Author Topic: Bloodhound  (Read 1463 times)

Offline Heather

Bloodhound
« on: April 23, 2006, 07:19:27 PM »
Hi, sure hope someone can help,
I am currently running in safe mode because I cannot boot in regular mode; I get an error message of application failure with a code of (0cx0000022).
Here's what happened: I was running Norton 2004 SystemWorks and firewall, and Webroot Spy Sweeper, fine, but figured they were both outdated and should have newer protection.
At Staples the comp guy suggested McAfee instead, said he cleaned out more stuff with it, so I bought it (STUPID!!!). I planned on downloading the current Spy Sweeper online.
Came home and disconnected DSL, uninstalled Norton, uninstalled Webroot (not sure why, guess I figured possible conflict or something?), installed McAfee, re-installed Webroot and went online to get the current Webroot. Immediately was hit with a blue screen saying spyware is outdated and to click a link to download the solution; also had a Windows balloon popping up from the toolbar every 5 seconds telling me to click to solve the problem. I noticed a new button on the toolbar that wasn't there before and immediately thought all of it was spyware. I attempted to go online to get the latest Webroot for a solution but was locked out of IE. I was able to get on thru MSN and download the new version. Ran it and it cleared 8 items; however, I still couldn't get my display back, totally locked out of display functions.
I disconnected from DSL again, uninstalled McAfee, re-installed Norton SystemWorks, and in the process it picked up "Bloodhound.W32.EP" located in C:\Windows\system32\wininet.dll.
I chose yes to remove; it completed installation and asked to re-boot. I did; it gave an error message to the effect that the item could not be accessed to be removed and proceeded to re-boot. I tried to log on to my screen (the only one) and got the error message cited above (application failure).
I contacted Windows support and spent 2 hours following instructions and trying different solutions, i.e., permissions, XP scan with installation disk, and several other things I barely remember. Anyway, the guy at Windows said he cannot help me remove Bloodhound till I have my desktop back, and I cannot get the desktop back till the freakin Bloodhound is gone.
So my questions are: can you help?
Can I safely run hijack in safe mode?
Am I totally screwed?
Thanks for being willing to read this far.
Heather :(

Offline guestolo

Bloodhound
« Reply #1 on: April 23, 2006, 08:31:41 PM »
Please download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the contents of that report into your next reply.
« Last Edit: April 23, 2006, 08:47:55 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Heather

Bloodhound
« Reply #2 on: April 23, 2006, 08:58:49 PM »
I downloaded as directed; when I tried to open it to run, this is the message I got:
C:\WINDOWS\system32\cmd.exe
SmitFraudFix v2.34
Fichier Process.exe absent!
Process.exe file missing! unzip all the archive in a folder.
Press any key to continue


At this point I press a key and the window disappears.

Hold up, stupid me didn't extract the folder at first, please stand by.

OK, here it is. BTW, thanks a million for being here.

SmitFraudFix v2.34

Scan done at 18:57:19.40, Sun 04/23/2006
Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\country.exe FOUND !
C:\kl1.exe FOUND !
C:\ms1.exe FOUND !
C:\tool1.exe FOUND !
C:\tool3.exe FOUND !
C:\tool4.exe FOUND !
C:\tool5.exe FOUND !
C:\toolbar.exe FOUND !
C:\uniq FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\paytime.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data

C:\Documents and Settings\Heather\Application Data\Install.dat FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\heather\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\paytime.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

C:\WINDOWS\system32\wininet.dll infected !

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup

 Volume in drive C has no label.
 Volume Serial Number is E0AF-89FE

 Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE

09/29/2004  11:27 AM           656,896 wininet.dll
               1 File(s)        656,896 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE

01/27/2005  10:08 AM           657,920 wininet.dll
               1 File(s)        657,920 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE

05/02/2005  01:57 PM           658,944 wininet.dll
               1 File(s)        658,944 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE

03/10/2005  12:43 AM           657,920 wininet.dll
               1 File(s)        657,920 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE

09/02/2005  04:53 PM           660,480 wininet.dll
               1 File(s)        660,480 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE

07/02/2005  07:09 PM           659,456 wininet.dll
               1 File(s)        659,456 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE

10/20/2005  08:38 PM           661,504 wininet.dll
               1 File(s)        661,504 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB912812\SP2QFE

03/03/2006  08:58 PM           663,552 wininet.dll
               1 File(s)        663,552 bytes

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/23/2004  08:32 PM           589,312 wininet.dll
               1 File(s)        589,312 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004  12:56 AM           656,384 wininet.dll
               1 File(s)        656,384 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2gdr

03/03/2006  08:33 PM           658,432 wininet.dll
               1 File(s)        658,432 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2qfe

03/03/2006  08:58 PM           663,552 wininet.dll
               1 File(s)        663,552 bytes

 Directory of C:\WINDOWS\SYSTEM32

03/03/2006  08:33 PM           658,432 wininet.dll
               1 File(s)        658,432 bytes

»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

Bloodhound
« Reply #3 on: April 23, 2006, 09:06:25 PM »
Inside the Smitfraudfix folder should be 7 files

reboot.exe
restart.exe
SmitfraudFix.Cmd
SrchSTS.exe
swreg.exe
swsc.exe
Process.exe


If one of those is missing it won't work correctly.
Take a look inside the folder.
Note: if your AV is pegging it as a bad guy it may be removing the file.
It is not malware; allow this file, don't remove process.exe.

EDIT>>I see you figured it out
I'll be back with more instructions in a bit
Let me look over the files

Quote
I contacted Windows support and spent 2 hours following instructions and trying different solutions, i.e., permissions, XP scan with installation disk, and several other things I barely remember. Anyway, the guy at Windows said he cannot help me remove Bloodhound till I have my desktop back, and I cannot get the desktop back till the freakin Bloodhound is gone.

Don't worry about contacting if we get your desktop back
We should get you clean if everything goes alright

In SAFE MODE
open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process.  A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

If the tool requires you to reboot, please reboot back to Normal mode.

Please post the contents of the SmitfraudFix log located at C:\rapport.txt
and a HijackThis log.
« Last Edit: April 23, 2006, 09:00:39 PM by guestolo »



Offline Heather

Bloodhound
« Reply #4 on: April 23, 2006, 09:20:05 PM »
OK, it went so far as the registry cleaning option and I did Y, Enter as instructed; the desktop (in safe mode) went away but nothing else is happening.
Don't know how long this part should take.

Offline guestolo

Bloodhound
« Reply #5 on: April 23, 2006, 09:26:02 PM »
Can you attempt to reboot into Normal mode
and post the logs

When you were doing the cleaning instructions with SmitfraudFix did you have all browser windows closed on the machine?
It's a must!



Offline Heather

Bloodhound
« Reply #6 on: April 23, 2006, 11:22:59 PM »
Sorry, had to step away.
I did run it again with browser windows closed, same result.
I tried to re-boot in normal mode, same error;
it reads "Application Failed to initialize properly (0cx0000022) click on OK to terminate".
There were no logs with the fraudfix other than the first one.

Ran search again; here are the results:

SmitFraudFix v2.34

Scan done at 21:18:17.59, Sun 04/23/2006
Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\heather\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

C:\WINDOWS\system32\wininet.dll infected !

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup

 Volume in drive C has no label.
 Volume Serial Number is E0AF-89FE

 Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE

09/29/2004  11:27 AM           656,896 wininet.dll
               1 File(s)        656,896 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE

01/27/2005  10:08 AM           657,920 wininet.dll
               1 File(s)        657,920 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE

05/02/2005  01:57 PM           658,944 wininet.dll
               1 File(s)        658,944 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE

03/10/2005  12:43 AM           657,920 wininet.dll
               1 File(s)        657,920 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE

09/02/2005  04:53 PM           660,480 wininet.dll
               1 File(s)        660,480 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE

07/02/2005  07:09 PM           659,456 wininet.dll
               1 File(s)        659,456 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE

10/20/2005  08:38 PM           661,504 wininet.dll
               1 File(s)        661,504 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB912812\SP2QFE

03/03/2006  08:58 PM           663,552 wininet.dll
               1 File(s)        663,552 bytes

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/23/2004  08:32 PM           589,312 wininet.dll
               1 File(s)        589,312 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004  12:56 AM           656,384 wininet.dll
               1 File(s)        656,384 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2gdr

03/03/2006  08:33 PM           658,432 wininet.dll
               1 File(s)        658,432 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2qfe

03/03/2006  08:58 PM           663,552 wininet.dll
               1 File(s)        663,552 bytes

 Directory of C:\WINDOWS\SYSTEM32

03/03/2006  08:33 PM           658,432 wininet.dll
               1 File(s)        658,432 bytes

»»»»»»»»»»»»»»»»»»»»»»»» End

Offline guestolo

Bloodhound
« Reply #7 on: April 23, 2006, 11:23:41 PM »
OK, I need to see some logs
EDIT>>I see you posted the updated log
I want you to try the below fix
Then we'll see what things look like

Let's try the following
Download smitRem.exe (© noahdfear), and save the file to your desktop.
Double-click on the smitRem.exe file to extract it to its own folder on the desktop.




In safe mode
================================================

Open the SmitRem folder located on the desktop


Double-click on the RunThis.bat file, as shown by the arrow in the image above, to start the tool.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
I'll need to see it later

Reboot back to Normal mode
Does that help you out?

Post the following
Whether it is from normal or safe mode
1. Post a fresh hijackthis log
2. Post the log created from Smitrem>>C:\Smitfiles.txt

Are you sure that SmitfraudFix didn't produce a log?
When you're looking for the Smitfiles.txt,
also look for the rapport.txt in the C:\ folder.

Open MyComputer and double click to open C: drive
« Last Edit: April 24, 2006, 12:55:55 AM by guestolo »



Offline Heather

Bloodhound
« Reply #8 on: April 23, 2006, 11:30:01 PM »
Would you kindly re-post the website? I seem to be having trouble getting there.

Offline guestolo

Bloodhound
« Reply #9 on: April 23, 2006, 11:30:55 PM »
I reposted in my last reply, see if that helps
If not post back please



Offline Heather

Bloodhound
« Reply #10 on: April 23, 2006, 11:37:56 PM »
Got it in, got the self-extractor to open; however, there is no folder on the desktop, only the self-extracting archive.

It seems as though I can choose the option from the menu in the archive.

Offline guestolo

Bloodhound
« Reply #11 on: April 23, 2006, 11:38:30 PM »
Double click on SmitRem.exe
and when you get to the Self Extracting Archive
Click START to extract the folder to desktop

EDIT>>>You MUST have all the files extracted to that folder for the fix to work.
DO NOT assume you can run RunThis.bat by itself.
« Last Edit: April 23, 2006, 11:45:43 PM by guestolo »



Offline Heather

Bloodhound
« Reply #12 on: April 23, 2006, 11:56:04 PM »
OK, I'm back. I am in normal mode (BLESS YOU!!!). I need to download and run HijackThis to get you the log; in the meantime, here are the other logs requested.


   smitRem © log file
     version 2.8

     by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 04/23/2006
The current time is: 21:43:42.93

Running from
C:\Documents and Settings\Heather\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 checking for ShudderLTD key

ShudderLTD key not present!

 checking for PSGuard.com key


PSGuard.com key not present!


 checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Existing Pre-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~


 ~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1356 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Remaining Post-run Files


 ~~~ Program Files ~~~



 ~~~ Shortcuts ~~~



 ~~~ Favorites ~~~



 ~~~ system32 folder ~~~



 ~~~ Icons in System32 ~~~



 ~~~ Windows directory ~~~



 ~~~ Drive root ~~~



 ~~~ Miscellaneous Files/folders ~~~


 ~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :( Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ C:\WINDOWS\$hf_mig$\KB890923\SP2QFE Present! ~~~~


~~~~ Checking KB890923\SP2QFE\wininet.dll for infection ~~~~


~~~~ KB890923\SP2QFE Clean! ~~~~

 ~~~ Replaced wininet.dll from KB890923\SP2QFE ~~~



 ~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


 ~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~







SmitFraudFix v2.34

Scan done at 21:18:17.59, Sun 04/23/2006
Run from C:\Documents and Settings\Heather\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Heather\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\heather\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"

[HKEY_CLASSES_ROOT\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_CLASSES_ROOT\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

C:\WINDOWS\system32\wininet.dll infected !

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup

 Volume in drive C has no label.
 Volume Serial Number is E0AF-89FE

 Directory of C:\WINDOWS\$hf_mig$\KB834707\SP2QFE

09/29/2004  11:27 AM           656,896 wininet.dll
               1 File(s)        656,896 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB867282\SP2QFE

01/27/2005  10:08 AM           657,920 wininet.dll
               1 File(s)        657,920 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB883939\SP2QFE

05/02/2005  01:57 PM           658,944 wininet.dll
               1 File(s)        658,944 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB890923\SP2QFE

03/10/2005  12:43 AM           657,920 wininet.dll
               1 File(s)        657,920 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB896688\SP2QFE

09/02/2005  04:53 PM           660,480 wininet.dll
               1 File(s)        660,480 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB896727\SP2QFE

07/02/2005  07:09 PM           659,456 wininet.dll
               1 File(s)        659,456 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB905915\SP2QFE

10/20/2005  08:38 PM           661,504 wininet.dll
               1 File(s)        661,504 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB912812\SP2QFE

03/03/2006  08:58 PM           663,552 wininet.dll
               1 File(s)        663,552 bytes

 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/23/2004  08:32 PM           589,312 wininet.dll
               1 File(s)        589,312 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

08/04/2004  12:56 AM           656,384 wininet.dll
               1 File(s)        656,384 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2gdr

03/03/2006  08:33 PM           658,432 wininet.dll
               1 File(s)        658,432 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\deacd5ed46f67b73e81aaf6e4e9180ec\sp2qfe

03/03/2006  08:58 PM           663,552 wininet.dll
               1 File(s)        663,552 bytes

 Directory of C:\WINDOWS\SYSTEM32

03/03/2006  08:33 PM           658,432 wininet.dll
               1 File(s)        658,432 bytes

»»»»»»»»»»»»»»»»»»»»»»»» End
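The cleaning steps in Reply #3 and the smitRem log in this post both come down to the same integrity check: hash the live system32\wininet.dll, compare it with the patch-archive backups ($hf_mig$\KB...\SP2QFE, dllcache), and only swap in a backup that is itself verified clean, keeping the original as wininet.old. The script below is an added, editor-written example of that check; it is not code from the thread, SmitfraudFix or smitRem. The directory layout follows the log, but every file body, timestamp and "known-good" hash is constructed in a temporary directory, so it runs offline and touches no real system file.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Editor-added example (hypothetical, not part of SmitfraudFix or smitRem).
# Directory names follow the log above ($hf_mig$\KB...\SP2QFE, dllcache);
# every file body, timestamp and "known-good" hash below is constructed.


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, name: str = "wininet.dll") -> list:
    """Locate every copy of `name` under `root`, like the log's backup listing."""
    return sorted(p for p in root.rglob(name) if p.is_file())


def audit(live: Path, backups: list, known_good: set) -> dict:
    """Classify the live DLL and each backup against the known-good hash set."""
    report = {"live_clean": sha256_of(live) in known_good, "clean_backups": [], "suspect": []}
    for b in backups:
        key = "clean_backups" if sha256_of(b) in known_good else "suspect"
        report[key].append(b)
    return report


def pick_replacement(clean_backups: list, preferred_dir: str = "dllcache") -> Path:
    """Prefer the dllcache copy (as smitRem does), else the newest clean patch copy."""
    for b in clean_backups:
        if b.parent.name == preferred_dir:
            return b
    return max(clean_backups, key=lambda p: p.stat().st_mtime)


def replace_from_backup(live: Path, candidate: Path) -> Path:
    """Swap in `candidate`, keeping the original as wininet.old as the log shows."""
    old = live.with_suffix(".old")
    shutil.copy2(live, old)
    shutil.copy2(candidate, live)
    return old


def demo() -> dict:
    """Build a constructed tree with a tampered live copy, audit it, and repair it."""
    root = Path(tempfile.mkdtemp(prefix="wininet_audit_"))
    clean_v1 = b"MZ" + b"\0" * 64 + b"constructed clean build 1"
    clean_v2 = b"MZ" + b"\0" * 64 + b"constructed clean build 2"
    tampered = clean_v2 + b"constructed injected bytes"   # live copy matches no trusted build
    layout = {   # relative path -> (bytes, constructed mtime)
        "WINDOWS/system32/wininet.dll": (tampered, 1_300_000_000),
        "WINDOWS/$hf_mig$/KB890923/SP2QFE/wininet.dll": (clean_v1, 1_100_000_000),
        "WINDOWS/$hf_mig$/KB912812/SP2QFE/wininet.dll": (clean_v2, 1_200_000_000),
    }
    for rel, (data, mtime) in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
    known_good = {hashlib.sha256(clean_v1).hexdigest(), hashlib.sha256(clean_v2).hexdigest()}
    live = root / "WINDOWS" / "system32" / "wininet.dll"
    report = audit(live, [p for p in find_copies(root) if p != live], known_good)
    report["replacement"] = None
    if not report["live_clean"] and report["clean_backups"]:
        report["replacement"] = pick_replacement(report["clean_backups"])
        replace_from_backup(live, report["replacement"])
    report["live_clean_after"] = sha256_of(live) in known_good
    report["root"] = root
    return report


if __name__ == "__main__":
    r = demo()
    print("live clean before:", r["live_clean"], "after:", r["live_clean_after"])
    print("replacement taken from:", r["replacement"])
```

The design point worth noting: a backup is trusted only because its hash is in the known-good set, not because it sits in a patch directory, which is why the smitRem log checks "KB890923\SP2QFE\wininet.dll for infection" before replacing. A real run would take the known-good hashes from the vendor's catalog rather than from constructed data.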

Offline guestolo

Bloodhound
« Reply #13 on: April 24, 2006, 12:02:39 AM »
Post the HijackThis log when you can; we still have some cleaning to do.



Offline Heather

Bloodhound
« Reply #14 on: April 24, 2006, 12:02:50 AM »
Logfile of HijackThis v1.99.1
Scan saved at 10:00:42 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Bloodhound
« Reply #15 on: April 24, 2006, 12:39:21 AM »
Can you do the following to be sure that SpySweeper will not interfere please
Open SpySweeper
Click: Options (left side)
Go to: Program Options
Uncheck: Load at windows startup
Click: Shields (left side), and uncheck all the items there
Uncheck: Home Page Shield
Uncheck: Automatically Restore Default Without Notification

Close SpySweeper

==Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" UNCHECK
 
    "Install background guard"
     "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work
Can you review the page to help with the Updater from this link
http://www.ewido.net/en/support/?AID=26

Reboot back to Safe mode
=Open Ewido anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
    Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
NOTE: When Ewido is running, don't open any other Windows

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab


After you have ticked the above entries, close all other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode and post a fresh hijackthis log
Also post the whole report from Ewido's please
Let me know how everything's running

Do you plan on removing Norton's as it appears it's expired
and installing McAfee's?
Let me know that too, one problem is that Norton's was probably out of date
and instead of disinfecting wininet.dll, it deleted it
« Last Edit: April 24, 2006, 01:05:44 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
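To show how a fix list like the one above is derived from a HijackThis log, here is an added Python example (my own code, not from the thread, HijackThis or Ewido). It applies a small set of rules that reproduce the helper's selection: O2 BHO entries whose file is gone are orphaned registry keys, any O6 entry means an Internet Explorer Control Panel policy restriction is present, O16 downloaded ActiveX controls are flagged unless their host is on an allowlist, and O4 startup items are flagged by a name watchlist. The sample log lines are copied from the log posted earlier in the thread; the allowlist, the watchlist and the rule set itself are this example's own assumptions, not something HijackThis ships.

```python
"""Rule-based triage of HijackThis log lines (added example, not from the thread).

Rules are assumptions modelled on the helper's fix list above:
  * O2  - BHO entries ending in "(no file)" are orphaned registry keys
  * O4  - startup items are flagged when their name is on a watchlist
  * O6  - any entry means an IE Control Panel policy restriction is in place
  * O16 - downloaded ActiveX controls (DPF) are flagged unless the host is trusted
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted earlier in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
""".strip()

# Assumption: hosts whose ActiveX controls the user installed on purpose.
# A real allowlist comes from the user's own history, not from a fixed list.
TRUSTED_DPF_HOSTS = ("symantec.com", "microsoft.com", "mcafee.com")
# Assumption: startup items worth flagging by name; "PowerReg Scheduler" is the
# registration-reminder entry the helper asked to fix above.
STARTUP_WATCHLIST = ("powerreg scheduler",)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O2"
    reason: str   # why the entry was selected
    line: str     # the log line exactly as HijackThis printed it


_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<where>[^:]+): (?P<item>.*)$")
_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")


def _host_trusted(url: str) -> bool:
    """True when the download host is, or is a subdomain of, a trusted host."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask the user to tick, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := _O2.match(line):
            # The registry still references a BHO whose DLL is gone from disk.
            if m["path"].strip().lower() == "(no file)":
                findings.append(Finding("O2", "orphaned BHO entry, file missing", line))
        elif m := _O4.match(line):
            if any(w in m["item"].lower() for w in STARTUP_WATCHLIST):
                findings.append(Finding("O4", "startup item on watchlist", line))
        elif line.startswith("O6 - "):
            findings.append(Finding("O6", "IE Control Panel restricted by policy", line))
        elif m := _O16.match(line):
            if not _host_trusted(m["url"]):
                findings.append(Finding("O16", "downloaded ActiveX control from untrusted host", line))
    return findings


def fix_list(log_text: str) -> list[str]:
    """Just the raw lines, ready to paste as a 'put a check next to these' list."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

The O2 and O6 rules are mechanical: a BHO with no file cannot run and its key is only clutter, and an O6 entry is always a policy someone set. The O4 and O16 rules depend on lists the analyst maintains, which is why the helper left the other game-site controls in the log alone and only picked out the ones worth questioning.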


Offline Heather

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
Bloodhound
« Reply #16 on: April 24, 2006, 01:47:29 AM »
in spysweeper under shields there are 5 sub folders
IE shields (contains IE Favorites and IE security)
Host file shields
Windows system shields (contains memory, spy installation, active x, spy communication, ADS execution shield and Windows messenger service shield)
Start up shield (this one has a caution)
Browser add on shield (this one has a caution)

I don't see an option for "Automatically Restore Default Without Notification"
I unchecked home page shield and a few others unchecked with it.
I unchecked load at windows startup

sorry to be dense, I just don't want to mess this up.
please advise further on spysweeper so that I may proceed to next steps.

as for Norton and McAfee, I figured I'd go ahead and keep the Norton and buy the update unless you have a better thought. The McAfee is only antivirus and I didn't seem to have any of these problems till I put it in.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Bloodhound
« Reply #17 on: April 24, 2006, 08:38:43 AM »
Can you carry on with the remainder of the instructions please



Offline Heather

  • Jr. Member
  • **
  • Posts: 81
  • Karma: +0/-0
Bloodhound
« Reply #18 on: April 24, 2006, 12:00:53 PM »
---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:         2:34:05 AM, 4/24/2006
 + Report-Checksum:      29406E07

 + Scan result:

   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@a-1shz2prbmdj6wvny-1sez2pra2dj6wjk4uoczchow-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sdzieoqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Counted : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@com[2].txt -> TrackingCookie.Com : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@qksrv[1].txt -> TrackingCookie.Qksrv : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiulc5aaqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4kiazsaqamdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4umczaaqaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkockcpmhqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyajdjslqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyalajicpgqdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyemcpacpgidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykkazcfoqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysgcjmlqawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjl4cpc5mdoawdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlieiajwfpg6dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmiohd5aeow6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmyond5mbpgidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyckdjagqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycmdzcdpqydj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyelcpkdogudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Application Data\Earthlink\6.0\[email protected]\Cookies\heather@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyogcpgfpgsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\heather@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\heather@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\heather@com[1].txt -> TrackingCookie.Com : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\heather@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\heather@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> TrackingCookie.Tracking101 : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\heather@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
   C:\Documents and Settings\Heather\Cookies\[email protected][2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@a-1shz2prbmdj6wvny-1sez2pra2dj6wjkykgdjelqa-1dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> TrackingCookie.Masterstats : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@roispy[1].txt -> TrackingCookie.Roispy : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkisgdzkcow2dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiulc5aaqqudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkoanczcdqqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkysmc5cbpgsdj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyuocpiaoqidj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4wpd5egogidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkouhczsaqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyaicpihpqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyendpiepwudj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkygnczmaqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkykhdpsbowydj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysmdpehpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyujcjocpgwdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlickcjmlqq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlikhdjwhpw6dj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyckajefqq2dj6x9ny-1seq-2-2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycocjoepwsdj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygic5aaqqydj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Documents and Settings\Tim\Cookies\tim@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyshdzklpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
   C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll -> Trojan.Sinowal.k : Cleaned with backup
   C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe -> Trojan.Sinowal.k : Cleaned with backup
   C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.i : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119803.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119804.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119805.dll -> Trojan.Sinowal.i : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119806.dll -> Trojan.Sinowal.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119807.exe -> Trojan.Sinowal.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119808.exe -> Trojan.Sinowal.k : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119810.exe -> Trojan.Small.ev : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0119957.exe -> Trojan.Small.ev : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0120983.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735\A0120984.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737\A0142275.exe -> Trojan.Sinowal.k : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup


::Report End





Logfile of HijackThis v1.99.1
Scan saved at 10:00:42 PM, on 4/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.gamehouse.com/games/tumblebugs/axhost.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.Email Removed/downloads/aol/unagi/ampx_en_dl.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Offline Heather

Bloodhound
« Reply #19 on: April 24, 2006, 12:48:09 PM »
I'm seeing a new alert pop up from my toolbar. It looks like a Windows-generated item; however, I'm suspicious. It says:

Updating your computer is almost complete. You must restart your computer for
the updates to take effect.

Do you want to restart your computer now?

Then there are options for "Restart Now" and "Restart Later". I cannot exit it without hitting "Restart Later", and it won't fall behind any other windows.
The icon in the toolbar associated with it is a yellow shield with an exclamation point.
I will not restart; I will wait for your next instructions.