# Newbie in Hell: Mouse Hijacked



## AbsentMindedProf (Aug 11, 2006)

My pc's mouse is being hijacked and I don't know what to do. I've run my pc's anti-spyware and anti-virus software and found my pc is infected with javabyteverify!exploit. I don't know if this is what is taking over control of the cursor, so that it moves erratically around the edges of the monitor, opening and closing windows and apps at what seems like random. I am able to regain temporary control of the cursor in three ways:

1. Unplugging the mouse for over 10 or 20 seconds.
2. Putting my pc into standby mode and then restarting it.
3. Shutting my pc down and restarting it.

I have contacted HP/Compaq's online chat and followed their suggestions to clear my pc's temp folder, caches, and disable third party browsers to no avail.

I've run HijackThis, and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:53 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Yahoo!\YOP\yop.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\caaviftest.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294b4aeb0d9ebec78d18/netzip/RdxIE601.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37960.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/TrueInstallVerizonYahoo.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe

I am at my wits' end. Any help you can give me in knowing how to correct this and get my pc back will be greatly appreciated!

Sincerely,
Eric M


----------



## khazars (Feb 15, 2004)

hi, welcome to TSG.

you don't appear to have a firewall, even if you have a router you still need a software firewall, download the one from the link below!

Filseclab Personal Firewall Professional Edition

http://www.filseclab.com/eng/download/downloads.htm

http://www.download.com/Filseclab-Pe...8.html?tag=dir

use this site to configure filseclab, see page 7 and post 165 of that thread!

http://www.wilderssecurity.com/showthread.php?t=92710

Use this site's shields up to test filseclab and see if it is stealthing, some rules may have to be changed to " out " to pass the tests!

http://grc.com/

Download ewido!

http://www.ewido.net/en/

* Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
* Once the setup is complete you will need run Ewido and update the definition files.
* On the main screen select the icon "Update" then select the "Update now" link.
* Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
* Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
* Once in the Settings screen click on "Recommended actions" and then select "Delete"
* Under "Reports"
* Select "Automatically generate report after every scan"
* Un-Select "Only if threats were found"

Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.

* Click here to download ATF Cleaner by Atribune and save it to your desktop.

http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  * If you use Firefox:
    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  * If you use Opera:
    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    * NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

* Click here for info on how to boot to safe mode if you don't already know how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

have hijack this fix these entries. close all browsers and programmes before clicking FIX.

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/294b4aeb...p/RdxIE601.cab
O16 - DPF: {6EE39BFC-2FB6-4B69-9D05-CFC10E4F5B3E} (MavenBootInstallerAXControl Class) - http://client.maven.net/client/mavenBootInstaller.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37960.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyah...rizonYahoo.exe

Run Ewido!

1. IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process.
2. Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
4. Ewido will now begin the scanning process. Be patient, this may take a little time.

Once the scan is complete do the following:

1. If you have any infections you will be prompted, then select "Apply all actions".
2. Next select the "Reports" icon at the top.
3. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
4. Close Ewido and reboot your system back into Normal Mode.

reboot to normal mode and run a few online scans!

Make sure your ActiveX controls are set as follows:

Go to Internet Options - Security - Internet, press 'default level', then OK.
Now press "Custom Level."

In the ActiveX section, set the first two options ('Download signed and unsigned ActiveX controls') to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe' to 'disable'.

Active X settings

http://www.compu-docs.com/activex.htm

Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm

When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

post another hijack this log, the ewido and active scan logs
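The ActiveX settings step above can be checked from a registry export rather than by clicking through the dialog. The script below is an added example (not code from the thread or from any tool it names): it parses a .reg export of the Internet zone key and reports which of the three ActiveX policies differ from the levels recommended above. The value ids are Microsoft's documented ones for that key; the .reg texts are constructed sample input.

```python
"""Check an exported Internet-zone registry key against the ActiveX advice.

Value ids and data for the Internet Settings zone keys are the documented
ones: 1001 = Download signed ActiveX controls, 1004 = Download unsigned
ActiveX controls, 1201 = Initialize and script ActiveX controls not marked
as safe; data 0 = Enable, 1 = Prompt, 3 = Disable. Zone 3 is the Internet zone.
"""
import re

ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
LEVEL = {0: "Enable", 1: "Prompt", 3: "Disable"}
# Levels recommended in the post: signed/unsigned download = Prompt,
# initialise-and-script controls not marked as safe = Disable.
WANTED = {"1001": 1, "1004": 1, "1201": 3}
NAMES = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
# A .reg dword line looks like: "1001"=dword:00000001
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg(text):
    """{key path: {value name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = DWORD_RE.match(line)
            if m:
                keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def weak_activex_settings(reg_text):
    """Findings for Internet-zone ActiveX values that differ from WANTED.
    A value that is not set explicitly is reported too, because then the
    zone's slider level decides and the export alone cannot confirm it."""
    zone = parse_reg(reg_text).get(ZONE3, {})
    findings = []
    for vid, wanted in WANTED.items():
        actual = zone.get(vid)
        if actual is None:
            findings.append(f"{vid} {NAMES[vid]}: not set explicitly")
        elif actual != wanted:
            findings.append(f"{vid} {NAMES[vid]}: {LEVEL.get(actual, actual)}, expected {LEVEL[wanted]}")
    return findings


# Constructed exports: the first allows every ActiveX download and scripts
# unsafe controls after a prompt; the second is the advised configuration.
WEAK_REG = f"""Windows Registry Editor Version 5.00

[{ZONE3}]
"1001"=dword:00000000
"1004"=dword:00000000
"1201"=dword:00000001
"""
HARDENED_REG = f"""Windows Registry Editor Version 5.00

[{ZONE3}]
"1001"=dword:00000001
"1004"=dword:00000001
"1201"=dword:00000003
"""

if __name__ == "__main__":
    for label, reg in (("weak", WEAK_REG), ("hardened", HARDENED_REG)):
        print(label, weak_activex_settings(reg) or ["all three settings as advised"])
```

To use it on a real machine, export the zone key with regedit (File > Export) and pass the file's text to weak_activex_settings; the zone 0-4 keys under HKLM are checked the same way by changing ZONE3.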


----------



## khazars (Feb 15, 2004)

Do you have Sun's java, or Microsoft's java VM?
* Go to Control Panel > Java. On the General tab under "Temporary Internet Files" click the "Delete Files" button to clear the Java cache. Or open Java and click clear cache for older versions of Java! If you have Microsoft's uninstall it and download Sun's java.

http://www.helpwithwindows.com/WindowsXP/howto-21.html

http://java.com/en/download/help/cache_virus.jsp

this is the download page for Sun's Java

http://java.com/en/download/manual.jsp


----------



## AbsentMindedProf (Aug 11, 2006)

Thank-you for the help. I've dled the firewall and will complete all the other steps Monday. I have to get away from my pc for the weekend so I can destress before taking on this task. Have a great weekend! I'll post a new hijack this once I complete all the steps Monday.

Eric M


----------



## khazars (Feb 15, 2004)

ok!


----------



## AbsentMindedProf (Aug 11, 2006)

Hello again. Sorry it has taken me so long to post again. I've spent the last week grappling with whatever garbageware is hijacking my puter. I have done as much of what has been recommended as I can on my own. The activescan report of the items I don't know how to remove, or whether to remove, is as follows:

| Incident | Status | Location |
| --- | --- | --- |
| Potentially unwanted tool:application/funweb | Not disinfected | c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf |
| Potentially unwanted tool:application/mywebsearch | Not disinfected | hkey_current_user\software\MyWebSearch |
| Potentially unwanted tool:application/altnet | Not disinfected | hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM |
| Potentially unwanted tool:application/need2find | Not disinfected | HKEY_CLASSES_ROOT\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3} |
| Potentially unwanted tool:application/zango | Not disinfected | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287} |
| Possible Virus. | Not disinfected | C:\Documents and Settings\AbsentMindedProf\Desktop\atf-cleaner.exe |
| Possible Virus. | Not disinfected | C:\Documents and Settings\AbsentMindedProf\Local Settings\Temporary Internet Files\Content.IE5\E5IVEPMX\atf-cleaner[1].exe |

Needless to say, my cursor is still being hijacked. Another bit of information that I hope may help diagnose my problem: whatever the garbageware is that is causing my problems, it seems to have deinstalled the software for my printer, an HP deskjet3600 model, and removed it from my pc's register of hardware. I've reinstalled the HP and hopefully it will stay installed. Only time will tell.

How do I remove these items detected by the activescan? Thanks again for the help.

Eric M


----------



## khazars (Feb 15, 2004)

can you post the ewido log and another hijack this log?



find and delete this file!


c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf


----------



## AbsentMindedProf (Aug 11, 2006)

khazars said:


> can you post the ewido log and another hijack this log?
> 
> find and delete this file!
> 
> c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf


I'll post the ewido and hijack this logs in my next post. I tried to find f3initialsetup1.0.0.15.inf in the downloaded program files, but it wasn't there. (Unless it is hidden somehow.)

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 7:53:21 PM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at:	7:26:40 PM 8/17/2006

+ Scan result:

C:\Documents and Settings\AbsentMindedProf\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\S-1-5-21-3588848991-3528696865-2937950479-500\Dc10.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-3588848991-3528696865-2937950479-500\Dc11.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\AbsentMindedProf\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\RECYCLER\S-1-5-21-3588848991-3528696865-2937950479-500\Dc12.txt -> TrackingCookie.Tribalfusion : Cleaned.

::Report end

I tried to copy and paste the names from the windows/downloaded program files to this report, but my pc just beeped every time I tried to copy the highlighted titles. I'll write them down and type them into another post in the morning.

Eric M
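With two HijackThis logs now in the thread, the question of which entries khazars asked to fix are actually gone can be answered mechanically. The parser below is an added example (not code from the thread or from HijackThis): it reads the Rx/Oxx entry lines, diffs two logs, checks a pasted "fix these" list against a later log, and groups the O16 (DPF) entries by download host. The excerpts embedded in it are constructed from lines posted in this thread and are not complete logs.

```python
"""Compare two HijackThis logs and check a 'fix these entries' list.

Entries are matched by section, descriptor and CLSID rather than by the
whole line, because forum software shortens long URLs (the fix list above
reads ".../Activ...veLauncher.cab") and a pasted list would otherwise
never match the original log.
"""
import re
from dataclasses import dataclass

# Entry line: section id, " - ", rest. R0/R1 = IE URLs, O2 = BHOs, O4 = Run
# keys, O8 = context menu, O16 = DPF (downloaded ActiveX), O20/O23 = Winlogon
# notify / services. F and N sections exist in HijackThis as well.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOST_RE = re.compile(r"https?://([^/\s?]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O16"
    body: str     # text after "O16 - ", whitespace collapsed

    @property
    def key(self):
        """Identity for matching: section, text before the first ' - ', and
        the CLSID if the line carries one; the URL/path tail is left out."""
        m = CLSID_RE.search(self.body)
        return (self.section, self.body.split(" - ")[0], m.group(0).upper() if m else "")


def parse_log(text):
    """Entry lines of a HijackThis log in file order; the process list,
    the header and any scan-report text are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(" ".join(raw.split()))
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries gone since the earlier log, and entries that newly appeared."""
    before_keys = {e.key for e in parse_log(before)}
    after_keys = {e.key for e in parse_log(after)}
    return {
        "removed": [e for e in parse_log(before) if e.key not in after_keys],
        "added": [e for e in parse_log(after) if e.key not in before_keys],
    }


def still_present(fix_list, log):
    """Entries of a 'have HijackThis fix these' list that the log still shows."""
    keys = {e.key for e in parse_log(log)}
    return [e for e in parse_log(fix_list) if e.key in keys]


def dpf_hosts(log):
    """Group O16 (DPF) entries by the host the control was downloaded from,
    so a reviewer sees at a glance which sites have installed ActiveX code."""
    hosts = {}
    for e in parse_log(log):
        host, clsid = HOST_RE.search(e.body), CLSID_RE.search(e.body)
        if e.section == "O16" and host and clsid:
            hosts.setdefault(host.group(1).lower(), []).append(clsid.group(0).upper())
    return hosts


# Constructed excerpts of the 8/11 and 8/17 logs and of the first fix list.
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyahoo/TrueInstallVerizonYahoo.exe
"""
AFTER = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""
FIX_LIST = r"""
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/Activ...veLauncher.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/verizonyah...rizonYahoo.exe
"""

if __name__ == "__main__":
    changes = diff_logs(BEFORE, AFTER)
    for what in ("removed", "added"):
        print(what, [f"{e.section} - {e.body}" for e in changes[what]])
    print("fix list entries still present:", still_present(FIX_LIST, AFTER))
    print("ActiveX download hosts in later log:", dpf_hosts(AFTER))
```

On the full logs, the removed list is what the cleaning steps actually took out and the added list is what the newly installed tools (Java, Filseclab, ewido, Spy Sweeper) registered; anything left in still_present is what to ask about next.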


----------



## AbsentMindedProf (Aug 11, 2006)

File list from c:\Windows\downloaded program files:

Program file name/status/size:
(. . . Indicates file name not completely displayed in folder listing.)

{1D4DB7D2-6EC . . . unknown 4kb
{49232000-16e4 . . . damaged 84kb
ActiveScan Instal . . . Installed 134kb
asusTek_sysctrl (all after this
are installed.) 80kb
dldisplay Class 76kb
GDIChk Object 68kb
InstallerAX Class 152kb
Java Runtime En. . . 4kb
Java Runtime En. . . None
Java Runtime En. . . None
MicrosoftXML Pa. . . 160kb
MSN Chat Contro. . . 504ln
MUWebControl Cl. . . 180kb
OC WebInstaller 2,188kb
Reg ProopsCtrl Class 4kb
SecureLogin class 24kb
Shockwave Activ. . . 4kb
Shockwave Flash. . . 8kb
Support.com Con. . . 240kb
Symantec AntiVir. . . 1,208kb
Symantec RU FSI. . . 164kb
Windows Genuin. . . 564kb
WUWebControl C. . . 176kb


----------



## khazars (Feb 15, 2004)

Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

Open Spysweeper and click on Options > Program Options.
Uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Leave it disabled until we are finished here.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php

have hijack this fix these entries. close all browsers and programmes before clicking FIX.

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Double-click on Killbox.exe to run it. Now put a tick by Delete on Reboot. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box. Then click yes to reboot after you entered the last one.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

You have spysweeper run a full system scan with it and save the log it makes and post it back here!

c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf

go to this site and download these tools and once you get both
adaware Se 1.6 and spybot, update both of them.

Set adaware to do a full system scan and deselect "search for negligible risk entries". Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the immunize button.

Download Superantispyware.

http://www.superantispyware.com/

Once downloaded and installed update the definitions and then run a full system scan, quarantine what it finds!

All tools can be downloaded at the link below and found on that page!

* SUPERAntiSpyware
* SpyBot search and destroy
* AdAware SE personal

http://www.majorgeeks.com/downloads31.html

Run an online antivirus check from

http://www.kaspersky.com/virusscanner

choose extended database for the scan!

post another log, the spysweeper and the kaspersky log!


----------



## khazars (Feb 15, 2004)

Can you post a log from normal mode the next time!


----------



## AbsentMindedProf (Aug 11, 2006)

khazars said:


> Can you post a log from normal mode the next time!


Here is the latest HijackThis scan taken in normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 11:34:06 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I downloaded and ran Spybot, and it didn't find any threats. I've also uninstalled the drivers for the mechanical mouse and subsequently reloaded the drivers for the light mouse from disk, in case whatever is causing the problem is hidden in one or both sets of drivers. The problem remains.

Eric M
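The helpers in this thread read a log like the one above entry type by entry type. As an added example, not part of the thread and not code from the HijackThis project, here is a small Python triage script that parses the entry lines and pulls out the items that usually get questioned first: entries flagged "(file missing)", repeated O10 Winsock LSP entries, the hosts that O16 ActiveX controls were downloaded from, the O17 name servers and any O18 custom protocol handlers. The sample input is ten lines copied from the log above; the parsing rules are my reading of the 1.99 output format and are assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample input: ten entry lines copied from the log above,
# enough to exercise every rule below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
"""

# One HijackThis entry: a section tag (R0, O4, O16, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.+)$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per entry line; header and running-process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()})
    return entries


def triage(log_text: str) -> Dict[str, object]:
    """Pull out the items a log reviewer asks about first."""
    report = {
        "file_missing": [],              # orphaned entries whose target no longer exists
        "lsp_dlls": Counter(),           # O10 Winsock LSP entries, counted per DLL
        "dpf_hosts": defaultdict(list),  # O16 ActiveX downloads, grouped by source host
        "nameservers": [],               # O17 DNS servers, in log order, deduplicated
        "protocols": [],                 # O18 custom protocol handlers
    }
    for e in parse_entries(log_text):
        kind, body = e["kind"], e["body"]
        if "(file missing)" in body:
            report["file_missing"].append(e["raw"])
        if kind == "O10":
            # split on ": " (not ":") so the drive letter's colon is left alone
            report["lsp_dlls"][body.split(": ", 1)[-1].strip().lower()] += 1
        elif kind == "O16":
            m = re.search(r"https?://([^/\s]+)", body)
            if m:
                report["dpf_hosts"][m.group(1).lower()].append(e["raw"])
        elif kind == "O17":
            m = re.search(r"NameServer = (.+)$", body)
            for server in (m.group(1).split() if m else []):
                if server not in report["nameservers"]:
                    report["nameservers"].append(server)
        elif kind == "O18":
            report["protocols"].append(body.split(" - ")[0].replace("Protocol: ", "", 1))
    return report


def findings(log_text: str) -> List[str]:
    """Human-readable summary of the triage report, one line per finding."""
    r = triage(log_text)
    out = [f"orphaned entry (file missing): {raw}" for raw in r["file_missing"]]
    out += [f"Winsock LSP {dll} appears {n} times" for dll, n in r["lsp_dlls"].items()]
    out += [f"ActiveX control(s) downloaded from {host}: {len(v)}"
            for host, v in sorted(r["dpf_hosts"].items())]
    if r["nameservers"]:
        out.append("DNS servers in use: " + ", ".join(r["nameservers"]))
    out += [f"custom URL protocol handler: {p}" for p in r["protocols"]]
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

The script only groups and counts; deciding whether a given BHO, service or ActiveX host is legitimate is still the reviewer's call, which is why the thread keeps asking for fresh logs rather than a one-line verdict.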


----------



## AbsentMindedProf (Aug 11, 2006)

SUPERAntiSpyware discovered and quarantined (I hope) MyWay. Should I leave this program in quarantine, or erase it?

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

I've noticed the last few times I've restarted my PC an "end program" pop-up has come up to close hpotdd01.exe. Is this a program that should be running, or should I erase it? Many thanks again for all the help.

Eric M


----------



## khazars (Feb 15, 2004)

You can disable hpotdd01.exe in msconfig. Go to Start/Run, type msconfig, click Selective Startup, click Startup and uncheck the box for hpotdd01.

You can have SUPERAntiSpyware delete MyWay!

Clean log! How's the computer running now, any better?

If you don't have an anti-virus programme then download and install this one!

AntiVir

http://www.free-av.com/

You should now turn off System Restore to flush out the bad restore points and then re-enable it and make a new clean restore point.

How to turn off system restore

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

Here are some free tools to keep you from getting infected in the future.

To stop reinfection, get SpywareBlaster from

http://www.javacoolsoftware.com/downloads.html

Get the hosts file from here. Unzip it to a folder!

http://www.mvps.org/winhelp2002/hosts.htm

Put it into the folder listed below for your version of Windows, or click the mvps bat file and it should do it for you!

Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS

IE-SPYAD. Puts over 5000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

http://www.spywarewarrior.com/uiuc/resource.htm

Arovax Shield: stop your computer from being hijacked!

http://www.arovaxshield.com/

Use Spybot's Immunize button and use SpywareBlaster's Enable Protection once you update it. You can put Spybot's hosts file into your own and lock it.

I would also suggest switching to Mozilla's Firefox browser; it's safer, has a built-in pop-up blocker, and blocks cookies and ads. Mozilla Thunderbird is also a good e-mail client.

http://www.mozilla.org/

Another good and free browser is Opera!

http://www.opera.com/

Read here to see how to tighten your security:

http://forums.techguy.org/t208517.html

A good overall guide for firewalls, anti-virus, and anti-trojans as well as 
regular spyware cleaners.

http://www.firewallguide.com/anti-trojan.htm

You can mark your own thread solved through Thread Tools at the top of the page.


----------



## AbsentMindedProf (Aug 11, 2006)

It seems that I am still having my cursor hijacked. I've noticed three files inside the Windows file that look strange. (The second and third are highlighted in blue, whereas all the rest are in black.):

$hf_mig$
$NtUninstallKB921398$
$NtUninstallKB922616$

Are these a problem, or just part of the Windows OS files?

Eric M


----------



## Cookiegal (Aug 27, 2003)

Those are service pack files/updates, so not a problem.


Please post a new HijackThis log.


----------



## AbsentMindedProf (Aug 11, 2006)

Something is very wrong with my PC. My 144 GB C drive, which should have around 50 to 60 GB free, had only 7.1 GB free this morning. (It may have been low for quite a while, as I don't normally check that when I open 'My Computer'.) I ran the ATF cleaner and that brought the free memory space up to 8.5 GB. That leaves around 50 GB of memory unaccounted for. Could the spyware/virus my PC has have done this? If so, how can I find and erase whatever files it created? I'll post a new HijackThis log after I restart. (Btw, now I can no longer use the light activated mouse, as even when I reinstall the drivers for it from disk and restart, my PC says that the mouse is not plugged in. 'No plugged' is what is displayed when the puter begins to start up.)

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 9:41:17 AM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Arovax Shield] "C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Question: When I ran the Avira AntiVir scan (Luke Filewalker), it didn't detect any viruses. However, it did have a few hundred 'warnings'. I'm running it again, and at 20% complete it is up to 145 'warnings'. What are warnings? Is this an indication of spyware/malware or other problems?

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

AbsentMindedProf said:


> File list from c:\Windows\downloaded program files:
> 
> Program file name/status/size:
> (. . . Indicates file name not completely displayed in folder listing.)
> ...


----------



## AbsentMindedProf (Aug 11, 2006)

| Incident | Status | Location |
|---|---|---|
| Adware:adware/cydoor | Not disinfected | c:\windows\cdmxtras |
| Potentially unwanted tool:application/mywebsearch | Not disinfected | hkey_current_user\software\MyWebSearch |
| Potentially unwanted tool:application/funweb | Not disinfected | hkey_local_machine\software\Fun Web Products |
| Potentially unwanted tool:application/altnet | Not disinfected | hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM |
| Potentially unwanted tool:application/myway | Not disinfected | hkey_current_user\software\netscape\netscape navigator\automation shutdown\MyWayToolBar.NetscapeShutdown.1 |
| Potentially unwanted tool:application/need2find | Not disinfected | HKEY_CLASSES_ROOT\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3} |
| Potentially unwanted tool:application/zango | Not disinfected | HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287} |
| Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\AbsentMindedProf\Cookies\[email protected][1].txt |
| Potentially unwanted tool:Application/KillApp.B | Not disinfected | C:\hp\bin\KillIt.exe |
| Potentially unwanted tool:Application/MyWay | Not disinfected | C:\Program Files\Microsoft AntiSpyware\Quarantine\F5C170BB-5EA3-4E97-9A6D-57110C\BE720464-94B7-427E-B3E0-7A7E21 |
| Potentially unwanted tool:Application/MyWebSearch | Not disinfected | C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll |


----------



## Cookiegal (Aug 27, 2003)

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

*Click here* for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

Reboot back to Normal Mode!


Go to the *WinPFind folder*
Locate *WinPFind.txt*
Copy and paste WinPFind.txt in your next post here please.
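WinPFind, the tool this post asks for, lists files under the Windows folders tagged with the packer or protector signature string it found in them (aspack, UPX!, PEC2, PECompact2 and so on); packed executables are worth a second look because packing hides what a binary contains from signature scanners, but plenty of legitimate software is packed too, which is why the tool's own output opens with a warning that not every listed file is bad. The script below is an added example, not from the thread and not WinPFind's own code: it reads a file's PE section table and reports packer section names (the structural check), and separately searches for the raw marker strings WinPFind prints (the string check, which is the one that produces false positives). The section-name and marker tables are assumptions of this example and are not exhaustive, and `build_fake_pe` constructs a minimal, non-runnable PE header as test input.

```python
import os
import struct
from typing import List, Optional, Set

# Assumed heuristics for this example (not WinPFind's own tables): section
# names that packers commonly leave in the PE section table, and the marker
# strings WinPFind prints in its first column.
PACKER_SECTIONS = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "aspack", b".adata": "aspack",
    b"pec1": "PECompact2", b"pec2": "PECompact2",
}
MARKER_STRINGS = {b"UPX!": "UPX!", b"aspack": "aspack",
                  b"PEC2": "PEC2", b"PECompact2": "PECompact2"}
SCAN_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".ocx"}


def pe_section_names(data: bytes) -> List[bytes]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return the section names.  Raises ValueError for anything that is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    if coff + 20 > len(data):
        raise ValueError("truncated COFF header")
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section headers are 40 bytes each
    names = []
    for i in range(num_sections):
        off = table + i * 40
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def scan_pe(data: bytes) -> Set[str]:
    """Tags found two ways: structurally (section names) and by raw string match.
    The string match is the WinPFind-style check and can hit unpacked files
    that merely contain the marker bytes."""
    tags = set()
    for name in pe_section_names(data):
        if name in PACKER_SECTIONS:
            tags.add(PACKER_SECTIONS[name])
    for marker, tag in MARKER_STRINGS.items():
        if marker in data:
            tags.add(tag)
    return tags


def scan_file(path: str) -> Optional[Set[str]]:
    """Tags for one file, or None if it is not a PE image."""
    with open(path, "rb") as fh:
        data = fh.read()
    try:
        return scan_pe(data)
    except ValueError:
        return None


def scan_tree(root: str) -> List[tuple]:
    """(path, tags) for every flagged PE under root, like WinPFind's folder checks."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, name)
                tags = scan_file(full)
                if tags:
                    hits.append((full, tags))
    return hits


def build_fake_pe(section_names: List[bytes], payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal PE32 header (not a runnable program)
    with the given section names, followed by arbitrary payload bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                           # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + payload
```

A file that is flagged only by the string check and has ordinary section names is the kind of entry the tool's warning is about; a file flagged by both checks is genuinely packed, which still says nothing about whether it is malicious, only that a signature scanner may not see inside it.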


----------



## AbsentMindedProf (Aug 11, 2006)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
aspack 9/10/2005 11:50:22 AM 545280 C:\WINDOWS\flashax.exe
UPX! 3/31/2003 5:00:00 AM 43133 C:\WINDOWS\fw.exe
aspack 9/10/2005 11:50:26 AM 192000 C:\WINDOWS\Guinness.scr
aspack 9/10/2005 11:49:12 AM 194560 C:\WINDOWS\Guinness_Bread.scr
aspack 11/9/2004 11:31:58 PM 192000 C:\WINDOWS\mms_movienight_PC.scr
aspack 2/8/2005 7:32:56 PM 192000 C:\WINDOWS\screensaver.scr
aspack 1/20/2005 9:36:48 PM 194560 C:\WINDOWS\screensaver_domestic.scr
aspack 6/1/2005 9:50:42 AM 194560 C:\WINDOWS\screensaver_flag.scr

Checking %System% folder...
UPX! 12/2/2005 9:31:00 AM 478208 C:\WINDOWS\SYSTEM32\aswBoot.exe
aspack 3/18/2005 6:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 5/26/2005 4:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 7/22/2005 8:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack 12/5/2005 7:09:18 PM 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
PEC2 2/12/2004 9:05:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 8/9/2005 6:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 8/9/2005 6:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PEC2 5/25/2005 9:30:46 PM 128000 C:\WINDOWS\SYSTEM32\Dsslji.dat
PTech 6/19/2006 4:19:42 PM 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 8/2/2006 9:22:50 PM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/2/2006 9:22:50 PM 8255912 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 3/9/2005 5:45:02 PM 972134 C:\WINDOWS\SYSTEM32\Naked News Program One.scr
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 2/12/2004 12:24:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 6/19/2006 4:19:26 PM 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
8/22/2006 7:57:06 PM S 2048 C:\WINDOWS\bootstat.dat
8/21/2006 9:53:52 PM H 54156 C:\WINDOWS\QTFont.qfn
7/5/2006 8:21:58 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB917422.cat
7/28/2006 8:16:08 AM S 23751 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB918899.cat
7/27/2006 10:00:28 AM S 10337 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920214.cat
7/21/2006 5:03:14 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920670.cat
6/26/2006 3:47:22 PM S 11929 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB920683.cat
7/13/2006 10:24:46 AM S 13050 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921398.cat
7/14/2006 12:13:00 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB921883.cat
7/14/2006 11:53:20 AM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB922616.cat
8/22/2006 7:56:56 PM H 8192 C:\WINDOWS\system32\config\default.LOG
8/22/2006 7:57:30 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
8/22/2006 7:57:08 PM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
8/22/2006 7:58:24 PM H 94208 C:\WINDOWS\system32\config\software.LOG
8/22/2006 7:57:46 PM H 999424 C:\WINDOWS\system32\config\system.LOG
8/9/2006 9:34:10 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
8/22/2006 2:07:56 PM H 1024 C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
7/24/2006 2:37:16 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\a6acbbaa-74ea-45e2-bce7-66d2c16253e9
7/24/2006 2:37:16 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
8/22/2006 7:48:30 PM H 6 C:\WINDOWS\Tasks\SA.DAT
8/22/2006 6:00:16 PM H 430 C:\WINDOWS\Tasks\{B48B72B7-CFDD-4E24-AF44-04AC5AC765FE}_YOUR-C8BH3JAGLT_AbsentMindedProf.job

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 2/11/2004 11:34:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 2/11/2004 11:52:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 2/11/2004 11:58:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 2/11/2004 11:34:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 2/11/2004 11:52:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 2/11/2004 11:58:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 2/10/2004 9:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 4:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0011\DriverFiles\ALSNDMGR.CPL

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
4/2/2004 4:03:38 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/15/2006 1:16:54 PM 561 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Filseclab Messenger.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/18/2006 1:23:46 PM 305 C:\Documents and Settings\All Users\Application Data\addr_file.html
4/1/2004 7:56:54 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/18/2006 9:18:28 AM 2556 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
4/2/2004 4:03:38 AM HS 84 C:\Documents and Settings\AbsentMindedProf\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
3/16/2005 9:45:02 PM 1649 C:\Documents and Settings\AbsentMindedProf\Application Data\AdobeDLM.log
4/1/2004 7:56:54 PM HS 62 C:\Documents and Settings\AbsentMindedProf\Application Data\desktop.ini
3/16/2005 9:45:02 PM 0  C:\Documents and Settings\AbsentMindedProf\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Erasext
{8BE13461-936F-11D1-A87D-444553540000} = C:\PROGRA~1\Eraser\erasext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ZLAVShExt
{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
Adobe PDF Reader Link Helper = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31FF080D-12A3-439A-A2EF-4BA95A3148E8}
bho2gr Class = C:\Program Files\GetRight\xx2gr.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
UberButton Class = C:\Program Files\Yahoo!\Common\yiesrvc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65D886A2-7CA7-479B-BB95-14D1EFB7946A}
YahooTaggedBM Class = C:\Program Files\Yahoo!\Common\YIeTagBm.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}
SidebarAutoLaunch Class = C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console	: C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
ButtonText = Verizon Yahoo! Services	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{99FEA1A2-7881-11D1-A9E2-00403320FCF2}
ButtonText = Bug Swatter Options	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{A1100DDB-B277-4CAA-A640-B299D79FE25E}
ButtonText = Popup Slapdown Options	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B1100DDB-B277-4CAA-A640-B299D79FE25E}
ButtonText = Phishing Net Options	: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger	: C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
= 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = : 
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address	: %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = : 
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = : 
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar	:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WheelMouse	Amoumain.exe
SunJavaUpdateSched	"C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
XFILTER	"C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
!ewido	"C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
QuickTime Task	"C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe	"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
KBD	C:\HP\KBD\KBD.EXE
ccApp	"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
HP Software Update	"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager	"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
HPDJ Taskbar Utility	C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
Arovax Shield	"C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
LanzarL2007	"C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager	"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
SUPERAntiSpyware	"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^AbsentMindedProf^Start Menu^Programs^Startup^TrueAssistant.lnk
path	C:\Documents and Settings\AbsentMindedProf\Start Menu\Programs\Startup\TrueAssistant.lnk
backup	C:\WINDOWS\pss\TrueAssistant.lnkStartup
location	Startup
command	C:\PROGRA~1\TRUEAS~1\TRUEAS~1.EXE 
item	TrueAssistant
path	C:\Documents and Settings\AbsentMindedProf\Start Menu\Programs\Startup\TrueAssistant.lnk
backup	C:\WINDOWS\pss\TrueAssistant.lnkStartup
location	Startup
command	C:\PROGRA~1\TRUEAS~1\TRUEAS~1.EXE 
item	TrueAssistant

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup	C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\COMPAQ~1\1940576\Program\BACKWE~1.EXE -startup
item	Compaq Connections
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
backup	C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\COMPAQ~1\1940576\Program\BACKWE~1.EXE -startup
item	Compaq Connections

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup	C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
item	Kodak EasyShare software
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup	C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h
item	Kodak EasyShare software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup	C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE 
item	Kodak software updater
path	C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup	C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup
location	Common Startup
command	C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE 
item	Kodak software updater

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\A Verizon App
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	VERIZO~1
hkey	HKLM
command	C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	VERIZO~1
hkey	HKLM
command	C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AGRSMMSG
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	AGRSMMSG
hkey	HKLM
command	AGRSMMSG.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	AGRSMMSG
hkey	HKLM
command	AGRSMMSG.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AlcxMonitor
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ALCXMNTR
hkey	HKLM
command	ALCXMNTR.EXE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ALCXMNTR
hkey	HKLM
command	ALCXMNTR.EXE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_CC
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	avgcc
hkey	HKLM
command	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	avgcc
hkey	HKLM
command	C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AVG7_Run
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	avgw
hkey	HKCU
command	C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	avgw
hkey	HKCU
command	C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CaAvTray
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	CAVTray
hkey	HKLM
command	"C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	CAVTray
hkey	HKLM
command	"C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CAVRID
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	CAVRID
hkey	HKLM
command	"C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	CAVRID
hkey	HKLM
command	"C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DeviceDiscovery
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpotdd01
hkey	HKLM
command	"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	hpotdd01
hkey	HKLM
command	"C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe"
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Eraser
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	eraser
hkey	HKCU
command	C:\Program Files\Eraser\eraser.exe -hide
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	eraser
hkey	HKCU
command	C:\Program Files\Eraser\eraser.exe -hide
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Felix II
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Felix2
hkey	HKCU
command	C:\Program Files\ScreenMates\Felix II\Felix2.exe
inimapping	0
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	Felix2
hkey	HKCU
command	C:\Program Files\ScreenMates\Felix II\Felix2.exe
inimapping	0


----------



## AbsentMindedProf (Aug 11, 2006)

There is no way that I can post the rest of the WinPFind log. This MB only allows posts of up to 30,000 characters and the log is over 70,000 characters long. (I've been trying for over half an hour to figure out a way to cut and paste the rest of the log in 30,000 character increments before I lose control of my cursor. It can't be done.)

Is there an email address that I could send the log to for review, and, if possible to be posted here?

If there is, send it to me at [email protected], and I will forward the log. Thank you!

Eric M


----------



## Cookiegal (Aug 27, 2003)

Upload it as an attachment, please. 

Click on "manage attachments" below the dialog box and then browse to the file and upload it.


----------



## AbsentMindedProf (Aug 11, 2006)

Oops! I was so frazzled yesterday, I didn't even think of adding the log as an attachment. Sorry!

Anyhow, it's attached to this post. 

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Panda Antivirus 2007 incident report

| EVENT | DATE | RESULTS | ADDITIONAL INFORMATION |
|---|---|---|---|
| Scan completed | 08/23/06 09:43:40 | | Scan: All hard disks |
| Dialer detected: Dialer.HOI | 08/23/06 09:29:07 | Eliminated | Location: C:\WINDOWS\Downloaded Program Files\ActiveSecurity.INF |
| Tracking program detected: Application/MyWay | 08/23/06 09:25:16 | Eliminated | Location: C:\RECYCLER\S-1-5-21-3588848991-3528696865-2937950479-500\Dc2\myBar\1.bin\MY2NS.EXE |
| Tracking program detected: Application/MyWebSearch | 08/23/06 09:22:00 | Eliminated | Location: C:\Program Files\Uninstall My Web Search.dll |
| Tracking program detected: Application/MyWebSearch | 08/23/06 09:14:49 | Eliminated | Location: C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll |
| Tracking program detected: Application/MyWay | 08/23/06 09:12:30 | Eliminated | Location: C:\Program Files\Microsoft AntiSpyware\Quarantine\F5C170BB-5EA3-4E97-9A6D-57110C\BE720464-94B7-427E-B3E0-7A7E21 |
| Tracking program detected: Application/KillApp.B | 08/23/06 09:03:21 | Eliminated | Location: C:\hp\bin\KillIt.exe |
| Scan started | 08/23/06 08:47:54 | | Scan: All hard disks |
| Scan completed | 08/23/06 08:46:33 | | Scan: All My Computer |
| Scan started | 08/23/06 08:46:09 | | Scan: All My Computer |
| Scan completed | 08/23/06 08:10:33 | | Scan: All My Computer |
| Scan started | 08/23/06 08:09:32 | | Scan: All My Computer |
| Update | 08/23/06 08:08:40 | OK | Identifiers of alteration of archives |
| Update | 08/23/06 08:08:31 | OK | New threat signatures: 8277 |

I bought Panda Antivirus 2007, updated it, and ran it. Here are the viruses it removed. It seems that I am still having the problem with my cursor.

Eric M


----------



## Cookiegal (Aug 27, 2003)

Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable SpySweeper:

Open it, click Options over to the left, then Program Options, and uncheck "Load at Windows startup".
Over to the left click Shields and uncheck all there.
Uncheck "Home page shield".
Uncheck "Automatically restore default without notification".

I'm attaching a FixAbsent.zip file to this post. Save it to your desktop but don't do anything with it yet. We will use it later in safe mode.

Read here about BoontyGames. I would uninstall it. Since it won't uninstall from Add/Remove Programs, delete its folder in Program Files.

http://www.castlecops.com/o23list-1744.html

Go to *Control Panel* - *Add/Remove programs* and remove the following, if there:

*Click Here* and download Killbox and save it to your desktop but don't run it yet.

Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click *fix checked*.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab

O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab

Then boot to safe mode:

How to restart to safe mode

Double-click on Killbox.exe to run it. 

Put a tick by *Standard File Kill*. 
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

C:\WINDOWS\SYSTEM32\Dsslji.dat

c:\windows\cdmxtras

Click on the button that has the red circle with the X in the middle after you enter each file. 
It will ask for confirmation to delete the file. 
Click Yes. 
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Killbox may tell you that one or more files do not exist. 
If that happens, just continue on with all the files. Be sure you don't miss any.
Next in Killbox go to *Tools > Delete Temp Files*
In the window that pops up, put a check by *ALL* the options there *except* these three:
XP Prefetch
Recent
History

Now click the *Delete Selected Temp Files* button.
Exit the Killbox.

Boot back to Windows normally and post another HijackThis log please.


----------
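An added example, not code from the thread, from HijackThis or from either poster: a small Python triage pass over the kinds of HijackThis lines Cookiegal picks out above (the O16 ActiveX downloads she has the poster fix) plus the other line types in the log that deserve the same second look (an O4 Run entry whose program lives under the user's Temp folder, a dangling O18 protocol handler, and the O10 Winsock LSP entries). The severity scale, the temp-like directory patterns and the list of vendor domains treated as expected ActiveX sources are the editor's own assumptions; the sample lines are copied from the log posted in this thread, with the forum's "..." truncation of two URLs left as it is.

```python
"""HijackThis log triage: an added example for this thread, not code from
HijackThis, Cookiegal or the original poster.

Editor's assumptions (none come from the thread): the high/medium/low scale,
the "temp-like" directory patterns an autostart should never launch from, and
the vendor domains whose ActiveX (O16 DPF) downloads this machine is expected
to carry. Everything else is parsed from the log lines themselves.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied verbatim from the HijackThis log posted in
# the thread (URLs the forum truncated with "..." are left truncated).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low" (editor's own scale)
    item: str       # line type plus the name/CLSID it concerns
    reason: str


# Assumption: a legitimate autostart is never launched from these directories.
TEMP_LIKE = re.compile(r"\\(?:temp|tmp|recycler|downloaded program files)\\", re.I)
# Assumption: vendors whose ActiveX downloads are expected on this HP/Verizon box.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "symantec.com", "pandasoftware.com",
                       "verizon.net", "hp.com")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
O18_RE = re.compile(r"^O18 - Protocol: (\S+) - \{[0-9A-Fa-f-]+\} - (.*)$")
O10_RE = re.compile(r"^O10 - (.*?): (.*)$")


def exe_from_command(cmd: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def host_is_trusted(url: str) -> bool:
    """True when the download host is one of the expected vendor domains."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries that need a human look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            hive, key, name, cmd = m.groups()
            exe = exe_from_command(cmd)
            item = f"O4 {hive}\\{key} [{name}]"
            if TEMP_LIKE.search(exe):
                findings.append(Finding("high", item, f"autostart launches from a temp-like path: {exe}"))
            elif "\\" not in exe:
                # Bare file name: resolved through the search path, so worth confirming
                # which copy actually runs (here it is the mouse driver's tray program).
                findings.append(Finding("low", item, f"bare file name, resolved via the search path: {exe}"))
        elif m := O16_RE.match(line):
            clsid, label, url = m.groups()
            if not host_is_trusted(url):
                findings.append(Finding("medium", f"O16 {clsid} ({label or 'no name'})",
                                        f"ActiveX download from an unrecognised host: {urlparse(url).hostname}"))
        elif m := O18_RE.match(line):
            proto, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append(Finding("low", f"O18 {proto}",
                                        "protocol handler registered but its DLL is gone; dangling registration"))
        elif m := O10_RE.match(line):
            kind, path = m.groups()
            # Every LSP sees all Winsock traffic, so each one gets checked against its vendor.
            findings.append(Finding("medium", "O10 LSP", f"{kind}: {path}"))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

On the sample, the only high finding is the LanzarL2007 Run entry, which launches a Setup.exe from inside the user's Temp folder; the two ActiveX entries Cookiegal has the poster fix (imgfarm.com and comned.com) come out as medium, while the Windows Update control on update.microsoft.com is not reported. The Filseclab LSP and the WheelMouse entry are listed only so that someone confirms they belong to installed software, which in this thread they do.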



## AbsentMindedProf (Aug 11, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 1:28:25 PM, on 8/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Arovax Shield] "C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CS1\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## Cookiegal (Aug 27, 2003)

The log looks fine. How are things running now?


----------



## AbsentMindedProf (Aug 11, 2006)

I'm still having problems with losing control of the cursor. Can the zip file I downloaded be of help? 

Eric M


----------



## Cookiegal (Aug 27, 2003)

Anything is possible. You haven't run it yet?


----------



## AbsentMindedProf (Aug 11, 2006)

I just ran it in safe mode and it added a file to my pc registry. Is it supposed to do more than that?

Btw (and I hate to say this), I may have invited trouble in through the front door. I recently bought a game online, Civilization III. While I am fairly certain that I bought it after my problem started, it well could be harboring something nasty. I believe that I bought it from gamespot, but, as you say, anything is possible.

I am pretty much at the end of my rope at this point. I'm guessing there isn't much else to be done to try and fix my pc. (Perhaps the virus/spyware/malware that is creating the problem is either too old for scans to bother with, or too new for them to know about. In either case it leaves me somewhat out in the cold.)

Thank you for all your help. If there is anything else that we haven't tried, please let me know. All the best to you and yours!

Eric M


----------



## Cookiegal (Aug 27, 2003)

Do you still have a system restore point from an earlier date, or had you flushed them and created a new one as per khazars' instructions?


----------



## AbsentMindedProf (Aug 11, 2006)

I flushed the restore points. However, I may not need them. After running fixabsent.exe, things seem to be o.k. again. I'll mark this one solved! Many thanks!

Eric M


----------



## Cookiegal (Aug 27, 2003)

You're welcome. 

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

To turn off system restore, on the Desktop, right click on *My Computer* and click on *Properties.*
Click the *System Restore* tab.
Check *Turn off System Restore.*
Click Apply and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a new restore point, click on *Start* - *All Programs* - *Accessories* - *System Tools* and then select *System Restore*.

In the System Restore wizard, select *Create a restore point* and click the Next button.

Type a name for your new restore point then click on Create.

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your temporary files:*

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

Go to Start - Run and type *%temp%* in the Run box. The Temp folder will open. Click *Edit - Select All* then hit *Delete* to delete the entire contents of the Temp folder.

Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

While still in safe mode, go to Start - Run and copy and paste then click OK:

*shell:cache\content.ie5*

This should open your content.ie5 folder. Select everything in there and click delete. You will not be able to delete the index.bat file, and that's normal.

*Empty the recycle bin*.


----------



## AbsentMindedProf (Aug 11, 2006)

Well, it seems that I spoke too soon. My pc still seems to be infected with something that takes control of my cursor. (I don't know if during my activities yesterday, which included playing Civilization III, I may have reactivated or reloaded whatever had been eliminated, or if the programming of the infestation allows for periods of inactivity to add further frustration to the victims.)

Hewlett-Packard's online chat support mentioned something about system recovery, which they also mentioned would be very destructive. (That was just before they realized that my pc was just out of warranty, and wanted $120.00 for an extended warranty.)

Given that all my restore points are gone, is there anything short of recovery that I can try?

Eric M

Hijack This Scan:

Logfile of HijackThis v1.99.1
Scan saved at 7:27:33 AM, on 8/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AvltMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Arovax Shield] "C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## Cookiegal (Aug 27, 2003)

Please do not start a new thread for the same problem.

I've merged your new thread here.


----------



## Cookiegal (Aug 27, 2003)

Where did you download the game from?


----------



## AbsentMindedProf (Aug 11, 2006)

I bought the game from Trymedia Systems, Inc.: http://d.trymedia.com/d/infogrames/

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

I uninstalled Civilization III with the add/remove programs utility and am still having my problem with the hijacked cursor. (I presume this doesn't mean that civ III wasn't the cause of my problem. It might just mean that the uninstall removed the game, but left the virus behind.)

Here is the latest hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:16 AM, on 8/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\HijackThis.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Arovax Shield] "C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EFB3481-F1F0-43B1-A0C0-2FDD0FDC5DAB}: NameServer = 71.243.0.12 71.250.0.12
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I'll tell you one thing, this is the last time I buy software online. I'm off for the weekend to de-stress with my g/f. Have a great weekend.

Eric M
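The logs in this thread are read by eye, entry by entry. As an added example (not code from the thread, from HijackThis, or from any of the tools named here), the script below parses HijackThis 1.99.x entry lines and applies three generic triage checks a helper routinely does by hand: autorun (O4) entries whose executable lives under a Temp directory, entries whose target is reported as "(file missing)", and Winsock LSP (O10) entries that appear more than once. The sample lines are copied from the logs posted above; the checks are generic heuristics that produce items for a person to review, not a verdict about this particular machine.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example).

Parses entry lines of the form "O4 - ..." / "O10 - ..." and flags:
  * O4 autorun entries launching from a \\Temp\\ directory,
  * any entry HijackThis marks "(file missing)",
  * O10 Winsock LSP entries that are listed more than once.
"""
import re
from collections import Counter

# Sample lines constructed from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
"""

# "O4 - <body>" / "R1 - <body>": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_entries(log_text):
    """Yield (code, body) for every HijackThis entry line; other lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def autorun_path(cmd):
    """Return the executable path of an O4 command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Apply the three review heuristics and return the items they matched."""
    findings = {"temp_autorun": [], "file_missing": [], "duplicate_lsp": {}}
    lsp_counts = Counter()
    for code, body in parse_entries(log_text):
        if body.endswith("(file missing)"):
            findings["file_missing"].append(body)
        if code == "O4":
            m = O4_RE.match(body)
            # Heuristic: an autorun whose target sits under a Temp directory
            # (installer leftovers and droppers both look like this) is worth a look.
            if m and "\\temp\\" in autorun_path(m.group("cmd")).lower():
                findings["temp_autorun"].append(m.group("name"))
        elif code == "O10":
            lsp_counts[body.split(": ", 1)[-1].lower()] += 1
    findings["duplicate_lsp"] = {p: n for p, n in lsp_counts.items() if n > 1}
    return findings


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```

Run against the sample, the Temp check matches the [LanzarL2007] entry, the missing-file check lists the mavencache protocol handler and the Boonty Games service, and the LSP check reports xfilter.dll listed twice. Each of those is a prompt to ask the poster what the item is, which is exactly the kind of question the helper asks later in the thread about the screen savers.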


----------



## Cookiegal (Aug 27, 2003)

Did you ever try another mouse to see if it worked properly?

Download *Combofix* to your desktop.

Double-click *combo.exe* and follow the prompts.

*Do NOT click on the window while the fix is running because that will cause your system to hang.*

When finished and after reboot, it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.


----------



## AbsentMindedProf (Aug 11, 2006)

I've attached the logs:

Eric M


----------



## Cookiegal (Aug 27, 2003)

Please run another Panda scan and post the results.

*Click here* to download Silent Runners.
Save (do not choose open) it to the desktop.
Run SilentRunners by double clicking the "SilentRunners" icon on your desktop.
You will see a text file appear on the desktop - *it's not done, let it run (it won't appear to be doing anything!)*
Once you receive the prompt *All Done!*, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE: If you receive any warning message about scripts, please choose to allow the script to run.*


----------



## AbsentMindedProf (Aug 11, 2006)

I cannot run Silent Runners. When I double click on it, I get a pop-up saying that Windows cannot run this file type and needs to know what program was used to create it. When I let my pc look for the correct program online, I get this page:

"Microsoft Windows File Associations
Windows Home Pages |

Windows has the following information about this file type. This page will help you find software needed to open your file.

File Type: Unknown

Description: Windows does not recognize this file type.

The following Web sites have a comprehensive list of file extensions. You might be able to find information about this file type there:
FILExt

Have questions? See these Frequently Asked Questions.

--------------------------------------------------------------------------------
Copyright (c)2001 Microsoft Corporation. All rights reserved. Terms of Use | Disability/accessibility | Privacy Statement"

Is there something I need to change in my pc's settings to let it run Silent Runners? I'm running Windows XP Home Version with Service Pack 2.

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

I ran Panda Antivirus 2007, and it didn't find anything. I still cannot get Silent Runners to run.

Eric M


----------



## Cookiegal (Aug 27, 2003)

You will probably need windows scripting host 5.6 to get it to run.

http://www.microsoft.com/downloads/...43-7E4B-4622-86EB-95A22B832CAA&displaylang=en


----------



## AbsentMindedProf (Aug 11, 2006)

Cookiegal said:


> You will probably need windows scripting host 5.6 to get it to run.
> 
> http://www.microsoft.com/downloads/...43-7E4B-4622-86EB-95A22B832CAA&displaylang=en


That did the trick. I've attached the log from Silent Runners.

I've also emailed Panda tech support, and they sent me a link to the ActiveScanPro, which I will run tonight. (I ran it for a while earlier, and from the way it progressed, it will take most of the night to run a full scan. I'll post the results tomorrow.)

Have a good night!

Eric M


----------



## Cookiegal (Aug 27, 2003)

I don't see anything there either.

Can you please explain exactly what is happening in detail?


----------



## AbsentMindedProf (Aug 11, 2006)

Cookiegal said:


> I don't see anything there either.
> 
> Can you please explain exactly what is happening in detail?


Certainly. After my pc starts up, I have between a few clicks of my mouse to a few dozen clicks before I lose control of the cursor. When I lose control the cursor can do one of a number of things: shoot to the upper right or lower left hand corner of the screen and stay there, scroll up and down the left hand side of the screen, scroll across the bottom of the screen, or move erratically around the screen. While doing this it moves the toolbar from the bottom of the screen to the left hand edge of the screen and locks it there. It also opens numerous task pop-ups and the toolbar options screen, closes open internet page screens and opens others. (These things happen when I click the mouse or move it around. It doesn't have any effect on the keyboard's operations, which is how I am able to perform around 80% of the things I need to.)

I have discovered three ways to regain temporary control of the cursor with the mouse: restart my pc, put my pc into stand-by mode and bring it out again, or move the mouse around quickly and at random until the cursor comes back under my control. However, the second two methods only work so many times, usually less than three or four times, and I have to restart my pc again.

Also, the Filescab firewall I installed is still sending me pop-ups saying that is has blocked a trojan horse attack on my pc, in case that may be related to this problem:

10011 Deny svchost TCP/In 68.160.0.193/3341 204.70.151.94/80 0/62 8/30/2006 12:29:17 PMACK SYN RECV|RT:10|No.10011 built-in Rules C:\WINDOWS\System32\svchost.exe

10011 Deny svchost TCP/In 68.160.0.193/2944 208.172.65.62/80 0/62 8/30/2006 12:29:17 PMACK SYN RECV|RT:10|No.10011 built-in Rules C:\WINDOWS\System32\svchost.exe

The three names I spotted were Universal P, Rover or Roger, and ScannerScout(?).

Btw, it looks like the ActivePro scan will take a lot longer than I thought to do a full scan. I will post the log as soon as it is done.

This is driving me completely nuts! I hope we can fix this, as I cannot afford to pay a tech person to come over and look at my pc. Many thanks for your help so far.

Eric M


----------



## Cookiegal (Aug 27, 2003)

How many user profiles are there on this computer?

Download RootkitRevealer from *here* (link is at the very bottom of the page).
Unzip it to your desktop.
Open the RootkitRevealer folder and double-click *rootkitrevealer.exe*
Click the *Scan* button (bottom right)
It may take a while to scan (don't do anything while it's running)
When it's done, go up to *File - Save*. Choose to save it to your desktop.
Open *RootkitRevealer.txt* on your desktop and copy the entire contents and paste them here.


----------



## Cookiegal (Aug 27, 2003)

Also, do you recognize these screen savers? Did you intentionally download them?

C:\WINDOWS\Guinness_Bread.scr
C:\WINDOWS\mms_movienight_PC.scr
C:\WINDOWS\screensaver.scr
C:\WINDOWS\screensaver_domestic.scr
C:\WINDOWS\screensaver_flag.scr
C:\WINDOWS\SYSTEM32\Naked News Program One.scr


----------



## AbsentMindedProf (Aug 11, 2006)

Here is the rootkitrevealer log:

I have two user accounts on my pc, Owner and EricM.

Eric M


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.

Also, open HijackThis.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*
Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.


----------



## AbsentMindedProf (Aug 11, 2006)

I've attached the startuplist log.

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Cookiegal said:


> Also, do you recognize these screen savers? Did you intentionally download them?
> 
> C:\WINDOWS\Guinness_Bread.scr
> C:\WINDOWS\mms_movienight_PC.scr
> ...


I've erased them all, the ones I downloaded, and the ones I don't recall downloading.

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Just a post to let you know that I will be away from my pc until Monday. Have a great weekend!

Eric M


----------



## Cookiegal (Aug 27, 2003)

Do you have another computer you can try the mouse on to see if it does the same thing? Or try another mouse on this one?


----------



## AbsentMindedProf (Aug 11, 2006)

I did try using the old two button mouse from my old Dell pc and had the same problems.

Btw, my firewall is now telling me that it is blocking two trojans: Striker and Phinneas Phucker [sic].

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 6:36:39 PM, on 9/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Downloads\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Arovax Shield] "C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Filseclab Messenger.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1EAFB28B-CAA8-47E4-8DEC-968B06FA1D19} (InstallerAX Class) - http://foxmovies.a.content.maven.net/mvms/vfs/fox/foxmovies/live/install/installerAX.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Eric M


----------



## AbsentMindedProf (Aug 11, 2006)

Here is a log of a scan I ran with the demo version of Spyware Doctor:

Spyware Doctor Activity Report
Generated on 9/4/2006 8:23:56 PM


Scans (basic information only): 

Scan Results:
scan start: 9/4/2006 8:24:06 PM 
scan stop: 9/4/2006 8:30:25 PM 
scanned items: 199420 
found items: 170 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Registry Scanner, Cookie Scanner, Browser Scanner, Disk Scanner 



Infection Name Location Risk 
WildTangent multiple Medium 
FUNWEBPRODUCTS HKCU\Software\FunWebProducts Medium 
IEPlugin HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchUrl Medium 
Joltid P2P Networking HKCR\JCDE_Stack Elevated 
Joltid P2P Networking HKCR\JCDE_Stack.1 Elevated 
My Way HKCR\clsid\{0494D0DE-F8E0-41AD-92A3-14154ECE70AC} Elevated 
WildTangent HKCR\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance\{ECFBE6E0-1AC8-11D4-8501-00A0CC5D1F63} Medium 
WildTangent HKCR\clsid\{0c097121-c5d6-47eb-841d-30bff71a71c4} Medium 
WildTangent HKCR\clsid\{65e7db1d-0101-4100-bd66-c5c78c917f93} Medium 
WildTangent HKCR\clsid\{7f23e6e5-0e79-4aee-b723-b1463805d5a9} Medium 
WildTangent HKCR\clsid\{8ecf83a0-1ac9-11d4-8501-00a0cc5d1f63} Medium 
WildTangent HKCR\clsid\{a62fa99e-922e-4eca-a1d9-b54ef294a3cc} Medium 
WildTangent HKCR\clsid\{ab29a544-d6b4-4e36-a1f8-d3e34fc7b00a} Medium 
WildTangent HKCR\clsid\{b9ba256a-075b-49ea-b9e2-7dbc2ef021d5} Medium 
WildTangent HKCR\clsid\{ecfbe6e0-1ac8-11d4-8501-00a0cc5d1f63} Medium 
WildTangent HKCR\clsid\{fa13a9fa-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{05ef74a5-e109-11d2-a566-444553540000} Medium 
WildTangent HKCR\interface\{0e7ae465-ee8d-11d2-a566-444553540000} Medium 
WildTangent HKCR\interface\{1113c0b6-5300-4d5d-b2d7-35c14b28341b} Medium 
WildTangent HKCR\interface\{111d8b01-96c5-46dd-94d1-c6e8b1f69f44} Medium 
WildTangent HKCR\interface\{16410859-886f-4579-bc1f-330a139d0f0f} Medium 
WildTangent HKCR\interface\{1fad572e-1a3d-44d9-9c23-a87f922da8c0} Medium 
WildTangent HKCR\interface\{35ed7dfb-a8ed-4216-a4bb-bc08c326ef08} Medium 
WildTangent HKCR\interface\{399a8818-2000-436c-9a55-0016e5e3d227} Medium 
WildTangent HKCR\interface\{3f44b498-8fd4-4a1e-852c-170156ed27c0} Medium 
WildTangent HKCR\interface\{52889e01-cb46-11d2-96bc-00104b242e64} Medium 
WildTangent HKCR\interface\{5c49cbd2-8ed7-439b-8668-32149f84a235} Medium 
WildTangent HKCR\interface\{5dd15c3e-fc35-4e6f-b34c-e030d6439469} Medium 
WildTangent HKCR\interface\{6e6cf8e5-d795-11d2-a566-444553540000} Medium 
WildTangent HKCR\interface\{79884200-3ade-11d3-ac39-00105a2057fa} Medium 
WildTangent HKCR\interface\{810e95c2-f908-4e02-9b28-b92c3a778d0d} Medium 
WildTangent HKCR\interface\{8db2bc32-56e9-4349-b125-cb2561a06626} Medium 
WildTangent HKCR\interface\{a73f5102-3782-4945-bf97-889f9b6dc9a5} Medium 
WildTangent HKCR\interface\{aa0c96f9-a994-42d7-9543-842cf85e1ba7} Medium 
WildTangent HKCR\interface\{b57613b6-ef02-4d96-99c6-70c9a2014a14} Medium 
WildTangent HKCR\interface\{bdb9b021-caff-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{bdb9b022-caff-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{c1da7ab8-54fc-4971-9afb-1bcb9afc3aa2} Medium 
WildTangent HKCR\interface\{c3a156d4-503f-4779-a673-657308d94faf} Medium 
WildTangent HKCR\interface\{d72ac8e7-f41d-11d2-a566-444553540000} Medium 
WildTangent HKCR\interface\{d8e9ccf6-8e64-4e39-95ce-c5333fcfbd1f} Medium 
WildTangent HKCR\interface\{de3e540a-f0f2-4761-99be-afc6dc427e30} Medium 
WildTangent HKCR\interface\{ea6f254d-1a8c-4518-8fe0-e9b94fd134ed} Medium 
WildTangent HKCR\interface\{ec914a5c-7c4b-4ac8-8c86-c10ff5c0d23d} Medium 
WildTangent HKCR\interface\{f10493c1-d0b6-11d2-a566-444553540000} Medium 
WildTangent HKCR\interface\{fa13aa3a-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{fa13aa3e-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{fa13aa40-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{fa13aa44-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{fa13aa46-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{fa13aa50-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{fa13aafa-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\interface\{feca7cfa-1083-4073-a98a-cf3389fcaf6a} Medium 
WildTangent HKCR\logger.logsession Medium 
WildTangent HKCR\logger.logsession.1 Medium 
WildTangent HKCR\typelib\{11066f62-0388-458c-b7e7-47e824894f20} Medium 
WildTangent HKCR\typelib\{7946205b-fef7-494f-a64b-3e992a780866} Medium 
WildTangent HKCR\typelib\{b162d478-ef46-4475-b1fe-216bdedb7fad} Medium 
WildTangent HKCR\typelib\{b7e20302-c22c-4af2-9d75-c3eb6eee9dd8} Medium 
WildTangent HKCR\typelib\{fa13aa2e-ca9b-11d2-9780-00104b242ea3} Medium 
WildTangent HKCR\wdmhhost.wthoster Medium 
WildTangent HKCR\wdmhhost.wthoster.1 Medium 
WildTangent HKCR\wt.wtmultiplayer Medium 
WildTangent HKCR\wt.wtmultiplayer.1 Medium 
WildTangent HKCR\wt3d.wt Medium 
WildTangent HKCR\wt3d.wt.1 Medium 
WildTangent HKCR\wtdmmpv.wtdmmpversion Medium 
WildTangent HKCR\wtdmmpv.wtdmmpversion.1 Medium 
WildTangent HKCR\wtvis.wtvisreceiver Medium 
WildTangent HKCR\wtvis.wtvisreceiver.1 Medium 
WildTangent HKCR\wtvis.wtvissender Medium 
WildTangent HKCR\wtvis.wtvissender.1 Medium 
WildTangent HKCU\Software\WildTangent Medium 
WildTangent HKLM\software\wildtangent Medium 
WildTangent HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WildTangent CDA Medium 
Zestyfind (Unknown Hijacker) HKCR\clsid\{0494d0de-f8e0-41ad-92a3-14154ece70ac} Medium 
My Way {0494D0DE-F8E0-41AD-92A3-14154ECE70AC} Elevated 
WildTangent {0c097121-c5d6-47eb-841d-30bff71a71c4} Medium 
WildTangent {65e7db1d-0101-4100-bd66-c5c78c917f93} Medium 
WildTangent {7f23e6e5-0e79-4aee-b723-b1463805d5a9} Medium 
WildTangent {8ecf83a0-1ac9-11d4-8501-00a0cc5d1f63} Medium 
WildTangent {a62fa99e-922e-4eca-a1d9-b54ef294a3cc} Medium 
WildTangent {ab29a544-d6b4-4e36-a1f8-d3e34fc7b00a} Medium 
WildTangent {b9ba256a-075b-49ea-b9e2-7dbc2ef021d5} Medium 
WildTangent {ecfbe6e0-1ac8-11d4-8501-00a0cc5d1f63} Medium 
WildTangent {fa13a9fa-ca9b-11d2-9780-00104b242ea3} Medium 
Zestyfind (Unknown Hijacker) {0494d0de-f8e0-41ad-92a3-14154ece70ac} Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\bin\jdriver.dll Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\bin\jDRM0302.dll Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\bin\wtdmmp.dll Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\bin\wtdmmpv.dll Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\lib\ext\DRM0302java.jar Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\lib\ext\wildtangent.jar Medium 
WildTangent C:\Program Files\Java\j2re1.4.2_03\lib\ext\wtdmmpi.jar Medium 
WildTangent C:\Program Files\WildTangent\Apps\CDA\CDAEngine0400.dll Medium 
WildTangent C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe Medium 
WildTangent C:\Program Files\WildTangent\Apps\CDA\wt.ico Medium 
WildTangent C:\Program Files\WildTangent\Apps\DRM0302.dll Medium 
WildTangent C:\Program Files\WildTangent\Apps\DRM0302java.jar Medium 
WildTangent C:\Program Files\WildTangent\Apps\rDRM0302.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtCache0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtDownloader0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtIO0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtKernel0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtLua0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtNetworking0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtPropertyBag0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtScript0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtSerialization0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtStreamProcessing0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtSystem0200.dll Medium 
WildTangent C:\Program Files\WildTangent\Components\wtXml0200.dll Medium 
WildTangent C:\WINDOWS\Downloaded Program Files\wtinst.inf Medium 
WildTangent C:\WINDOWS\wt\data.wts Medium 
WildTangent C:\WINDOWS\wt\updater\wcmdmgrl.exe Medium 
WildTangent C:\WINDOWS\wt\updater\wt.ini Medium 
WildTangent C:\WINDOWS\wt\webdriver.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\actorobject.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\dx5drv.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\dx7drv.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\objectbundle.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\sound.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wdcaps.ded Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wdengine.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\webdriver.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wthost.exe Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wthostctl.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wtmulti.jar Medium 
WildTangent C:\WINDOWS\wt\webdriver\4.1.1\wtwmplug.ini Medium 
WildTangent C:\WINDOWS\wt\webdriver\jdriver.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\rdriver.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\wildtangent.jar Medium 
WildTangent C:\WINDOWS\wt\webdriver\wtdmmp.dll Medium 
WildTangent C:\WINDOWS\wt\webdriver\wtdmmpi.jar Medium 
WildTangent C:\WINDOWS\wt\webdriver\wtdmmpv.dll Medium 
WildTangent C:\WINDOWS\wt\wt3d.dll Medium 
WildTangent C:\WINDOWS\wt\wt3d.ini Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\actorobject.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\dx5drv.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\dx7drv.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\jdriver.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\legacy\webdriver.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\legacy\wt3d.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\npWTHost.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\ObjectBundle.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\rdriver.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\Sound.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wdcaps.ded Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wdengine.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\webdriver.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wt3d.ini Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\WTHost.exe Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\WTHostCtl.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtmulti.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtvh.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\Webd\4.1.1\files\wtwmplug.ini Medium 
WildTangent C:\WINDOWS\wt\wtvh.dll Medium 
WildTangent C:\Program Files\Java\jre1.5.0_02\lib\ext\wildtangent.jar Medium 
WildTangent C:\Program Files\Java\jre1.5.0_02\lib\ext\wtdmmpi.jar Medium 
My Way C:\RECYCLER\S-1-5-21-3588848991-3528696865-2937950479-500\Dc1.CLASS Elevated 
WildTangent C:\WINDOWS\wt\updater\wcmdmgr.exe Medium 
WildTangent C:\WINDOWS\wt\wtupdates\DMMP\3.0.2.000\files\wtdmmp.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\DMMP\3.0.2.000\files\wtdmmpi.jar Medium 
WildTangent C:\WINDOWS\wt\wtupdates\DMMP\3.0.2.000\files\wtdmmpv.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\DRM0302.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\jDRM0302.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\DRM\3.2.0.19\files\rDRM0302.dll Medium 
WildTangent C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\nsIWTHostPlugin.xpt Medium 
WildTangent C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wildtangent.jar Medium 




Perhaps this might have a clue as to the problem. (I hope!)

Eric M


----------



## Cookiegal (Aug 27, 2003)

I don't believe you ever posted this information. Perhaps you forgot it?

Open HijackThis and click on the "Open the Misc Tools Section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here please.


I will get back to the Spyware Doctor log after I see the above report.


----------



## AbsentMindedProf (Aug 11, 2006)

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.7
Adobe Shockwave Player
AdwareX Eliminator
Age of Empires III
Agere Systems PCI Soft Modem
Aluria Protection Toolbar
Arovax Shield 1.3.15
Barbarian Invasion
CCScore
Civ3 Conquests v1.22 Full
Civilization III
Civilization III - Play the World v1.27F
Compaq Connections
Compaq Instant Support
Compaq Organize
CoreVorbis Audio Decoder (remove only)
Creative DVD Audio Plugin for Audigy Series
Cult
DirectX Media Runtime 5.2b
DivX
DivX Converter
DivX Converter
DivX Player
Easy Internet Sign-up
Eraser
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
ewido anti-spyware 4.0
FATE from Yahoo! (remove only)
File Recover 5.0
Filseclab Personal Firewall
Fox Movies
FreeUndelete
Geek Superhero
GetRight
Google Pack Screensaver
Google Updater
HAL
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
HLPIndex
HLPRFO
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Format SDK (KB910998)
Hotfix for Windows XP (KB896344)
hp deskjet 3600
hp deskjet 3600 series
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
ImageForge version 3.60
Internet Explorer Q903235
InterVideo WinDVD 5
InterVideo WinDVD Creator 2
iWheelWorks V7.64
J2SE Runtime Environment 5.0 Update 6
Keyhole 2 LT
Kodak EasyShare software
KSU
LeadTool
Macromedia Flash Player 8
Mad Caps
Maven
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office Standard Edition 2003
Microsoft Plus! Digital Media Edition
Microsoft Works 7.0
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
MSN
MSN Messenger 6.2
MSN Music Assistant
MSXML4 Parser
NoAdware v3.0
Notifier
OTtBP
OTtBPSDK
Panda ActiveScan
Panda ActiveScan Pro
Panda Antivirus 2007
PCDADDIN
PCDHELP
PCDrdsho
Personal License Update Wizard for Windows Media Player
PhotoShow LE
PIXresizer 1.0.8
Plus! MP3 Audio Converter LE
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken 2004
QuickTime
RealArcade
RealPlayer
Recover My Files
RoboWar 5 version 5.2.6
Rome - Total War
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
SeeMePlayMe Client
Seven Seas Deluxe 1.13
SFR
SFR2
SHASTA
SKIN0001
SKINXSDK
Spybot - Search & Destroy 1.3.1 TX
Spyware Doctor 3.0
SpywareBlaster v3.5.1
Steel Panthers World At War v8.20
Super SpongeBob Collapse!
T.H.U.G.S.
The Movies(TM)
The Movies(TM) Demo
TipTop Deluxe 1.1
Tradewinds Legends
TrueSwitch Wizard Verizon Yahoo
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
USB MassStorage CardReader
Verizon Online Help & Support
Verizon Yahoo! Applications
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
VPRINTOL
VX2 Cleaner plug-in for Ad-Aware SE
WildTangent Web Driver
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
WIRELESS


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and uninstall these:

*AdwareX Eliminator* (http://www.spywarewarrior.com/rogue_anti-spyware.htm)
*Aluria Protection Toolbar* (http://www.castlecops.com/o23list-1335.html)
*Notifier
WildTangent Web Driver
MyWay
WildTangent
FunWebProducts
MyWebSearch*

Then run Spyware Doctor again and post its new log please.


----------



## AbsentMindedProf (Aug 11, 2006)

Spyware Doctor Activity Report
Generated on 06-09-05 16:26:59 Spyware Doctor Homepage PC Tools Homepage Technical Support 


Scans (basic information only): 

Scan Results:
scan start: 06-09-05 16:27:50 
scan stop: 06-09-05 16:28:15 
scanned items: 1422 
found items: 0 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner 



Infection Name Location Risk 

Scan Results:
scan start: 06-09-05 16:28:43 
scan stop: 06-09-05 16:47:02 
scanned items: 254376 
found items: 22 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner 



Infection Name Location Risk 
Common Components Unrelated C:\WINDOWS\Debug\DCPROMO.LOG Medium 
Joltid P2P Networking HKCR\JCDE_Stack Elevated 
Joltid P2P Networking HKCR\JCDE_Stack## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer## Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet## Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet##Order Elevated 
Grokster HKCU\Software\Softwrap\Adtracker________ Medium 
Grokster HKCU\Software\Softwrap\Adtracker________## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2 Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2##cookie Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar##cookie Medium 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK## Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##Changed Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##SlowInfoCache Elevated 

Other Sections:

Copyright © 2003 PC Tools Research Pty Ltd. All rights reserved. Legal Notice


----------



## Cookiegal (Aug 27, 2003)

Go to Control Panel - Add/Remove programs and remove these if there:

*Grokster
P2P Networking
Instafinder*

Please download *Brute Force Uninstaller* to your desktop.
Right click the BFU folder on your desktop, and choose *Extract All*
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" (or whatever your primary drive is)
Click "Make New Folder"
Type in *BFU*
Click "Next", and *Un*check the "Show Extracted Files" box and then click "Finish".
*RIGHT-CLICK HERE* and choose "Save As" (in IE it's "Save Target As") in order to download Alcra *PLUS* Remover. 
*Save it in the same folder you made earlier (c:\BFU)*.

Do not do anything with this yet!

*Reboot your computer into Safe Mode.* You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking *BFU.exe*
Behind the *scriptline to execute* field click the folder icon and select *alcanshorty.bfu*
Press *Execute* and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the *complete script execution* box to pop up and press OK.
Press *exit* to terminate the BFU program.

While still in safe mode run Killbox on these files/folders:

*C:\ProgramFiles\INSTAFINK\instafink.dll 
C:\WINDOWS\Downloaded Program Files\instafin.dll 
C:\ProgramFiles\INSTAFIN\uninstall.exe*

Reboot into normal windows.

Rescan again with Spyware Doctor and post that report along with a new HijackThis log please.

*Reboot and post a new HijackThis log please.*


----------



## AbsentMindedProf (Aug 11, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 08:02, on 06-09-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Arovax Shield\ArovaxShield.exe
C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
C:\Program Files\Mouse\Amoumain.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
c:\program files\panda software\panda antivirus 2007\WebProxy.exe
C:\Downloads\HijackThis.exe
C:\Program Files\HP\hpcoretech\soln\HPOSM.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Arovax Shield] "C:\Program Files\Arovax Shield\ArovaxShield.exe" -tray
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Filseclab Messenger.lnk = ?
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Bug Swatter Options - {99FEA1A2-7881-11D1-A9E2-00403320FCF2} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Popup Slapdown Options - {A1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Phishing Net Options - {B1100DDB-B277-4CAA-A640-B299D79FE25E} - C:\Program Files\Geek Superhero\GeekSuperheroX.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F05A225-0F66-43DE-89E4-6FFD589C4F01} (OC web Installer) - http://www.aebn.net/ws/DownloadCoach/dc5/files/objectCubeInstall.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121164709156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133550979671
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB0474CC-8EF6-47FC-905B-23FC58A70817} (RegPropsCtrl Class) - http://download.verizon.net/sfp/Cabs/hst/webinstall/HstWebInstall.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: maven-8110 - {4F024AF2-3C77-4A18-9910-87E5DDC7B0D5} - C:\Program Files\foxmovies (2)\bin\bin-0\protocolHandler.dll
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\psimsvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Spyware Doctor Activity Report
Generated on 06-09-05 08:01:44

Scans (basic information only):

Scan Results:
scan start: 06-09-05 08:07:00 
scan stop: 06-09-05 08:23:17 
scanned items: 241249 
found items: 22 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk 
Common Components Unrelated C:\WINDOWS\Debug\DCPROMO.LOG Medium 
Joltid P2P Networking HKCR\JCDE_Stack Elevated 
Joltid P2P Networking HKCR\JCDE_Stack## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer## Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet## Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet##Order Elevated 
Grokster HKCU\Software\Softwrap\Adtracker________ Medium 
Grokster HKCU\Software\Softwrap\Adtracker________## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2 Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2##cookie Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar##cookie Medium 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK## Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##Changed Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##SlowInfoCache Elevated

Other Sections:



----------
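For anyone reading a HijackThis log like the one above by hand, the following is an added triage helper written for this write-up; it is not from the thread, from Cookiegal, or from the HijackThis tool. The sample log is constructed from the kinds of entries posted in this thread, and the rules it applies are the things a helper checks first: an autorun (O4) launching out of a Temp directory or through `..` traversal, an autorun given as a bare file name with no directory, and registered components whose file is reported missing. A flag means "look at this", not "this is malware"; the WheelMouse entry it flags, for instance, turned out in this thread to be the mouse driver.

```python
import re

# Constructed sample log (hypothetical as a whole), assembled from the kinds of entries
# HijackThis 1.99.1 printed in this thread: a browser start page (R0), autoruns (O4),
# a protocol handler (O18), a Winlogon Notify DLL (O20) and a service (O23).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon.yahoo.com/
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ABSENT~1\LOCALS~1\Temp\{BF1EEA46-53C3-4929-BDA2-AFA1C8FA8EE8}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [WheelMouse] Amoumain.exe
O18 - Protocol: mavencache - {DB47FDC2-8C38-4413-9C78-D1A68BF24EED} - C:\Program Files\Maven\protocolHandlers.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
"""

# "O4 - HKLM\..\Run: [name] command" -> section "O4", body "HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Split an O4 body into the autorun's value name and the command it launches.
RUN_RE = re.compile(r"^.*\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text):
    """Apply simple review rules; each finding is an entry plus the reasons it was flagged."""
    findings = []
    for section, body in parse_entries(text):
        reasons = []
        if section == "O4":
            m = RUN_RE.match(body)
            if m:
                cmd = m.group("cmd")
                if re.search(r"\\temp\\", cmd, re.IGNORECASE):
                    reasons.append("autorun launches from a Temp directory")
                if "\\..\\" in cmd:
                    reasons.append("autorun path uses '..' traversal")
                # No drive letter and no %VAR% means the name is resolved via the search path.
                if not re.search(r"(?i)[a-z]:\\|%[^%]+%", cmd):
                    reasons.append("autorun gives a bare file name; confirm where it resolves")
        if body.endswith("(file missing)"):
            reasons.append("registered component's file is missing (orphaned entry)")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "-", f["entry"])
        for r in f["reasons"]:
            print("    *", r)
```

Run it against a saved log by reading the file into `triage()` instead of `SAMPLE_LOG`; on the sample it flags the LanzarL2007 autorun twice (Temp directory and traversal), the bare `Amoumain.exe` name, and the two "(file missing)" entries, and leaves the Java updater and the WgaLogon DLL alone.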



## Cookiegal (Aug 27, 2003)

Did you reboot after doing the fix and before running Spyware Doctor?


----------



## AbsentMindedProf (Aug 11, 2006)

Yes I did. Should I run it again?

Eric M


----------



## Cookiegal (Aug 27, 2003)

Yes please.


----------



## AbsentMindedProf (Aug 11, 2006)

Spyware Doctor Activity Report
Generated on 06-09-07 09:04:20


Scans (basic information only): 

Scan Results:
scan start: 06-09-07 09:19:22 
scan stop: 06-09-07 09:38:42 
scanned items: 259213 
found items: 22 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner 



Infection Name Location Risk 
Common Components Unrelated C:\WINDOWS\Debug\DCPROMO.LOG Medium 
Joltid P2P Networking HKCR\JCDE_Stack Elevated 
Joltid P2P Networking HKCR\JCDE_Stack## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer## Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet## Elevated 
Altnet Software HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Altnet##Order Elevated 
Grokster HKCU\Software\Softwrap\Adtracker________ Medium 
Grokster HKCU\Software\Softwrap\Adtracker________## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2 Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\BraveDwarves2##cookie Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar## Medium 
Grokster HKCU\Software\Softwrap\Adtracker________\SeaWar##cookie Medium 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK## Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##Changed Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##SlowInfoCache Elevated 


Other Sections:


----------



## Cookiegal (Aug 27, 2003)

I'm attaching FixAbsent2.zip. Save it to your desktop. Unzip it and double click on the FixAbsent2.reg file and allow it to enter into the registry.

Reboot and post a new Spyware Doctor log please.


----------



## AbsentMindedProf (Aug 11, 2006)

Spyware Doctor Activity Report
Generated on 06-09-07 23:50:17


Scans (basic information only): 

Scan Results:
scan start: 06-09-07 23:54:37 
scan stop: 06-09-08 00:12:59 
scanned items: 242899 
found items: 5 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner 



Infection Name Location Risk 
Common Components Unrelated C:\WINDOWS\Debug\DCPROMO.LOG Medium 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK## Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##Changed Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##SlowInfoCache Elevated 


Other Sections:


----------



## Cookiegal (Aug 27, 2003)

Go to Start - Run - type in regedit and click OK to open the registry editor.

Expand the following keys and sub-keys by clicking on the + sign to their left:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows
CurrentVersion
App Management
ARPCache


Right click the INSTAFINK key and select "export". Save it to your desktop and call it Instafink.reg. Right click on Instafink.reg and select "open with" and choose "Notepad". Copy and paste the contents of Notepad here please.


----------



## AbsentMindedProf (Aug 11, 2006)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\1.5 (en-US)]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\1.5 (en-US)\Uninstall]
"Description"="Mozilla Firefox (1.5)"
"Uninstall Log Folder"="C:\\Program Files\\Mozilla Firefox\\uninstall"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird 1.0.2]

Eric M


----------



## Cookiegal (Aug 27, 2003)

That doesn't look right at all. Are you sure that is an export of the Instafink key?


----------



## AbsentMindedProf (Aug 11, 2006)

I didn't see anything called the 'instafink key'. Where should it be? I used the export found on the 'file' pull down menu.

Eric M


----------



## Cookiegal (Aug 27, 2003)

You were to right click the INSTAFINK key and select "export" after expanding all of these:

HKEY_LOCAL_MACHINE
SOFTWARE
Microsoft
Windows
CurrentVersion
App Management
ARPCache


So it should be listed under ARPCache (they are in alphabetical order).


----------



## AbsentMindedProf (Aug 11, 2006)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,c0,09,00,00,00,00,00,20,f7,7c,\
61,22,07,c6,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,4e,00,53,00,54,\
00,41,00,46,00,49,00,4e,00,4b,00,5c,00,49,00,6e,00,73,00,74,00,61,00,46,00,\
69,00,6e,00,64,00,65,00,72,00,4b,00,5f,00,69,00,6e,00,73,00,74,00,2e,00,65,\
00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00
"Changed"=dword:00000000


----------
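For readers wondering what the SlowInfoCache blob in the export above actually holds: the following is an added example written for this write-up, not code from the thread or from PC Tools. It parses the `hex:` and `dword:` values of a .reg export (joining the backslash-continued lines regedit writes) and decodes the blob into its fields. The field layout used (size, has-name flag, install size, FILETIME last-used, run frequency, then a NUL-terminated UTF-16LE path to the program's executable, zero-padded to the declared size) is an assumption that fits the bytes posted; the embedded sample is the posted key with its first six hex lines, the trailing all-zero lines left out, so the decoder has to report the blob as shorter than its own header claims.

```python
import re
import struct
from datetime import datetime, timedelta

# Constructed .reg text: the key and the first six hex lines are the ones posted above;
# the remaining all-zero continuation lines are left out, so the blob is shorter than
# the size its own header declares and the decoder has to cope with that.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,c0,09,00,00,00,00,00,20,f7,7c,\
61,22,07,c6,01,00,00,00,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,\
61,00,6d,00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,49,00,4e,00,53,00,54,\
00,41,00,46,00,49,00,4e,00,4b,00,5c,00,49,00,6e,00,73,00,74,00,61,00,46,00,\
69,00,6e,00,64,00,65,00,72,00,4b,00,5f,00,69,00,6e,00,73,00,74,00,2e,00,65,\
00,78,00,65,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"Changed"=dword:00000000
'''

HEX_VALUE_RE = re.compile(r'^"([^"]+)"=hex:([0-9a-fA-F,]*)$')
DWORD_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_values(text):
    """Return {key: {value_name: bytes | int}} for the hex: and dword: values of a .reg export.
    regedit wraps long hex lists with a trailing backslash; those lines are joined first."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    result, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        if key is None:
            continue
        m = HEX_VALUE_RE.match(line)
        if m:
            result[key][m.group(1)] = bytes(int(b, 16) for b in m.group(2).split(",") if b)
            continue
        m = DWORD_VALUE_RE.match(line)
        if m:
            result[key][m.group(1)] = int(m.group(2), 16)
    return result


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def decode_slow_info_cache(blob):
    """Decode an ARPCache SlowInfoCache blob.

    Layout assumed here (it fits the bytes posted in the thread): DWORD cbSize, DWORD HasName,
    QWORD InstallSize, FILETIME LastUsed, DWORD Frequency, then a NUL-terminated UTF-16LE
    path to the program's executable, zero-padded to the declared size."""
    header = struct.Struct("<IIQQI")
    if len(blob) < header.size:
        raise ValueError("blob shorter than the %d-byte fixed header" % header.size)
    cb_size, has_name, install_size, last_used, frequency = header.unpack_from(blob, 0)
    raw = blob[header.size:]
    # Stop at the first UTF-16 code unit that is NUL, checked on even offsets so that a
    # zero high byte followed by the next character's zero low byte is not mistaken for it.
    name_end = len(raw) - (len(raw) % 2)
    for i in range(0, name_end, 2):
        if raw[i:i + 2] == b"\x00\x00":
            name_end = i
            break
    return {
        "declared_size": cb_size,
        "bytes_present": len(blob),
        "truncated": len(blob) < cb_size,
        "has_name": bool(has_name),
        "install_size": install_size,
        "last_used": filetime_to_datetime(last_used),
        "frequency": frequency,
        "path": raw[:name_end].decode("utf-16-le"),
    }


if __name__ == "__main__":
    for key, vals in parse_reg_values(SAMPLE_REG).items():
        print(key)
        if "SlowInfoCache" in vals:
            for field, value in decode_slow_info_cache(vals["SlowInfoCache"]).items():
                print("   ", field, "=", value)
```

On the posted bytes the declared size is 552 (0x228), the install size is 0x9c000 bytes, the last-used FILETIME falls in December 2005, and the path decodes to `C:\Program Files\INSTAFINK\InstaFinderK_inst.exe`, which is the executable the Add/Remove Programs cache still pointed at after the program itself was gone. That is the useful defender's takeaway from a value like this: the cache entry names where the software lived, so it is a lead for checking the file system, not evidence that anything is still running.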



## AbsentMindedProf (Aug 11, 2006)

Things have now gone from bad to worse. Now when I try to regain control of the cursor, either by going into standby mode and out, moving the mouse around rapidly, or restarting the pc, I only regain control for a few seconds to a minute. Also the cursor is now moving the taskbar to the top of the monitor screen as well as to the sides. 

Eric M


----------



## Cookiegal (Aug 27, 2003)

Right click on the INSTAFINK key and delete it, but *be careful not to delete the ARPCache key!*

Reboot and post a new HijackThis log along with another scan log by Spyware Doctor please.


----------



## AbsentMindedProf (Aug 11, 2006)

Spyware Doctor Activity Report
Generated on 06-09-13 13:51:06

Scans (basic information only):

Scan Results:
scan start: 06-09-13 13:53:38
scan stop: 06-09-13 14:12:29
scanned items: 241143
found items: 1
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner

Infection Name Location Risk
Common Components Unrelated C:\WINDOWS\Debug\DCPROMO.LOG Medium

Other Sections:


----------



## Cookiegal (Aug 27, 2003)

Please run Spyware Doctor again. That came out as a bunch of gibberish.


----------



## AbsentMindedProf (Aug 11, 2006)

Spyware Doctor Activity Report
Generated on 06-09-13 18:58:56


Scans (basic information only): 

Scan Results:
scan start: 06-09-13 19:10:12 
scan stop: 06-09-13 19:28:14 
scanned items: 241205 
found items: 1 
found and ignored: 0 
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner 



Infection Name Location Risk 
Common Components Unrelated C:\WINDOWS\Debug\DCPROMO.LOG Medium 


Other Sections:


----------



## Cookiegal (Aug 27, 2003)

That's much better than the previous scans.

Boot to safe mode and locate and delete this file:

C:\WINDOWS\Debug\*DCPROMO.LOG*

How are things running now?


----------



## AbsentMindedProf (Aug 11, 2006)

I'm still losing control of the cursor. 

Eric M


----------



## Cookiegal (Aug 27, 2003)

I know you ran this on-line scanner before but didn't post the log so please do this:

Please go *HERE* to run Panda's ActiveScan
Once you are on the Panda site click the *Scan your PC* button
A new window will open...click the *Check Now* button
Enter your *Country*
Enter your *State/Province*
Enter your *e-mail address* and click *send*
Select either *Home User* or *Company*
Click the big *Scan Now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on *My Computer* to start the scan
When the scan completes, if anything malicious is detected, click the *See Report* button, *then Save Report* and save it to a convenient location. Post the contents of the ActiveScan report


----------



## AbsentMindedProf (Aug 11, 2006)

My pc may just be fixed this time! I bought a new ps/2 mechanical mouse at Radio Shack, uninstalled the resident drivers, then installed the drivers from the new mouse's disk. Now the mouse seems to be working just fine. (I've run Panda ActiveScan Pro, and it comes up empty.) Keep your fingers crossed. I'll post tomorrow morning and let you know if things are still hunky-dory.

Thank you again for all the help!

Eric M


----------



## Cookiegal (Aug 27, 2003)

Thanks. I was sure it was the mouse. Keep me posted. :up:


----------

