
6 Posts

799

July 4th, 2006 13:00

Titan shield - need fix

Titan Shield is the home page, continued pop-ups, generally a huge nuisance!
Logfile of HijackThis v1.99.1
Scan saved at 8:52:59 AM, on 7/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\users32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\niohaole.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dad\Desktop\HJT.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - (no file)
O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
O2 - BHO: adobepnl.ADOBE_PANEL - {A40D9D65-5C09-421A-AFF8-2160D7ABD4E7} - C:\WINDOWS\system32\adobepnl.dll
O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)
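The helpers in this thread read the HijackThis log above by eye: processes running from system32 under unfamiliar names, BHO entries with no DLL on disk, Run keys pointing at executables dropped into system32, and services whose binary is missing. As an added example that is not part of the original thread or of HijackThis itself, the Python script below parses lines in that log format and flags exactly those entry types for review. The embedded sample log is constructed from a subset of the posted entries; `XP_SYSTEM32_BASELINE` and `KNOWN_SYSTEM32_AUTORUNS` are assumed, partial lists, so a flag means "look at this", not "this is malware" (a legitimate driver tray tool in system32 that is not on the allow-list would be flagged too).

```python
"""Triage helper for HijackThis 1.99.1 logs (added example; constructed data)."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Constructed sample in HijackThis 1.99.1 format: a subset of the entry types
# that appear in the log posted above, not the complete log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\users32.exe
C:\WINDOWS\system32\niohaole.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Assumed, partial baseline of Windows XP processes that normally run from system32.
# Anything else found there is flagged for review, not declared malicious.
XP_SYSTEM32_BASELINE: FrozenSet[str] = frozenset({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "dllhost.exe", "rundll32.exe", "ctfmon.exe",
})

# Assumed allow-list of third-party autoruns that legitimately live in system32
# (the graphics-driver tray tools seen in the posted log).
KNOWN_SYSTEM32_AUTORUNS: FrozenSet[str] = frozenset({"igfxtray.exe", "hkcmd.exe", "igfxpers.exe"})

ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "process", "O2", "O4" or "O23"
    reason: str
    line: str


def launch_path(target: str) -> str:
    """Return the program part of an O4 command line, without quotes or arguments."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    m = re.match(r"(?i)(.*?\.exe)(?:\s|$)", target)
    return m.group(1) if m else target.split(" ", 1)[0]


def in_system32(path: str) -> bool:
    """True when the file sits directly in a ...\\system32 directory."""
    return path.rpartition("\\")[0].lower().endswith("\\system32")


def triage(log_text: str,
           baseline: FrozenSet[str] = XP_SYSTEM32_BASELINE,
           known_autoruns: FrozenSet[str] = KNOWN_SYSTEM32_AUTORUNS) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a closer look."""
    findings: List[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if entry is None:
            # Between "Running processes:" and the first R/O entry, lines are full paths.
            if in_processes and "\\" in line:
                name = line.rpartition("\\")[2].lower()
                if in_system32(line) and name not in baseline:
                    findings.append(Finding("process", "runs from system32 but is not a known Windows XP component", line))
            continue
        in_processes = False
        kind, body = entry.group("kind"), entry.group("body")
        if kind == "O2" and body.endswith("(no file)"):
            findings.append(Finding("O2", "BHO registered but its DLL is gone (orphaned entry)", line))
        elif kind == "O4":
            run = O4_RUN_RE.match(body)
            if run is None:
                continue  # Global Startup and other O4 variants are not handled here
            exe = launch_path(run.group("target"))
            if "\\" not in exe:
                findings.append(Finding("O4", "autorun launches a bare filename, resolved through the search path", line))
            elif in_system32(exe) and exe.rpartition("\\")[2].lower() not in known_autoruns:
                findings.append(Finding("O4", "autorun target placed directly in system32", line))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append(Finding("O23", "service registered but its binary is missing", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the constructed sample it reports seven entries: the two unfamiliar system32 processes, the orphaned BHO, the three Run entries (two in system32, one bare filename) and the missing Trend Micro service binary. The `(no file)` and `(file missing)` markers are HijackThis's own wording, so those two checks are exact; the system32 heuristics depend on the baseline and allow-list you supply.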
 

10.4K Posts

July 5th, 2006 11:00

bbbrown89

Please go here

And download SmitFraudFix by S!ri

Extract all the archive content to your desktop
• Search:
  o Double-click smitfraudfix.cmd
  o Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
  o Open that file, Ctrl+A to copy, and post a copy of that log as a reply to this thread

Do Not run option 2 until instructed to do so



bamajim

Training at Malware Removal University

6 Posts

July 5th, 2006 22:00

bamajim,

Here's the report from rapport.txt

But the titanshield icon is still in the lower right

Thanks!

SmitFraudFix v2.67

Scan done at 11:20:54.20, Tue 07/04/2006
Run from C:\Documents and Settings\Dad\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\alexaie.dll Deleted
C:\WINDOWS\alxie328.dll Deleted
C:\WINDOWS\alxtb1.dll Deleted
C:\WINDOWS\about_spyware_bg.gif Deleted
C:\WINDOWS\about_spyware_bottom.gif Deleted
C:\WINDOWS\as.gif Deleted
C:\WINDOWS\as_header.gif Deleted
C:\WINDOWS\bg.gif Deleted
C:\WINDOWS\box_1.gif Deleted
C:\WINDOWS\box_2.gif Deleted
C:\WINDOWS\box_3.gif Deleted
C:\WINDOWS\BTGrab.dll Deleted
C:\WINDOWS\button_buynow.gif Deleted
C:\WINDOWS\button_freescan.gif Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\dlmax.dll Deleted
C:\WINDOWS\download_box.gif Deleted
C:\WINDOWS\features.gif Deleted
C:\WINDOWS\footer_back.gif Deleted
C:\WINDOWS\footer_back.jpg Deleted
C:\WINDOWS\header_1.gif Deleted
C:\WINDOWS\header_2.gif Deleted
C:\WINDOWS\header_3.gif Deleted
C:\WINDOWS\header_4.gif Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\main_back.gif Deleted
C:\WINDOWS\Pynix.dll Deleted
C:\WINDOWS\rf.gif Deleted
C:\WINDOWS\rf_header.gif Deleted
C:\WINDOWS\scan_btn.gif Deleted
C:\WINDOWS\security-center-bg.gif Deleted
C:\WINDOWS\security-center-logo.gif Deleted
C:\WINDOWS\security_center_caption.gif Deleted
C:\WINDOWS\sep_hor.gif Deleted
C:\WINDOWS\sep_vert.gif Deleted
C:\WINDOWS\spacer.gif Deleted
C:\WINDOWS\spacer.gif' Deleted
C:\WINDOWS\spyware-detected.gif Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\star_gray.gif Deleted
C:\WINDOWS\star_gray_small.gif Deleted
C:\WINDOWS\star_small.gif Deleted
C:\WINDOWS\ts.gif Deleted
C:\WINDOWS\ts_header.gif Deleted
C:\WINDOWS\susp.exe Deleted
C:\WINDOWS\v.gif Deleted
C:\WINDOWS\warning_icon.gif Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\win_logo.gif Deleted
C:\WINDOWS\x.gif Deleted
C:\WINDOWS\ZServ.dll Deleted
C:\WINDOWS\system32\a.exe Deleted
C:\WINDOWS\system32\adobepnl.dll Deleted
C:\WINDOWS\system32\alxres.dll Deleted
C:\WINDOWS\system32\bridge.dll Deleted
C:\WINDOWS\system32\dailytoolbar.dll Deleted
C:\WINDOWS\system32\jao.dll Deleted
C:\WINDOWS\system32\qjrkvy.exe Deleted
C:\WINDOWS\system32\questmod.dll Deleted
C:\WINDOWS\system32\runsrv32.dll Deleted
C:\WINDOWS\system32\runsrv32.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\tcpservice2.exe Deleted
C:\WINDOWS\system32\thlwin32.dll Deleted
C:\WINDOWS\system32\txfdb32.dll Deleted
C:\WINDOWS\system32\udpmod.dll Deleted
C:\WINDOWS\system32\users32.exe Deleted
C:\WINDOWS\system32\winflash.dll Deleted
C:\WINDOWS\system32\wstart.dll Deleted
C:\WINDOWS\system32\zlbw.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
 
Registry Cleaning done.
 
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

 


20.5K Posts

July 5th, 2006 23:00

According to bamajim's instructions, "Do Not run option 2 until instructed to do so", you should have run only Option 1. It appears that you have run Option 2 instead.

In that case, we'll try to clean things up a different way.

Please print these instructions so you can refer to them easily. That way you can follow them exactly.

Download ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

  1. Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  2. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. Right click on ewido in the system tray and uncheck "Start with Windows".
  3. Go to Start > Run and type: services.msc
  4. Press "OK".
  5. In Services, click the "Extended" tab and scroll down the list to find ewido anti-spyware 4.0 guard.
  6. When you find the guard service, double-click on it.
  7. In the Properties Window > General Tab that opens, click the "Stop" button.
  8. From the drop-down menu next to "Startup Type", click on "Manual".
  9. Now click "Apply", then "OK" and close the Services window.
  10. Once the setup is complete you will need to run ewido and update the definition files.
  11. On the main screen select the icon "Update". Then select the "Update now" link.
    • Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.
    • If you are having problems with the updater, manually update with the Ewido Full database installer from here.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    • Close Ewido anti-spyware. Do Not run a scan just yet.

  1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
  2. IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  3. Launch ewido anti-spyware by double-clicking the icon on your desktop.
  4. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
  5. ewido will now begin the scanning process; be patient, this may take a little time.
  6. Once the scan is complete do the following:
  7. If you have any infections you will be prompted, then select "Apply all actions".
  8. Next select the "Reports" icon at the top.
  9. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  10. Close ewido and reboot your system back into Normal Mode.

Download roguescanfix_setup.

Double-click roguescanfix_setup to install it.

After the installation, you will be prompted if you would like to run roguescanfix now. Click "YES" to start the tool.

When you start roguescanfix.bat you'll see a menu:
  1. Run Roguescanfix
  2. Run sharedtasksrem

Choose option 1 by typing "1".

Note: This tool needs an internet connection because it downloads an additional file to let the tool work properly.
If your firewall gives an alert, allow it instead of blocking it.
In case you still get the message BFU.exe is not present, download BFU.zip from here:
http://www.merijn.org/files/bfu.zip.
Unzip it and place BFU.exe in the c:\program files\roguescanfix folder. Then double-click Roguescanfix.bat again.

The tool will uninstall some programs and delete related files and registry keys.
When some files won't get deleted, it will ask you to reboot your system to delete the files after reboot.
Please make sure the uninstall of the programs is finished before you click Yes to reboot.

A text file will open. Place the contents of that file in your next reply, along with a new HijackThis logfile.
(The text file can also be found at c:\program files\roguescanfix\task.txt)

Also please post the results of the ewido report scan.

Let us know how things are running at that point. Thanks. :)

6 Posts

July 6th, 2006 10:00

The instructions that I printed out for smitfraud said to select #2 - Clean - in safe mode (???). Either way, the problem appears to be solved... no pop-ups, no home page hijack, etc., although the titanshield icon is still there. Is it necessary to run ewido at this point?

Thanks!!


20.5K Posts

July 6th, 2006 15:00

If you still have the Titan Shield icon and you cannot remove it, part of the infection remains.

6 Posts

July 9th, 2006 12:00

Ewido report:

ewido anti-spyware - Scan Report
---------------------------------------------------------

 + Created at: 11:04:22 AM 7/8/2006

 + Scan result:


      C:\WINDOWS\Downloaded Program Files\vzbb.dll -> Adware.MegaSearch : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\niohaole.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\pahfupfo.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\abonylex.exe -> Downloader.VB.afr : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\iukarxjs.exe -> Downloader.VB.afr : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\jlpuxvdg.pgn -> Hijacker.Small.js : Cleaned with backup (quarantined).
      C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\ipod.raw.exe -> Proxy.Lager.aq : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@mrsupergames.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@com[2].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@twci.coremetrics[1].txt -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@e-2dj6wfkikhd5ocp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@ehg-pokemonusa.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@ehg-warnerbrothers.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@ehg-clearchannel.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@ehg-hollywoodmedia.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@ehg-upperdeck.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@phg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@counter2.hitslink[2].txt -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Local Settings\Temp\Cookies\hayden@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@data4.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@--.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@--.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
      C:\Documents and Settings\Dad\Cookies\dad@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hayden\Cookies\hayden@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
      C:\Documents and Settings\Hogan\Cookies\hogan@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@c1.zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
      C:\Documents and Settings\Mom\Cookies\mom@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
      C:\WINDOWS\system32\phqghume.exe -> Trojan.Small : Cleaned with backup (quarantined).


      ::Report end

      I tried to send with the actual ewido report but the forum administrator would not allow it to be sent and gave this message:

      "The message body contains the following prohibited content: '  '  You must remove this content before submitting your post"  (in red).  I found 2 entries with (initials for Bull Stuff) and replaced each with "--"

      The Titan Shield icon is still in the lower right and a balloon to the icon will occasionally appear with something about "Trend Micro PC-cillin Internet Security may be out of date".  This program came with the software page from Dell and is on my desktop but I have never activated it.

      Thanks!! 

      4 Apprentice


      20.5K Posts

      July 9th, 2006 15:00

      As requested above, please post your report from RoguescanFix.
      Are you sure that is the TitanShield icon and not that of PC-cillin?

      Message Edited by Bugbatter on 07-09-2006 11:22 AM

      6 Posts

      July 9th, 2006 17:00

      Apologies, thought I had included the roguescanfix report - see below.
      The icon looks the same as the icon from Titan Shield... right-clicking on the icon shows the same choices as Titan Shield: "Open Security Center" and "Go to Microsoft Security Website".  I have not clicked on the balloon as directed in the PC-cillin balloon nor have I selected the choices offered when right-clicked.
       
      Export SharedTaskScheduler key
      ------------------------------
      REGEDIT4
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
      "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
      "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

       

      4 Apprentice


      20.5K Posts

      July 9th, 2006 19:00

      Titan Shield disguised itself as the Windows Security Center.
      http://www.bleepingcomputer.com/forums/topic55288.html

      According to your reports, Titan Shield is gone. Perhaps the icon that you are seeing is the legitimate one for the Windows Security Center. The Security Center lets you check the status of your security settings, and is alerting you that PC-cillin has expired.

      http://www.microsoft.com/windowsxp/using/security/internet/sp2_wscintro.mspx


      Let's run Disk Cleanup in each user's profile:
      Click "Start > Programs > Accessories > System Tools > Disk Cleanup"
      Please make sure the following are checked:
      -- Downloaded Program Files
      -- Temporary Internet Files
      -- Recycle Bin
      -- Temporary Files
      Click "OK" and Disk Cleanup will delete those files for you.

      Please post a fresh HijackThis log. Thanks. :)

      6 Posts

      July 10th, 2006 17:00

      Disk cleanup completed for all users, HJT report below:

      Logfile of HijackThis v1.99.1
      Scan saved at 1:35:17 PM, on 7/10/2006
      Platform: Windows XP SP2 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\LEXBCES.EXE
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\LEXPPS.EXE
      C:\WINDOWS\ehome\ehtray.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
      C:\WINDOWS\system32\Rundll32.exe
      C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
      C:\Program Files\Real\RealPlayer\RealPlay.exe
      C:\WINDOWS\system32\dla\tfswctrl.exe
      C:\DOCUME~1\Dad\LOCALS~1\Temp\clclean.0001
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
      C:\WINDOWS\system32\CTsvcCDA.EXE
      C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
      C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
      C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
      C:\WINDOWS\eHome\ehRecvr.exe
      C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
      C:\WINDOWS\eHome\ehSched.exe
      C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
      C:\WINDOWS\system32\dllhost.exe
      C:\WINDOWS\system32\wscntfy.exe
      C:\WINDOWS\eHome\ehmsas.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\ewido anti-spyware 4.0\ewido.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\igfxsrvc.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\explorer.exe
      C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      C:\WINDOWS\system32\winlogon.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Documents and Settings\Dad\Desktop\HJT.exe

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wfaa.com/
      R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
      O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
      O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
      O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
      O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
      O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
      O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
      O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
      O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
      O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
      O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
      O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
      O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
      O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
      O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
      O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
      O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
      O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
      O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
      O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk DWF Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
      O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
      O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
      O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
      O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
      O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
      O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
      O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
      O23 - Service: Trend Micro Personal Firewall (TmPfw) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe (file missing)
      O23 - Service: Trend Micro Proxy Service (tmproxy) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe (file missing)

       

      4 Apprentice


      20.5K Posts

      July 11th, 2006 01:00

      Your log appears to be clean, except that I cannot find info on this file: clclean.0001
      If you do not know what it is, end process on it in Task Manager (ctrl+Alt+Delete) and delete it.

      Your Java needs to be updated.
      Please follow these steps to remove older version Java components:

      1. Close any open programs you may have running, especially your web browser
      2. Click Start > Control Panel
      * Depending on your OS or configuration, you may have to click Start > Settings > Control Panel
      3. Open Add or Remove Programs
      * If you have Windows 98 or Windows 2000, open Add/Remove Programs
      4. Click once on any item listing Java Runtime Environment in the name
      * Not every version of Java will begin with "Java" so be sure to read each entry in the list
      5. Click the Remove or Change/Remove button
      6. Follow steps 4 and 5 as many times as necessary to remove all versions of Java. ** If at any time during the uninstallations, you are asked to reboot, do so. Then return to Add/Remove and continue removing any other versions of Java until all components of Java have been removed.
      7. Delete the Java folder in Program Files.
      8. Proceed with reinstalling Java. You will need to use Internet Explorer for this.
      Go to Sun Java and click the link to download the Windows (Offline Installation) package: Save it, do not run it.

      When the download is complete, close the browser and install it.

      Reboot.

      Please move your HijackThis and the Backups folder that it has created on your Desktop to one folder:
      Rightclick on an empty space on your desktop and choose New > Folder
      Name it HijackThis (HJT, or whatever)
      Rightclick HijackThis.exe, choose Cut.
      Doubleclick (to open) the folder you created.
      Rightclick inside and choose Paste.

      If you have another user account on that computer, please post a HijackThis log from that user. Thanks.

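The kind of first-pass review the helper does by hand on the July 10th log (spotting clclean.0001 in a Temp directory, checking the start/search pages, noting "(file missing)" and "Unknown owner" entries) can be scripted. The block below is an added example for this thread; it is not code from the forum, from HijackThis or from any of the tools named above. It parses a few constructed lines in HijackThis v1.99.1 format, modelled on the shape of the posted log, and flags the entries a reviewer would look at first. The trusted-host list, the temp-directory markers and the flagging rules are my own assumptions, not HijackThis behaviour, and a flagged entry means "look at this", not "this is malware".

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a few lines in HijackThis v1.99.1 format, modelled on the
# log posted in this thread. It is not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Dad\LOCALS~1\Temp\clclean.0001
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wfaa.com/
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - C:\WINDOWS\DOWNLO~1\vzbb.dll (file missing)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Program launched by an O4 Run entry: the text after "[name]", quoted or not,
# up to the first executable-looking extension (arguments are dropped).
O4_TARGET_RE = re.compile(r'\]\s*"?(?P<path>.+?\.(?:exe|dll|com|scr|cpl))\b', re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".cpl")
# Assumed markers for "lives in a temp or per-user profile directory".
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(kind, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return processes, entries


def in_temp_dir(path):
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def triage(text, trusted_hosts=()):
    """Return the log entries a reviewer should look at first."""
    processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        # clclean.0001 trips both checks: Temp directory and no .exe extension
        if in_temp_dir(proc) or not proc.lower().endswith(EXEC_EXT):
            findings.append(Finding(proc, "process in a temp/profile directory or without an executable extension"))
    for kind, body in entries:
        line = f"{kind} - {body}"
        if kind in ("R0", "R1"):
            # home/search page hijacks show up here; compare the host to an allowlist
            host = urlparse(body.rsplit("= ", 1)[-1]).hostname or ""
            if host not in trusted_hosts:
                findings.append(Finding(line, f"browser start/search page points at untrusted host {host}"))
        elif kind == "O4":
            m = O4_TARGET_RE.search(body)
            if m and in_temp_dir(m.group("path")):
                findings.append(Finding(line, "autorun target lives in a temp/profile directory"))
        elif kind == "O23" and "- Unknown owner -" in body:
            findings.append(Finding(line, "service without a recognised publisher"))
        if body.endswith("(file missing)"):
            findings.append(Finding(line, "orphaned entry: referenced file is missing"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, trusted_hosts=("www.wfaa.com",)):
        print(f"{f.reason}\n    {f.line}")
```

On the sample above this reports the Temp-directory process, the MyWay search bar (wfaa.com is on the trusted list), the two orphaned "(file missing)" entries and the Trend Micro service with no publisher; the two O4 entries pass because their targets sit under Program Files. Orphaned entries are leftovers rather than active threats, which matches the helper's reading of the posted log.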