# Solved: viruses please help



## chulksmack (Apr 21, 2006)

ive got a few files i that i cant get rid of or move it says it failed to do both can you please help?

Spyware.Webhancer.Y
Spyware.Webhancer.AE
Adware.Webhancer.BI
Adware.Webhancer.BI two of these.
Adware.Webhancer.Y


----------



## Cheeseball81 (Mar 3, 2004)

What location were they found in


----------



## chulksmack (Apr 21, 2006)

c:\documents and settings\us\local settings\temporary internet files\content.ie5\14yufeoq\whcc-trafe7[1].exe=>(RAR Sfx o)=>webhdll.dll

that one is the .BI one

c:\documents and settings\us\local settings\temporary internet files\content.ie5\14yufeoq\whcc-trafe7[1].exe=>(RAR Sfx o)=>whInstaller.exe

thats the second .BI one

c:\documents and settings\us\local settings\temporary internet files\content.ie5\14yufeoq\whcc-trafe7[1].exe=>(RAR Sfx o)=>whAgent.exe

thats the .AE one

c:\documents and settings\us\local settings\temporary internet files\content.ie5\14yufeoq\whcc-trafe7[1].exe=>(RAR Sfx o)=>readme.txt

thats .Y

c:\documents and settings\us\local settings\temporary internet files\content.ie5\14yufeoq\whcc-trafe7[1].exe=>(RAR Sfx o)=>whiehlpr.dll

thats the other .Y


----------



## chulksmack (Apr 21, 2006)

here is my HJT log if it helps if there is anything else wrong with it please let me know

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:10 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcclan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Tooltipizer - {C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A} - C:\WINDOWS\system32\adssitesuggest.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WindowsLivePhone] "C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" /AutoRun
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jacob\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8489 bytes


----------



## Cheeseball81 (Mar 3, 2004)

* *Click here* to download *ATF Cleaner* by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.

Under *Main* choose: *Select All*

Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*

Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.



*If you use Opera:*
Click *Opera* at the top and choose: *Select All*

Click the *Empty Selected* button.

*

[*]NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.



Click *Exit* on the Main menu to close the program.


Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report.


----------



## chulksmack (Apr 21, 2006)

ok so i did the atf one and everything emptied on that except the all user temp the program went not responding. the active scan downloaded all the files and got to where i had to click my computer and it said error on page and wouldnt let me. not sure what to do now?


----------



## Cheeseball81 (Mar 3, 2004)

Download the Trial version of *Superantispyware Pro (SAS)*: 
http://www.superantispyware.com/superantispyware.html?rid=3132

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
· Click close and close again to exit the program.
· Please paste that information here for me with a new Hijack This log.


----------



## chulksmack (Apr 21, 2006)

here is the superantispyware log

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/08/2007 at 02:15 PM

Application Version : 3.9.1008

Core Rules Database Version : 3358
Trace Rules Database Version: 1357

Scan type : Complete Scan
Total Scan Time : 02:44:53

Memory items scanned : 611
Memory threats detected : 0
Registry items scanned : 5774
Registry threats detected : 10
File items scanned : 158978
File threats detected : 60

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}\InprocServer32
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}\InprocServer32#ThreadingModel
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}\ProgID
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}\Programmable
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}\TypeLib
HKCR\CLSID\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\ADSSITESUGGEST.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C004D9F0-A742-4DC7-AFD0-BC29CE3FE04A}

Adware.Tracking Cookie
C:\Documents and Settings\Us\Cookies\[email protected][2].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected]o[1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][2].txt
C:\Documents and Settings\Us\Cookies\[email protected][2].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][2].txt
C:\Documents and Settings\Us\Cookies\[email protected][2].txt
C:\Documents and Settings\Us\Cookies\[email protected][2].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Us\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][2].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][2].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][2].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][2].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][2].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][2].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Jacob\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][3].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][1].txt
C:\Documents and Settings\Kirsti\Cookies\[email protected][2].txt

Adware.AdRotator/AdsSite
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6A7C4F5A-CA02-4770-AA29-E3FD6D3A656C}\RP192\A0050621.DLL

Adware.AdRotator/RightOnz
C:\WINDOWS\SYSTEM32\RIGHTONADZ-UNINST.EXE

here is my new hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:16 PM, on 12/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.arcclan.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [WindowsLivePhone] "C:\PROGRA~1\MSNMES~1\DEVICE~1\msgrdvmn.exe" /AutoRun
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jacob\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O10 - Unknown file in Winsock LSP: xfire_lsp_10908.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8535 bytes


----------



## Cheeseball81 (Mar 3, 2004)

Are you still having problems/detections


----------



## chulksmack (Apr 21, 2006)

yes it is still being detected


----------



## Cheeseball81 (Mar 3, 2004)

In the content.ie5 folder?


----------



## chulksmack (Apr 21, 2006)

yes same place as posted above still


----------



## Cheeseball81 (Mar 3, 2004)

Run the *ATF Cleaner* in *Safe Mode*.

Quit Internet Explorer and quit any instances of Windows Explorer. 
Click Start, click Control Panel, and then double-click Internet Options. 
On the General tab, click Delete Files under Temporary Internet Files. 
In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK. 
Click OK.


----------



## chulksmack (Apr 21, 2006)

Thank you very much... everything apears to be gone.  Nice work Ma'am..


----------



## Cheeseball81 (Mar 3, 2004)

My pleasure 

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer.

Turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

You can mark your thread "Solved" from the *Thread Tools* drop down menu.


----------

