
Hi - I am trying to remove annoying IE pop-up pages from my niece's computer. They have 3 teenage children and I guess one of them visited a page that loaded this nasty to their computer. I have spent the last 2 days running all kinds of anti-virus/anti-malware/spyware programs to try and clear this up (as suggested by PhilliePhan). I have even disabled IE from the computer and the pages still pop-up. One program that shows up in the start-up (and I have disabled it in msconfig) is Part Okay.exe but I cannot remove it as it says that it is in use by another program and cannot be deleted.

The programs that I have run are:
ATF-Cleaner.exe by Atribune
Microsoft® Windows® Malicious Software Removal Tool
Malwarebytes' Anti-Malware (MBA-M)
ESET Online Scanner
Uninstall List from HijackThis

I did not do the Deckard's System Scanner as there was an advisory not to use it until there was a problem cleared up.

I am attaching the 4 logs which I have noted from the scans above.

Thank You for any help you can give me with this problem.
Ecila5200

Sorry, does it only take 3 attachments? Seems like I cannot upload the HijackThis log.

Attachments (ESET Online Scanner log, Malwarebytes' Anti-Malware log, and the HijackThis uninstall list)
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3517 (20081013)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=b4d2568baca9ec48802957007dae7a2c
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-10-13 04:01:28
# local_time=2008-10-13 01:31:28 (-03-30, Newfoundland Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=329930
# found=1
# scan_time=3671
C:\Documents and Settings\Acer\My Documents\LimeWire\Saved\Adele - Tired.mp3	a variant of WMA/TrojanDownloader.GetCodec.gen trojan	3B35E5CADDBB84E255FF8534F078A0ED

Malwarebytes' Anti-Malware 1.28
Database version: 1262
Windows 5.1.2600 Service Pack 3

10/13/2008 11:18:21 AM
mbam-log-2008-10-13 (11-18-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 115937
Time elapsed: 43 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7C5CBB33-6F9E-419C-BB8E-12955CF2B2E6}\RP162\A0044167.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C5CBB33-6F9E-419C-BB8E-12955CF2B2E6}\RP162\A0044171.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C5CBB33-6F9E-419C-BB8E-12955CF2B2E6}\RP162\A0044173.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C5CBB33-6F9E-419C-BB8E-12955CF2B2E6}\RP162\A0044174.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C5CBB33-6F9E-419C-BB8E-12955CF2B2E6}\RP163\A0044296.DLL (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{7C5CBB33-6F9E-419C-BB8E-12955CF2B2E6}\RP163\A0044396.dll (Adware.AskSBAR) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\3wGFJWhw.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dcK3t3gf.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

360Share Pro(remove only)
ABBYY FineReader 5.0 Sprint
Acrobat.com
Acrobat.com
Ad-Aware
Adobe Acrobat 5.0
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Reader 9
Adobe Shockwave Player
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Bonjour
Bookworm Deluxe 1.13
CCScore
Compatibility Pack for the 2007 Office system
Digital Photo Navigator 1.5
ESET Online Scanner
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
Express Burn
FaxTools
Google Earth
HijackThis 2.0.2
HLPPDOCK
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Huffyuv AVI lossless video codec (Remove Only)
HyperCam 2
Intel(R) Extreme Graphics 2 Driver
Interactive Reading Journey for Grades 1-2
iTunes
Java 2 Runtime Environment, SE v1.4.2_01
Java(TM) 6 Update 7
JumpStart Animal Adventures
kgcbaby
kgcbase
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
KSU
Lexmark 3100 Series
Malwarebytes' Anti-Malware
Messenger Plus! Live & Sponsor (CiD)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Word Viewer 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MobileMe Control Panel
Mozilla Firefox (2.0.0.17)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NCH Toolbox
Notifier
NTI Backup NOW! 4
NTI CD & DVD-Maker
OfotoXMI
OTtBP
OTtBPSDK
PCI Audio Driver
Pivot Stickfigure Animator
QuickTime
Reader Rabbit presents Math Journey for Grades 1-3
Reader Rabbit's 2nd Grade
Registry Mechanic 8.0
Rogers Self Help Software 4053
Rogers Update Manager
Rogers Yahoo! Applications
Safari
Security Status
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
SFR
SHASTA
SKIN0001
SKINXSDK
Sothink FLV Player
Spybot - Search & Destroy
staticcr
Stuart Little 2 PC
Switch
The ClueFinders(R) Reading Adventures Ages 9-12
The Game Of Life
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
VPRINTOL
Windows Communication Foundation
Windows Imaging Component
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WIRELESS
2 Contributors, 15 Replies, 16 Views, 9 Years Discussion Span, Last Post by jholland1964

Hi Ecila5200 and welcome to daniweb.
We will need to see an actual HijackThis scan log, not just its uninstall list, so please do a full system scan and post that log also.
You said

They have 3 teenage children and I guess one of them visited a page that loaded this nasty to their computer.

Well we know absolutely where ONE of these trojans came from, P2P file sharing. That shows in the ESET log. The infected file was an mp3 file, a downloaded music file, and LimeWire, a P2P program, was used to do so, though that program doesn't appear on the Uninstall list. It shows here in the ESET log:
C:\Documents and Settings\Acer\My Documents\LimeWire\Saved\Adele - Tired.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 3B35E5CADDBB84E255FF8534F078A0ED
That said, on the uninstall list I see 360Share Pro; this IS a P2P file sharing program. This program should be removed from the computer.
While everything I have found and read about this program "intimates" that it is legal to use it to search for and download music, I MUST state this:
The program itself is LEGAL, BUT... in order to download music you must have PERMISSION to do so from the copyright owner. Having or paying for the software DOESN'T give you permission. If you are the copyright owner, meaning you wrote the music and/or are the artist, you can upload the songs on 360 Share Pro (or Limewire) and give permission to others to share your songs. Or you may want to share your home movies. These are examples of legal uses but the KEY word is OWNER gives permission. The OWNER of a piece of music is the writer of the music or the performer of the song, NOT a person who owns a cd copy of the music. Sharing copyrighted material with another without PERMISSION of the person who OWNS the copyright is illegal.
You need to make these points clear to your niece:
The 'sharing' of copyrighted music is illegal, so the chances of you getting caught really shouldn't matter.
Simply having P2P software downloaded and installed doesn't constitute an illegal act in most countries. Instead, it's what you use such programs to download.

Now those being mainly targeted are those that 'share' in bulk... hundreds of downloads. Why? There are thousands, if not millions, of people committing piracy. Since they can't find and prosecute them all they go for the 'bigger fish' first.

No one is exempt from prosecution, however. They have gone after the 'little fish' as well to make that point...you commit a crime and you risk doing the time.

I say this because this is something that we here at daniweb and other forums that help clean computers do not condone in any way; in fact many forums refuse to help those who had their computers infected by known P2P file sharing. Thus far we are not refusing help here.
On this computer we know absolutely that at least one of these infections came from P2P, and if I were a betting person I would bet there is a good chance that this is where the others came into the computer too.
Another thing that I DO NOT see in the uninstall list is an antivirus program or a firewall on the computer. Where are they?
Uninstall that 360Share Pro program, but do it in Safe Mode to be sure there isn't anything unneeded running in the background.
While you are in Add/Remove also uninstall this too...Java 2 Runtime Environment, SE v1.4.2_01. It is OLD and Unneeded.
Once you have uninstalled those two items then reboot to normal mode and run the HiJackThis full system scan, save the log and post it here.
Judy
And please copy/paste the logs do not attach them. This way we don't have to download a file from an infected computer.


OK Judy - I will not attach any more files. And my niece, being very computer "illiterate" paid for that piece of software thinking that it was a "legal" copy for her children to download songs. While reading your post I can see now that "none" of these sites would be "legal" to download from. I will inform her so that when the children want music to upload to the iPod she can purchase the music CD, then upload it. I know they have a great collection of music CDs so that isn't the problem. Thanks and I will get back to you shortly with the HijackThis log.

Thanks again for your help,
Ecila


There is iPod music available on the internet at very legal sites. My grandchildren and daughters all upload music to their iPods but they PAY for each song. It is not expensive, around $1.00 a song I believe.
Sorry that she paid for this program, from what I have read, that is a scam itself and the chance of getting your money back is very slim. Why is it a scam? For the very reason you said your sister bought it... because she thought that it was then "legal" for her children to download all the music they wanted because she had paid the fee. But the thing is, P2P file sharing is "free" because whatever is being shared is generally pirated, so she paid a fee to do something that is essentially free. It is dangerous of course because as you see, you can very well get a lot more than you bargained for, namely, an infected computer.

I found this interesting little note at the very bottom of the 360Share Pro website:

The purchase of a membership, however, is not a license to upload or download copyrighted material. We urge you to respect copyright and share responsibly.

See, this is how they get around the legalities and it also probably releases them from having to return the fee charged. Each and every program which is included in this "membership" is FREE, there is no reason a person should have to pay, that doesn't make P2P legal or any better but they are charging people for essentially what are free programs to P2P.
Also note this from their FAQ pages:

If you are experiencing technical difficulties and would require support, our support team guarantees to solve your issue on first contact or your money back! Your membership is also backed by a full satisfaction guarantee.

Supposedly then you can get your money back IF you are experiencing technical difficulties with the 360Share Pro program, not because you downloaded something and ended up getting an infected computer.
I have no idea what this costs, could never find it on the website though I have seen references on other sites of $20 to $30. I think she should just take this as a lesson learned and be thankful it only cost that much. Hopefully we can get the computer cleaned out and she can choose to get her kids iPod music gift cards for downloading their music.


Thanks Judy, I will pass this along to her as she will be mortified when I tell her about this. Also if you can, will you e-mail me the sites where they can download "legally"? Or post it to the thread if you prefer. I am working on removing the programs now so will contact you shortly with the HijackThis file.

Once again, Thanks
Ecila


Be sure not to do any fixes yet with the HJT full scan, just post the log.
I would advise your niece not to download anything new right now, unless directed to do so here. She needs to have a clean computer before installing new programs, which would be needed to download the iPod music.
Judy


OK Judy, here is the HJT scan after I removed the programs mentioned earlier. Thanks for all your help !!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:46 AM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\SecurityStatusSDK\SSDK02.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [OnlineCdrom] C:\DOCUME~1\Acer\APPLIC~1\ATOMDE~1\32third.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8405 bytes


Just a quick note that while I was running the HJT scan and posting here, 3 IE Windows popped up during this time. I had disabled IE earlier in my program options but enabled it to run the ESET Online Scanner. I think it may have something to do with Internet Explorer ???

Thanks again,
Ecila


Well I see several things here, first of all I see a PORTION of an old Norton program still running along with AVG 8. This is definitely a no-no. ONE antivirus program running on a computer is the rule. Run more than one at a time and you can actually lessen your protection.

You are going to have to search for this file, but first use Task Manager to turn it off.
The file is named SSDK02.exe so you will have to stop it from running and then do a search by clicking Start, Search, Files and Folders and search first for all things named Symantec. Once those are located, delete them. Then do the same thing for Norton. If you find any of those delete them.

You also show Spybot TeaTimer running on the computer. This MUST BE turned off and KEEP IT TURNED OFF as it can interfere with fixes we may do with HiJackThis or other programs.
Open Spybot. Click Mode, choose Advanced. Then at the bottom choose Tools. When that opens you will see a row of buttons on the left. Click Resident. When Resident opens REMOVE the check mark from TeaTimer. Close the program.
Reboot.

Now there are several things showing in the log which must be removed. One is a LOP infection; this is also evidenced by the program Messenger Plus! Live & Sponsor (CiD) showing in your Uninstall list.
You should remove this using Add/Remove.

Now I would also like you to UPDATE MBA-M. Run it again and have it fix or remove everything found.

Reboot the computer.

Run the ESET Scanner again and this time have it fix or remove everything found.
Reboot the computer. Remember you must turn off your AVG8 and run the scan with Internet Explorer.
Reboot the computer.

Run a new HiJackThis scan and post that log, along with the MBA-M log and the ESET Scanner log.
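As an added example (not from this thread, from DaniWeb or from HijackThis itself), a small Python triage script that parses a log in the format pasted above and flags the things Judy picks out by eye: two antivirus vendors running at once, an orphaned BHO, a Run entry launching from a user data directory, and TeaTimer still active. The sample log, vendor markers and directory markers are constructed for the example.

```python
"""Triage helper for HijackThis (HJT) logs in the format pasted in this thread.

Parses the "Running processes" block and the numbered R/F/O sections, then
applies a few of the checks a helper otherwise does by eye:
  - code from more than one antivirus vendor running at the same time,
  - an O2 BHO whose DLL is gone ("(no file)"),
  - an O4 Run entry launching from a user profile data or temp directory,
  - Spybot TeaTimer resident still active, which blocks HJT fixes.
"""
import re

# Constructed sample in the thread's log format (a shortened log, not a real one).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\SecurityStatusSDK\SSDK02.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [OnlineCdrom] C:\DOCUME~1\Acer\APPLIC~1\ATOMDE~1\32third.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# "O4 - HKLM\..\Run: [...]" style lines: section tag, then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Lower-case path fragments that identify an antivirus vendor's files
# (assumed, illustrative list; extend for other products).
AV_VENDOR_MARKERS = {
    "\\avg\\": "AVG",
    "\\symantec shared\\": "Symantec/Norton",
    "\\norton": "Symantec/Norton",
    "\\mcafee\\": "McAfee",
}

# Lower-case fragments of per-user data and temp directories (long and 8.3
# short forms) from which a legitimate autorun is unusual on Windows XP.
USER_DATA_MARKERS = (
    "\\applic~1\\", "\\application data\\",
    "\\locals~1\\", "\\local settings\\", "\\temp\\",
)


def parse_hjt(text):
    """Return (processes, entries): running-process paths and (section, body) pairs."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                 # a blank line closes the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Run the checks over one log and return a list of (rule, detail) findings."""
    processes, entries = parse_hjt(text)
    findings = []

    # 1. More than one antivirus vendor with code running.
    vendors = {}
    for proc in processes:
        low = proc.lower()
        for marker, vendor in AV_VENDOR_MARKERS.items():
            if marker in low:
                vendors.setdefault(vendor, proc)
    if len(vendors) > 1:
        detail = "; ".join(f"{v}: {p}" for v, p in sorted(vendors.items()))
        findings.append(("multiple-av", detail))

    for section, body in entries:
        lower = body.lower()
        # 2. Orphaned BHO: the CLSID is still registered but its DLL is gone.
        if section == "O2" and body.endswith("(no file)"):
            findings.append(("orphan-bho", body))
        if section == "O4":
            # 3. Autorun launched from a user profile data or temp directory.
            if any(marker in lower for marker in USER_DATA_MARKERS):
                findings.append(("run-from-user-data", body))
            # 4. TeaTimer resident is on; it must be disabled before HJT fixes.
            if "teatimer" in lower:
                findings.append(("teatimer-active", body))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Paste a full log into `SAMPLE_LOG` (or read it from a file) to run the same checks on it; the output is a starting point for a human helper, not a verdict.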


Hi Judy - here is the HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:25 PM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7829 bytes


THE MBA-M LOG SCAN

Malwarebytes' Anti-Malware 1.28
Database version: 1268
Windows 5.1.2600 Service Pack 3

10/14/2008 1:44:12 PM
mbam-log-2008-10-14 (13-44-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 109088
Time elapsed: 38 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

THE E-SET SCANNER LOG:

Runscanner logfile http://www.runscanner.net

* = signed file
- = file not found

General info
------------
Computer name : OEM-DV3949BSO4L
Creation time : 8/26/2008 3:48:20 PM
Hosts <> 127.0.0.1 : 0
Hosts file location : %SystemRoot%\System32\drivers\etc
IE version : 7.0.5730.13
OS : Microsoft Windows XP
OS Build : 2600
OS SP : Service Pack 2
RunScanner Version : 1.7.0.0
User Language : English (United States)
User rights : Administrator
Windows folder : C:\WINDOWS

Running processes
-----------------
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe ( )
* C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe (Lavasoft)
* C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc.)
* C:\WINDOWS\System32\alg.exe (Microsoft Corporation)
* C:\PROGRA~1\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
* C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
* C:\WINDOWS\system32\csrss.exe (Microsoft Corporation)
* C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
* C:\PROGRA~1\YAHOO!\YOP\yop.exe (Yahoo! Inc.)
* C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\system32\svchost.exe (Microsoft Corporation)
* C:\WINDOWS\System32\hkcmd.exe (Intel Corporation)
* C:\WINDOWS\System32\igfxtray.exe (Intel Corporation)
* C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
* C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
* C:\Program Files\iPod\bin\iPodService.exe (Apple Inc.)
* C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
* C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
* C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe (Lexmark International, Inc.)
* C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe (Lexmark International, Inc.)
* C:\WINDOWS\system32\LEXPPS.EXE (Lexmark International, Inc.)
* C:\WINDOWS\system32\lsass.exe (Microsoft Corporation)
* C:\WINDOWS\Mixer.exe (C-Media Electronic Inc. (www.cmedia.com.tw))
* C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe (Rogers Cable Communications)
* C:\Program Files\Rogers\SelfHealing\shs.exe (Rogers Cable Communications Inc.)
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe (Rogers Cable Communications)
* C:\DOCUME~1\Acer\LOCALS~1\Temp\Temporary Directory 1 for runscanner.zip\RunScanner.exe (Runscanner.net)
* C:\Program Files\Common Files\Symantec Shared\SecurityStatusSDK\SSDK02.exe (Symantec Corporation)
* C:\WINDOWS\system32\services.exe (Microsoft Corporation)
* C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation)
* C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
* C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Microsoft Corporation)
* C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation)
* c:\windows\System32\smss.exe (Microsoft Corporation)
C:\PROGRA~1\YAHOO!\browser\ycommon.exe (Yahoo!, Inc.)

Unrated items
-------------
002 C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe (Lexmark International, Inc.)
002 C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe ( )
002 C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
002 * C:\Program Files\Rogers\SelfHealing\shs.exe (Rogers Cable Communications Inc.)
002 * C:\PROGRA~1\YAHOO!\YOP\yop.exe (Yahoo! Inc.)
003 C:\DOCUME~1\Acer\APPLIC~1\ATOMDE~1\32third.exe
004 C:\Documents and Settings\Acer\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe (Leader Technologies)
005 C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
010 * C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe (Rogers SHS Service)
010 C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe (Rogers Update Manager)
010 C:\WINDOWS\system32\YPCSER~1.EXE (YPCService)
011 C:\WINDOWS\System32\drivers\aspi32.sys (Aspi32)
011 * C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys (GEARAspiWDM)
011 C:\WINDOWS\System32\Drivers\PxHelp20.sys (PxHelp20)
011 C:\WINDOWS\system32\drivers\UBHelper.sys (UBHelper)
011 C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys (Upper Class Filter Driver)
052 GUID / CLSID not found {7E853D72-626A-48EC-A868-BA8D5E23E045}
061 C:\Program Files\Bonjour\ExplorerPlugin.dll (Apple Computer, Inc.) {9999A076-A9E2-4C99-8A2B-632FC9429223}
061 C:\WINDOWS\system32\FlashShl.dll ( ) {03FF3962-D823-11D4-97F0-009027769C61}
061 C:\WINDOWS\system32\SMSHELL.DLL (OnSpec Electronic Inc.,) {3c249f62-e26e-11d4-97f0-009027769c61}
061 * C:\Program Files\Yahoo!\Common\Ymmapi.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
073 A8013F17918AB5CB.job : c:\docume~1\conorm~1\applic~1\atomde~1\Delete copy bird.exe
073 BD332BF781BCA3EB.job : c:\docume~1\acer\applic~1\atomde~1\Delete copy bird.exe
100 ShellNext HKCU : http://windowsupdate.microsoft.com/
100 Start Page HKCU : http://rogers.yahoo.com
102 GUID / CLSID not found {32683183-48a0-441b-a342-7c2a440a9478}
104 * C:\WINDOWS\Downloaded Program Files\tgctlsr.dll (Symantec, Inc.) {44990301-3C9D-426D-81DF-AAB636FA4345}
104 GUID / CLSID not found {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
104 C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll (JavaSoft / Sun Microsystems, Inc.) {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA}
105 &Windows Live Search : res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
105 Add to Windows &Live Favorites : http://favorites.live.com/quickadd.aspx
105 E&xport to Microsoft Excel : res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
107 C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
170 {04d6d9e1-fa96-11dc-80fc-00016c3b7c46} : F:\LaunchU3.exe -a
170 {0d864e04-fdc5-11dc-b8cc-00016c2f4bd5} : G:\setupSNK.exe
173 * C:\Program Files\Yahoo!\Common\Ymmapi.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}
221 * C:\Program Files\Yahoo!\Common\Ymmapi.dll (Yahoo! Inc.) {5464D816-CF16-4784-B9F3-75C0DB52B499}

Missing files
-------------
011 C:\WINDOWS\system32\drivers\Abiosdsk.sys
011 C:\WINDOWS\system32\drivers\abp480n5.sys
011 C:\WINDOWS\system32\drivers\adpu160m.sys
011 C:\WINDOWS\system32\drivers\Aha154x.sys
011 C:\WINDOWS\system32\drivers\aic78u2.sys
011 C:\WINDOWS\system32\drivers\aic78xx.sys
011 C:\WINDOWS\system32\drivers\AliIde.sys
011 C:\WINDOWS\system32\drivers\amsint.sys
011 C:\WINDOWS\system32\drivers\asc.sys
011 C:\WINDOWS\system32\drivers\asc3350p.sys
011 C:\WINDOWS\system32\drivers\asc3550.sys
011 C:\WINDOWS\system32\drivers\Atdisk.sys
011 C:\WINDOWS\system32\drivers\cd20xrnt.sys
011 C:\WINDOWS\system32\drivers\Changer.sys
011 C:\WINDOWS\system32\drivers\CmdIde.sys
011 C:\WINDOWS\system32\drivers\Cpqarray.sys
011 C:\WINDOWS\system32\drivers\dac2w2k.sys
011 C:\WINDOWS\system32\drivers\dac960nt.sys
011 C:\WINDOWS\system32\drivers\dpti2o.sys
011 C:\WINDOWS\system32\drivers\hpn.sys
011 C:\WINDOWS\system32\drivers\i2omgmt.sys
011 C:\WINDOWS\system32\drivers\i2omp.sys
011 C:\WINDOWS\system32\drivers\ini910u.sys
011 C:\WINDOWS\system32\drivers\IntelIde.sys
011 C:\WINDOWS\system32\drivers\lbrtfdc.sys
011 C:\WINDOWS\system32\drivers\mraid35x.sys
011 C:\WINDOWS\system32\drivers\PCIDump.sys
011 C:\WINDOWS\system32\drivers\PDCOMP.sys
011 C:\WINDOWS\system32\drivers\PDFRAME.sys
011 C:\WINDOWS\system32\drivers\PDRELI.sys
011 C:\WINDOWS\system32\drivers\PDRFRAME.sys
011 C:\WINDOWS\system32\drivers\perc2.sys
011 C:\WINDOWS\system32\drivers\perc2hib.sys
011 C:\WINDOWS\system32\drivers\ql1080.sys
011 C:\WINDOWS\system32\drivers\Ql10wnt.sys
011 C:\WINDOWS\system32\drivers\ql12160.sys
011 C:\WINDOWS\system32\drivers\ql1240.sys
011 C:\WINDOWS\system32\drivers\ql1280.sys
011 c:\windows\system32\drivers\ALCXWDM.SYS
011 c:\windows\system32\drivers\ALCXSENS.SYS
011 C:\WINDOWS\system32\drivers\Simbad.sys
011 C:\WINDOWS\system32\drivers\Sparrow.sys
011 C:\WINDOWS\system32\drivers\sym_hi.sys
011 C:\WINDOWS\system32\drivers\sym_u3.sys
011 C:\WINDOWS\system32\drivers\symc810.sys
011 C:\WINDOWS\system32\drivers\symc8xx.sys
011 C:\WINDOWS\system32\drivers\TosIde.sys
011 C:\WINDOWS\system32\drivers\ultra.sys
011 C:\WINDOWS\system32\drivers\ViaIde.sys
011 C:\WINDOWS\system32\drivers\WDICA.sys
061 deskpan.dll
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\dcK3t3gf.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe
073 C:\WINDOWS\system32\3wGFJWhw.exe


I think everything looks clean now. Please advise - thanks for your very, very valuable help in getting this computer cleaned up.

Ecila5200


NOTE: When I did the search for "Symantec" it only showed 2 files which I deleted. Now checking through this post I noticed that there was another Symantec file folder which I have just deleted. Do you need me to run the scans again with this Symantec file folder removed?

Sorry ....


For some unknown reason you ran a program I am not familiar with called Runscanner instead of the ESET Online antivirus scanner. Can you please run the ESET Scanner, fix anything found by it and then post back here with that log and a NEW HijackThis log.


Hi Judy,

I ran the ESET Online scan and it found no errors; however, it did not generate a log file. Here is the HJT scan.

Thanks again,
Ecila5200

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:33 PM, on 10/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe
C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Rogers\SelfHealing\shs.exe
C:\Program Files\Lexmark 3100 Series\lxbrbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Rogers SHS] C:\Program Files\Rogers\SelfHealing\shs.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Rogers SHS Service (RogersSelfHelpService) - Rogers Cable Communications - C:\Program Files\Rogers\SelfHealing\RogersSelfHelpService.exe
O23 - Service: Rogers Update Manager (RogersUpdateManager) - Rogers Cable Communications - C:\Program Files\Rogers\Update Manager\RogersUpdateManager.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7956 bytes

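The helper in this thread reads the HijackThis logs by eye, looking for the same handful of things each time: a BHO whose DLL is gone, an O4 autorun pointing into a user profile or Temp folder, a Startup-folder item, an O16 ActiveX control pulled from somewhere other than a vendor site, and anything in AppInit_DLLs. The script below does that first pass mechanically. It is an added example written for this page, not code from either poster and not a feature of HijackThis. It also rejoins entries that the forum wrapped onto two lines with a blank line between them, exactly as happened to the logs above. The sample log is constructed: most entries are copied from the logs in this thread, while the `codec.example` O16 entry and the `[32third]` and `[3wGFJWhw]` Run entries are hypothetical, built from file names that only appear in the RunScanner output. The allow list of O16 domains, the user-writable directory list and the eight-character-name heuristic are assumptions of this example, tuned to the XP-era paths in the thread.

```python
"""Triage helper for Trend Micro HijackThis v2 logs.

Added example for this thread; not part of the original posts and not part of
HijackThis itself. Reassembles wrapped entries, then flags: orphaned BHOs,
autoruns in user-writable directories or the Startup folder, random-looking
executable names, AppInit_DLLs injection, and O16 ActiveX downloads from hosts
outside an assumed allow list.
"""
import re

# Every HijackThis entry starts with a section code: R0, F3, O2, O23, ...
ENTRY_RE = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - ")
# Lines that end the entry list and must never be glued onto the previous entry.
FOOTER = ("--", "End of file")

# Directories a legitimate autorun rarely lives in (assumption: XP-era layout;
# 8.3 short names are listed because HijackThis prints them that way).
USER_WRITABLE = re.compile(
    r"\\(Temp|Application Data|APPLIC~1|Local Settings|LOCALS~1|My Documents)\\",
    re.IGNORECASE,
)
# Dropper-generated names are often exactly eight mixed-case alphanumerics.
RANDOM_NAME = re.compile(r"\\([A-Za-z0-9]{8})\.exe$", re.IGNORECASE)
# Assumed allow list for O16 (Downloaded Program Files) sources.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "msn.com", "eset.eu")


def join_wrapped(text):
    """Rejoin entries that were wrapped onto continuation lines.

    A non-empty line without a section code is appended to the preceding
    entry, unless it is a footer line or the preceding line was not an entry
    (for example the 'Running processes' list).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (entries and ENTRY_RE.match(entries[-1])
                and not ENTRY_RE.match(line)
                and not line.startswith(FOOTER)):
            entries[-1] += " " + line
        else:
            entries.append(line)
    return entries


def looks_random(stem):
    """True for names mixing upper case, lower case and digits, e.g. 3wGFJWhw."""
    return (re.search(r"[a-z]", stem) is not None
            and re.search(r"[A-Z]", stem) is not None
            and re.search(r"\d", stem) is not None)


def trusted_host(url):
    """True when the URL's host is one of, or a subdomain of, the allow list."""
    m = re.match(r"https?://([^/]+)", url)
    if not m:
        return False
    h = m.group(1).lower()
    return any(h == d or h.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)


def triage(entries):
    """Return (entry, reason) pairs for entries that deserve a second look."""
    findings = []
    for e in entries:
        m = ENTRY_RE.match(e)
        if not m:
            continue
        kind = m.group(1)
        if kind == "O2" and e.endswith("(no file)"):
            findings.append((e, "orphaned BHO: CLSID registered but DLL gone; safe to fix"))
        elif kind == "O4":
            if e.startswith(("O4 - Startup:", "O4 - Global Startup:")):
                findings.append((e, "Startup-folder item: no vendor shown, runs at every logon"))
            elif USER_WRITABLE.search(e):
                findings.append((e, "autorun launched from a user-writable directory"))
            rn = RANDOM_NAME.search(e)
            if rn and looks_random(rn.group(1)):
                findings.append((e, "random-looking executable name"))
        elif kind == "O16":
            url = re.search(r"https?://\S+", e)
            if url and not trusted_host(url.group(0)):
                findings.append((e, "ActiveX control fetched from a host outside the allow list"))
        elif kind == "O20" and "AppInit_DLLs" in e:
            findings.append((e, "AppInit_DLLs is loaded into every GUI process; confirm the vendor"))
    return findings


# Constructed sample: entries copied from this thread plus three hypothetical
# ones ([32third], [3wGFJWhw], codec.example), wrapped the way the forum did.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe"

/background
O4 - HKCU\..\Run: [32third] C:\DOCUME~1\Acer\APPLIC~1\ATOMDE~1\32third.exe
O4 - HKLM\..\Run: [3wGFJWhw] C:\WINDOWS\system32\3wGFJWhw.exe
O4 - Startup: PowerReg Scheduler V3.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) -

http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Codec Installer) - http://codec.example/dl.cab
O20 - AppInit_DLLs: avgrsstx.dll

--
End of file - 123 bytes
"""

if __name__ == "__main__":
    for entry, reason in triage(join_wrapped(SAMPLE_LOG)):
        print(f"{reason}\n    {entry}")
```

On the sample it reports six entries: the orphaned BHO, the two hypothetical Run entries, the PowerReg Startup item, the codec control, and the AVG AppInit_DLLs line. The last one shows the intended use: the script does not say an entry is malicious, only that it belongs to a class a helper always checks; avgrsstx.dll is AVG's own resident-shield hook and stays. Feed it a real log with `join_wrapped(open("hijackthis.log").read())`.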

Yes Judy - I've left it on all day and not a single IE pop-up page. I won't know for sure until I get it back to my niece's home and get it set up to see if it is faster now but I'm 99.9% sure that all the nasties have been removed - thanks so, so much to you!!!

I will keep an eye on it for the next couple of days and have told my niece that I have to talk to all the children about what happened and how and where they can ONLY download their music ...

AGAIN - MANY MANY THANKS for all your fantastic help with this. Take Care,
Ecila
:)
