozilla.207:C:\Documents and Settings\evelyn goldschmidt\Application Data\Phoenix\Profiles\default\uflyb6vr.slt\cookies.txt -> TrackingCookie.Coremetrics : No action taken.
    :mozilla.159:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Profiles\default\qsztej1d.slt\cookies.txt -> TrackingCookie.Directnetadvertising : No action taken. MORE FOLLOWS.

    10.4K Posts

    January 19th, 2007 23:00

    evisha

    You're welcome

    Yes the character limitations here are a pain.

    I noticed in your AVG log you posted:
    • C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : No action taken.
    When it should say Quarantined.

    I need you to recheck the settings on AVG and re-run it. You don't need to repost the entire log, just one or two lines so I will know it did its job.

    The critical settings are:

    Open AVG Anti-Spyware

    At the top toolbar, click Scanner, then the Settings tab
    • Under How to act? set default action for detected malware to Quarantine

    • Run AVG Anti-Spyware
    • Click Scanner
    • Select Complete system scan

    Once the scan finishes:
    • Select Apply all actions (the items found will be quarantined)

    Then re-run Hijackthis and post a fresh Hijackthis log. And post a couple of lines from AVG so I will know the settings were corrected.
     
    bamajim   Graduate of MRU
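The "No action taken" check described in this post, as an added example that is not part of the thread or of AVG's own tooling: a small Python parser for AVG Anti-Spyware report lines (the line format is inferred from the log posted above; the sample lines are constructed and the GUID is a placeholder) that lists every finding the scan only reported, and tallies acted-on versus left-alone items per detection family.

```python
"""Parse AVG Anti-Spyware scan-report lines and flag findings the scan left alone.

Added example for this thread; it is not AVG's or the poster's code. The line
shape is inferred from the report posted above:
    <path> -> <Detection.Name> : <Action>.
    :mozilla.<n>:<cookies.txt path> -> TrackingCookie.<Vendor> : <Action>.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, shaped like the thread's lines (paths shortened, GUID is a placeholder).
SAMPLE_LOG = (
    "+ Created at: 6:48:20 PM 1/19/2007\n"
    "\n"
    "C:\\WINDOWS\\cpbrkpie.ocx -> Adware.Coupons : No action taken.\n"
    "C:\\WINDOWS\\system32\\qos.dll -> Backdoor.Zapchast : No action taken.\n"
    ":mozilla.24:C:\\Documents and Settings\\user\\Application Data\\Mozilla"
    "\\Profiles\\default\\cookies.txt -> TrackingCookie.2o7 : No action taken.\n"
    "C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP152\\A0046000.ocx"
    " -> Adware.Coupons : Cleaned with backup (quarantined).\n"
    ":mozilla.38:C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox"
    "\\Profiles\\x.default\\cookies.txt -> TrackingCookie.2o7 : Cleaned.\n"
)

# One report line: optional Mozilla cookie-index prefix, path, detection, action.
LINE_RE = re.compile(
    r"^(?::mozilla\.(?P<cookie>\d+):)?"
    r"(?P<path>.+?) -> "
    r"(?P<detection>[^:]+?) : "
    r"(?P<action>.+?)\.?$"
)

UNRESOLVED_ACTION = "no action taken"


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str          # e.g. "Adware.Coupons", "TrackingCookie.2o7"
    action: str             # e.g. "No action taken", "Cleaned with backup (quarantined)"
    cookie_index: Optional[int] = None   # set for :mozilla.N: cookie entries

    @property
    def family(self) -> str:
        """Top-level class of the detection name (Adware, Backdoor, TrackingCookie...)."""
        return self.detection.split(".", 1)[0]

    @property
    def resolved(self) -> bool:
        """True when AVG quarantined/cleaned the item rather than just reporting it."""
        return self.action.strip().lower() != UNRESOLVED_ACTION


def parse_report(text: str) -> List[Finding]:
    """Extract findings from a scan report; header and blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        cookie = m.group("cookie")
        findings.append(Finding(
            path=m.group("path"),
            detection=m.group("detection").strip(),
            action=m.group("action").strip(),
            cookie_index=int(cookie) if cookie else None,
        ))
    return findings


def unresolved(findings: List[Finding]) -> List[Finding]:
    """Findings still marked 'No action taken', i.e. the scanner's default action was wrong."""
    return [f for f in findings if not f.resolved]


def summarize(findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Per family: (acted on, left alone) counts, for a quick triage view."""
    summary: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        acted, left = summary.get(f.family, (0, 0))
        summary[f.family] = (acted + int(f.resolved), left + int(not f.resolved))
    return summary


def scan_ok(findings: List[Finding]) -> bool:
    """The check asked for in the thread: every detected item was quarantined or cleaned."""
    return bool(findings) and not unresolved(findings)


if __name__ == "__main__":
    report = parse_report(SAMPLE_LOG)
    for family, (acted, left) in sorted(summarize(report).items()):
        print(f"{family:15s} acted on: {acted}  left alone: {left}")
    for f in unresolved(report):
        print("STILL PRESENT:", f.detection, "at", f.path)
    print("scan settings OK" if scan_ok(report) else "rerun with default action = Quarantine")
```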
     

    17 Posts

    January 20th, 2007 04:00

    Hi again Jim. Interesting -- even though AVG deleted or quarantined all that stuff earlier, it found more stuff this time!! There were a few cookies and some more:

    C:\System Volume Information\_restore{641B3B08-0C9B-4431-BE06-0966FAB92D4D}\RP152\A0046000.ocx -> Adware.Coupons : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{641B3B08-0C9B-4431-BE06-0966FAB92D4D}\RP152\A0045999.exe -> Adware.Thumper : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{641B3B08-0C9B-4431-BE06-0966FAB92D4D}\RP152\A0045998.dll -> Adware.Wintol : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{641B3B08-0C9B-4431-BE06-0966FAB92D4D}\RP152\A0045997.dll -> Backdoor.Zapchast : Cleaned with backup (quarantined).
    :mozilla.38:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.11:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.12:C:\Documents and Settings\evelyn goldschmidt\Application Data\Mozilla\Firefox\Profiles\4vwzpdls.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.13:C:\Documents and Settings\evelyn goldschmidt\Application
    AND SOME MORE COOKIES.

    THE NEW HIJACK THIS FILE FOLLOWS.

    17 Posts

    January 20th, 2007 04:00

    What the heck is the macrovision flexnet service? (FNP licensing???) I can't remember seeing this before. It takes forever to load when I boot up the system. Can this be something from adobe (since I very recently loaded acrobat 8)?? Thank you again. I really appreciate the help.

    evelyn

    17 Posts

    January 20th, 2007 04:00

    Here's the newest Hijack This file:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:51:58 AM, on 1/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Creative\ShareDLL\Mediadet.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\windowsautomaticupdates.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: EZ Firewall.lnk = C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_link
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_exclude
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_report
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O15 - Trusted Zone: http://*.mathxl.com
    O15 - Trusted Zone: http://*.pearsoncmg.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://winkflash.com/photo/loaders/SAXFile.cab
    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://qcmail.qc.cuny.edu/iNotes6.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122787608812
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128171706203
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://winkflash.com/photo/loaders/ImageUploader4.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O18 - Filter: text/html - (no CLSID) - (no file)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
    O23 - Service: Windows Automatic Updates - Stanford University - C:\WINDOWS\system32\windowsautomaticupdates.exe


    and again I want to say thanks. Can't believe you're really there that fast and reliably! Evelyn

    10.4K Posts

    January 20th, 2007 23:00

    evisha

    To answer your question about "What the heck is the macrovision flexnet service? (FNP licensing???)"

    Here is a LINK.

    If you didn't install this on purpose, then you can remove it through Add/Remove Programs.

    1. Rerun the batch file on your Desktop I had you create earlier.

    2. Rerun Hijackthis (scan only) and place a check beside the following entries:
    • R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
    • O18 - Filter: text/html - (no CLSID) - (no file)

    Close all other open windows except Hijackthis and select "Fix checked".

    Close Hijackthis and reboot your PC.

    3. 1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply

    Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Your reply should include
    • a fresh Hijackthis log
      Your log from combofix
    • Note: you may have to post the results oin more than one reply

      bamajim   Graduate of MRU
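As an added illustration, not code from this thread or from HijackThis itself: a small Python triage script that parses lines in the HijackThis log format posted above and flags the same kinds of entries bamajim singles out, namely entries whose target file is gone ("(no file)" / "(file missing)") and O23 services with an unknown owner. The sample lines are constructed in the thread's format, and the flagging rules are an assumption about what deserves a second look, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v1.99.1 line format used in this thread.
# The R3 and "O18 - Filter" lines are the two entries the helper asked to "Fix checked".
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Every HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O23) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# First Windows path ending in a binary extension; stops at a closing quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|ocx|cab)\b', re.IGNORECASE)
# Markers HijackThis prints when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Entry:
    kind: str                 # section code, e.g. "O23"
    body: str                 # everything after "O23 - "
    path: Optional[str]       # extracted file path, if any
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for process lists, headers and blanks."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pm = PATH_RE.search(body)
    return Entry(m.group("kind"), body, pm.group(0) if pm else None)


def apply_rules(entry: Entry) -> Entry:
    """Assumed triage rules: dangling references and services with no vendor string."""
    if any(marker in entry.body for marker in ORPHAN_MARKERS):
        entry.flags.append("orphan")          # registry points at a file that is gone
    if entry.kind == "O23" and "Unknown owner" in entry.body:
        entry.flags.append("unknown-vendor")  # service binary carries no company info
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and attach flags to each recognised entry."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(apply_rules(entry))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]


def report(entries: List[Entry]) -> List[str]:
    """One line per flagged entry, ready to paste back into a reply."""
    return [f"{e.kind} [{', '.join(e.flags)}] {e.body}" for e in flagged(entries)]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```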
       

      17 Posts

      January 21st, 2007 01:00

      And here's the HijackThis log:
      Logfile of HijackThis v1.99.1
      Scan saved at 10:35:15 PM, on 1/20/2007
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\brsvc01a.exe
      C:\WINDOWS\System32\brss01a.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\Explorer.EXE
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\WINDOWS\system32\Brmfrmps.exe
      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
      C:\WINDOWS\System32\snmp.exe
      C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Creative\ShareDLL\CtNotify.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\WINDOWS\System32\MsPMSPSv.exe
      C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
      C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
      C:\Program Files\Creative\ShareDLL\Mediadet.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      C:\Program Files\hijackthis\HijackThis.exe

      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
      O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
      O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
      O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_frame
      O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_image
      O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_link
      O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
      O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
      O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
      O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
      O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_exclude
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
      O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=065M7X68&id=menu_ie_report
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
      O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
      O15 - Trusted Zone: http://*.mathxl.com
      O15 - Trusted Zone: http://*.pearsoncmg.com
      O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
      O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://winkflash.com/photo/loaders/SAXFile.cab
      O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/installers/TestGenXInstall.cab
      O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://qcmail.qc.cuny.edu/iNotes6.cab
      O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
      O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122787608812
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1128171706203
      O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://winkflash.com/photo/loaders/ImageUploader4.cab
      O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
      O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelgraphics.com/bin/cortvrml.cab
      O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
      O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
      O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
      O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
      O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.com/play/classic/SimCityX.cab
      O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
      O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
      O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
      O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
      O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
      O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe

      17 Posts

      January 21st, 2007 01:00

      Jim, you're taking so much time for me -- I really appreciate this.
      Here's the combofix log:
      "evelyn goldschmidt" - 07-01-20 22:07:58 Service Pack 2
      ComboFix 07-01-21 - Running from: "C:\Documents and Settings\evelyn goldschmidt\Desktop"

      (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


      C:\INSTALL.LOG
      C:\WINDOWS\hosts


      ((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))


      2007-01-20 11:04d-------- C:\Program Files\Cablenut
      2007-01-20 11:03d-------- C:\Program Files\Common Files\Agnitum Shared
      2007-01-20 11:02d-------- C:\Program Files\Agnitum
      2007-01-20 10:47d-------- C:\pc world guides
      2007-01-19 16:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
      2007-01-18 21:33d-------- C:\Program Files\Common Files\Macrovision Shared
      2007-01-18 21:20d-------- C:\WINDOWS\SxsCaPendDel
      2007-01-18 20:28d-------- C:\DOCUME~1\EVELYN~1\.housecall6.6
      2007-01-18 20:24d-------- C:\Program Files\RogueRemover
      2007-01-18 17:26d-------- C:\WINDOWS\system32\ActiveScan
      2007-01-18 06:56d-------- C:\SDFix
      2007-01-18 06:42d-------- C:\VundoFix Backups
      2007-01-17 17:55d-------- C:\DOCUME~1\EVELYN~1\Application Data\Intuit
      2007-01-17 17:53d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\Intuit
      2007-01-17 17:52d-------- C:\Program Files\Common Files\Intuit
      2007-01-17 17:51d-------- C:\Program Files\TurboTax
      2007-01-17 17:51d-------- C:\DOCUME~1\EVELYN~1\Application Data\InstallShield
      2007-01-17 15:55d-------- C:\aaaresearch
      2007-01-07 16:05d-------- C:\DOCUME~1\ALLUSE~1.WIN\Application Data\FLEXnet
      2007-01-07 12:00d-------- C:\aanonamecalling
      2007-01-06 17:23d-------- C:\americorps
      2007-01-01 17:09d-------- C:\thunderbird2
      2007-01-01 14:31d-------- C:\archives
      2007-01-01 11:22d-------- C:\aaagchs


      (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


      2007-01-20 22:03 -------- d-------- C:\Program Files\hijackthis
      2007-01-20 22:01 -------- d-------- C:\Program Files\pokerstars
      2007-01-20 22:01 -------- d-------- C:\Program Files\mozilla firefox
      2007-01-20 14:51 -------- d-------- C:\DOCUME~1\EVELYN~1\Application Data\avg7
      2007-01-20 14:22 -------- d-------- C:\Program Files\zango applications
      2007-01-20 08:30 -------- d-------- C:\Program Files\avanquest update
      2007-01-19 20:39 -------- d-------- C:\Program Files\ultimatebet
      2007-01-19 20:38 -------- d-------- C:\Program Files\viewpoint
      2007-01-19 20:34 -------- d-------- C:\Program Files\tripeaks_2.0
      2007-01-19 16:08 -------- d-------- C:\Program Files\grisoft
      2007-01-18 21:29 -------- d-------- C:\Program Files\Common Files\adobe
      2007-01-18 18:49 -------- d-------- C:\Program Files\morpheus
      2007-01-18 18:24 -------- d-------- C:\Program Files\ad muncher
      2007-01-17 18:35 -------- d-------- C:\DOCUME~1\EVELYN~1\Application Data\adobeum
      2007-01-17 17:54 -------- d--h----- C:\Program Files\installshield installation information
      2007-01-14 22:50 -------- d-------- C:\Program Files\trillian
      2007-01-10 17:00 3350 --ahs---- C:\WINDOWS\system32\kgygaavl.sys
      2007-01-08 16:44 -------- d-------- C:\Program Files\math path 2004 trl
      2007-01-07 16:06 -------- d-------- C:\DOCUME~1\EVELYN~1\Application Data\adobe
      2006-12-24 00:14 -------- d-------- C:\Program Files\gamehouse
      2006-12-10 15:11 -------- d-------- C:\Program Files\msn messenger
      2006-12-09 14:20 -------- d-------- C:\Program Files\java
      2006-12-06 06:35 -------- d-------- C:\DOCUME~1\EVELYN~1\Application Data\u3
      2006-12-03 15:57 -------- d-------- C:\DOCUME~1\EVELYN~1\Application Data\real
      2006-12-03 15:56 -------- d-------- C:\Program Files\Common Files\real
      2006-11-23 13:38 -------- d-------- C:\Program Files\dynamic gaming systems
      2006-11-22 19:53 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
      2006-11-22 19:53 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
      2006-11-22 19:53 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
      2006-11-22 19:53 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
      2006-11-22 19:53 18240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
      2006-10-30 19:21 4 --a------ C:\WINDOWS\uccspecb.sys


      (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

      *Note* empty entries & legit default entries are not shown

      [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
      "Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
      "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
      "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
      "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
      "Disc Detector"="C:\\Program Files\\Creative\\ShareDLL\\CtNotify.exe"
      "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
      "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
      "Acrobat Assistant 8.0"="\"C:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
      @=""

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
      "Installed"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
      "Installed"="1"
      "NoChange"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
      "Installed"="1"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
      "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
      "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
      "location"="Common Startup"
      "command"="C:\\PROGRA~1\\Adobe\\ACROBA~3.0\\Reader\\READER~1.EXE "
      "item"="Adobe Reader Speed Launch"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^EZ Firewall.lnk]
      "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\EZ Firewall.lnk"
      "backup"="C:\\WINDOWS\\pss\\EZ Firewall.lnkCommon Startup"
      "location"="Common Startup"
      "command"="C:\\Program Files\\CA\\eTrust EZ Armor\\eTrust EZ Firewall\\ca.exe -nopopup"
      "item"="EZ Firewall"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Status Monitor.lnk]
      "path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\Status Monitor.lnk"
      "backup"="C:\\WINDOWS\\pss\\Status Monitor.lnkCommon Startup"
      "location"="Common Startup"
      "command"="C:\\PROGRA~1\\Brother\\Brmfcmon\\BrMfcWnd.exe Brother MFC-420CN /STARTUP"
      "item"="Status Monitor"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^evelyn goldschmidt^Start Menu^Programs^Startup^Morpheus.lnk]
      "path"="C:\\Documents and Settings\\evelyn goldschmidt\\Start Menu\\Programs\\Startup\\Morpheus.lnk"
      "backup"="C:\\WINDOWS\\pss\\Morpheus.lnkStartup"
      "location"="Startup"
      "command"="C:\\PROGRA~1\\Morpheus\\Morpheus.exe -min"
      "item"="Morpheus"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"=""
      "hkey"="HKCU"
      "command"=""
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="avgas"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad Muncher]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="AdMunch"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Ad Muncher\\AdMunch.exe /bt"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="caissdt"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\CA\\eTrust Internet Security Suite\\caissdt.exe\""
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="brctrcen"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="IndexSearch"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\ScanSoft\\PaperPort\\IndexSearch.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="WkDetect"
      "hkey"="HKCU"
      "command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OutpostFeedBack]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="feedback"
      "hkey"="HKLM"
      "command"="C:\\PROGRA~1\\Agnitum\\OUTPOS~1.0\\feedback.exe /dump:os_startup"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="pptd40nt"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\ScanSoft\\PaperPort\\pptd40nt.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="printray"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\2\\printray.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="qttask"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SemanticInsight]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="SemanticInsight"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\RXToolBar\\Semantic Insight\\SemanticInsight.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="BrStDvPt"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Brother\\Brmfl04a\\BrStDvPt.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="SSBkgdupdate"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe\" -Embedding -boot"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="jusched"
      "hkey"="HKLM"
      "command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="type32"
      "hkey"="HKLM"
      "command"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="AdobeUpdateManager"
      "hkey"="HKCU"
      "command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
      "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
      "item"="UpdReg"
      "hkey"="HKLM"
      "command"="C:\\WINDOWS\\UpdReg.EXE"
      "inimapping"="0"

      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
      "iPodService"=dword:00000003
      "SQLSERVERAGENT"=dword:00000003
      "MSSQLServerADHelper"=dword:00000003
      "MSSQLSERVER"=dword:00000002
      "KodakCCS"=dword:00000003
      "wuauserv"=dword:00000002
      "wscsvc"=dword:00000002
      "SENS"=dword:00000002
      "seclogon"=dword:00000002
      "Schedule"=dword:00000002
      "VETMSGNT"=dword:00000002
      "Creative Service for CDROM Access"=dword:00000002
      "CAISafe"=dword:00000002
      "Windows Automatic Updates"=dword:00000002
      "AVG Anti-Spyware Guard"=dword:00000002
      "mnmsrvc"=dword:00000003
      "FLEXnet Licensing Service"=dword:00000003

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
      "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
      "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
      "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

      [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
      "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

      [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
      "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
      @=""

      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

      [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
      "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


      [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
      LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
      NetworkService REG_MULTI_SZ DnsCache\0\0
      rpcss REG_MULTI_SZ RpcSs\0\0
      imgsvc REG_MULTI_SZ StiSvc\0\0
      termsvcs REG_MULTI_SZ TermService\0\0
      HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
      DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
      WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


      [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{aa24a854-38ba-11d8-b4bb-806d6172696f}]
      Shell\AutoRun\command E:\AUTORUN\AUTORUN.EXE


      ~ ~ ~ ~ ~ ~ ~ ~ Hijackthis entries SET to ignore ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WIND
      O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx

      Contents of the 'Scheduled Tasks' folder
      C:\WINDOWS\tasks\SDMsgUpdate (SmartDrawTrial).job

      Completion time: 07-01-20 22:30:11

      17 Posts

      January 21st, 2007 22:00

      LOL -- I can solve the mystery on two of those files very easily!!!

      aaanonamecalling is a directory I created with lesson plans for (guess what) a no-name-calling or dissing unit for next term. (I teach special ed high school and these kids really need it!!)

      aaagchs is the directory I save all my lessons and worksheets in!

      (Obviously the "aaa" keeps them at the top of my directory list.....)

      Sorry if they made you crazy!!!

      I have no idea what the third file is though. We'll find out now.

      You are the best -- I'll do the rest of your instructions now.

      evelyn

      10.4K Posts

      January 21st, 2007 22:00

      evisha

      You're most welcome.

      We need to do 2 things at this point

      1. Rerun Hijackthis
      • At the Main window select "Open the misc tool section"
      • Then select "Open uninstall manager"
      • Then "Save list" and save it to your desktop
      Copy and paste that list as a reply to this thread

      2. You have a couple of suspicious files I want to check
      • C:\aanonamecalling
      • C:\aaagchs
      • C:\WINDOWS\uccspecb.sys

      Please upload this file to Jotti's Online Virus Scan
      • C:\aanonamecalling

      • Click "Browse" at the top of the page
        - Navigate to (locate) C:\aanonamecalling
        - Click "Open", then "Submit", and let the scan finish
        - Scroll down to the bottom of the page to find the results
        - Copy/paste the results in your next reply.
      And do the same for the other 2 files also

      Your reply should include
      • Your uninstall list from Hijackthis
      • The results of the Jotti online scans
       
      bamajim   Graduate of MRU
       

      10.4K Posts

      January 21st, 2007 23:00

      evisha

      Yes, Hijackthis is a good tool. But be careful, it's just as easy to do harm as it is good. The file you mentioned, I'd leave it.

      There were actually 3 files I needed checked, did you get the results on the third? C:\WINDOWS\uccspecb.sys

      You do have some programs that need to go though.

      1. Go to Add/Remove Programs (Click Start->>Control Panel->>Add/Remove Programs)
      And uninstall the following
      • PartyPoker
      • PokerStars
      • Secure Delivery

      Close Add/Remove Programs->>reboot your PC

      Rerun Hijackthis and post a fresh Hijackthis log and the results of the third file.
      bamajim   Graduate of MRU
       

      17 Posts

      January 21st, 2007 23:00

      Looks like this is benign. I didn't know there were this many virus scans available online!! Thanks.

      Service load:
      0% 100%
      File: uccspecb.sys
      Status:
      OK
      MD5 c2fe5cd06141998e38e77d4228d85e8a
      Packers detected:
      -
      Scanner results
      Scan taken on 22 Jan 2007 00:48:10 (GMT)
      AntiVir
      Found nothing
      ArcaVir
      Found nothing
      Avast
      Found nothing
      AVG Antivirus
      Found nothing
      BitDefender
      Found nothing
      ClamAV
      Found nothing
      Dr.Web
      Found nothing
      F-Prot Antivirus
      Found nothing
      F-Secure Anti-Virus
      Found nothing
      Fortinet
      Found nothing
      Kaspersky Anti-Virus
      Found nothing
      NOD32
      Found nothing
      Norman Virus Control
      Found nothing
      VirusBuster
      Found nothing
      VBA32
      Found nothing
      No Events found!
