New Poly Win32 [For ScottyM]

Foolow these instructions. THen post a new log.

http://help.lockergnome.com/lofiversion/index.php/t40356.html

Here's the "hijackthis" log:

Logfile of HijackThis v1.99.1
Scan saved at 4:30:07 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AVWinNT\AVWUPSRV.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Scott Yaffee\Desktop\System Utilities\Spizz\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = DO I MAKE YOU HORNY BABY? YEAH...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\Spyware Doctor\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WeatherBug\Weather.exe (HKCU)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4703/mcfscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVWinNT\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


And here's the ewido scan report:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           4:22:48 PM, 3/1/2006
+ Report-Checksum:      F20F82B9


+ Scan result:


:mozilla.10:C:\Documents and Settings\Scott Yaffee\Application Data\Thunderbird\Profiles\s27mrlam.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\DoubleClick.zip/scott [email]yaffee@ln.doubleclick[1].txt[/email] -> TrackingCookie.Doubleclick : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Enliven.zip/scott [email]yaffee@ads.enliven[1].txt[/email] -> TrackingCookie.Enliven : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Enliven1.zip/scott [email]yaffee@ads.enliven[1].txt[/email] -> TrackingCookie.Enliven : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Enliven2.zip/scott [email]yaffee@ads.enliven[1].txt[/email] -> TrackingCookie.Enliven : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer16.zip/scott [email]yaffee@questionmarket[1].txt[/email] -> TrackingCookie.Questionmarket : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer25.zip/scott [email]yaffee@2o7[2].txt[/email] -> TrackingCookie.2o7 : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer25.zip/scott [email]yaffee@ad-flow[2].txt[/email] -> TrackingCookie.Ad-flow : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer25.zip/scott [email]yaffee@com[1].txt[/email] -> TrackingCookie.Com : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer28.zip/scott [email]yaffee@edge.ru4[1].txt[/email] -> TrackingCookie.Ru4 : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer28.zip/scott [email]yaffee@server.iad.liveperson[1].txt[/email] -> TrackingCookie.Liveperson : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer28.zip/scott [email]yaffee@trafficmp[1].txt[/email] -> TrackingCookie.Trafficmp : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer32.zip/scott [email]yaffee@questionmarket[2].txt[/email] -> TrackingCookie.Questionmarket : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer32.zip/scott [email]yaffee@server.iad.liveperson[1].txt[/email] -> TrackingCookie.Liveperson : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer32.zip/scott [email]yaffee@trafficmp[1].txt[/email] -> TrackingCookie.Trafficmp : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer36.zip/scott [email]yaffee@2o7[1].txt[/email] -> TrackingCookie.2o7 : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer36.zip/scott [email]yaffee@com[2].txt[/email] -> TrackingCookie.Com : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer36.zip/scott [email]yaffee@overture[2].txt[/email] -> TrackingCookie.Overture : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer36.zip/scott [email]yaffee@questionmarket[2].txt[/email] -> TrackingCookie.Questionmarket : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer36.zip/scott [email]yaffee@zedo[2].txt[/email] -> TrackingCookie.Zedo : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer40.zip/scott [email]yaffee@questionmarket[1].txt[/email] -> TrackingCookie.Questionmarket : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer40.zip/scott [email]yaffee@web4.realtracker[1].txt[/email] -> TrackingCookie.Realtracker : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer45.zip/scott [email]yaffee@com[1].txt[/email] -> TrackingCookie.Com : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer45.zip/scott [email]yaffee@download.com[2].txt[/email] -> TrackingCookie.Com : Error during cleaning
C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\InternetExplorer8.zip/scott [email]yaffee@questionmarket[1].txt[/email] -> TrackingCookie.Questionmarket : Error during cleaning
:mozilla.9:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Doubleclick : Error during cleaning
:mozilla.10:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Atdmt : Error during cleaning
:mozilla.17:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Fastclick : Error during cleaning
:mozilla.20:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.21:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.2o7 : Error during cleaning
:mozilla.22:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.23:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Valueclick : Error during cleaning
:mozilla.27:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Mediaplex : Error during cleaning
:mozilla.28:C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Mozilla2.zip/cookies.txt -> TrackingCookie.Mediaplex : Error during cleaning



::Report End

Please advise my next move.
Thanks in advance,
ScottyM, Atlanta, GA

Ok, there were alot of errors during that cleaning ;). Have HJT clean the following

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WeatherBug\Weather.exe (HKCU)

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe (file missing)

Then get the trial of spysweeper - http://www.webroot.com/consumer/products/spysweeper?acode=af1&rc=3599

And have it scan and delete whatever it finds. For info on how on to use, visit here - http://www.toughadmin.com/slideshow.php?article=Removing&i=21.

Then post a new log.

Hey tayspen Just a heads up, no need to remove the 023 line in the HijackThis scan - it's a bug in the program :)

Oh, Dont know that. Well I learned somthing today :).

Yes, the errors came up when the utility asked me if I wanted to delete the Spybot logs (?) since they were embedded. I didnt quite understand what that meant, but I chose not to delete them since I use Spybot regularly and felt the logs were no threat. I'm running Webroot utility now and will post the log shortly.
Thanks. :)

Ok, here is the scan from Webroot Spy Sweeper:

********
11:21 AM: | Start of Session, Friday, March 03, 2006 |
11:21 AM: Spy Sweeper started
11:21 AM: Sweep initiated using definitions version 625
11:21 AM: Starting Memory Sweep
11:36 AM: Memory Sweep Complete, Elapsed Time: 00:14:46
11:36 AM: Starting Registry Sweep
11:38 AM: Registry Sweep Complete, Elapsed Time:00:01:42
11:38 AM: Starting Cookie Sweep
11:38 AM: Found Spy Cookie: adjuggler cookie
11:38 AM: scott [email]yaffee@rotator.adjuggler[1].txt[/email] (ID = 2071)
11:38 AM: Found Spy Cookie: myaffiliateprogram.com cookie
11:38 AM: scott [email]yaffee@www.myaffiliateprogram[2].txt[/email] (ID = 3032)
11:38 AM: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:38 AM: Starting File Sweep
1:14 PM: File Sweep Complete, Elapsed Time: 01:36:07
1:14 PM: Full Sweep has completed. Elapsed time 01:52:45
1:14 PM: Traces Found: 2
1:40 PM: Removal process initiated
1:40 PM: Quarantining All Traces: adjuggler cookie
1:40 PM: Quarantining All Traces: myaffiliateprogram.com cookie
1:40 PM: Removal process completed. Elapsed time 00:00:01
********
11:20 AM: | Start of Session, Friday, March 03, 2006 |
11:20 AM: Spy Sweeper started
11:21 AM: Your spyware definitions have been updated.
11:21 AM: | End of Session, Friday, March 03, 2006 |

and here's the new scan from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:45:12 PM, on 3/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AVWinNT\AVWUPSRV.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\System32\cisvc.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Scott Yaffee\Desktop\System Utilities\Spizz\HijackThis.exe
C:\Documents and Settings\Scott Yaffee\Desktop\System Utilities\Spizz\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = DO I MAKE YOU HORNY BABY? YEAH...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\JUSearch\SearchEnh1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll (file missing)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4703/mcfscan.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVWinNT\AVWUPSRV.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please advise my next move, if any.
And thanks for the help.
Scott in Atlanta, GA

Oh, Dont know that. Well I learned somthing today :).

Maybe I should elaborate on what I was saying. In this particular case, the user appeared to have already uninstalled Ewido, so the files were indeed missing. But since there is a bug in HijackThis with the 023 lines, it wouldnt hurt to ask the user to verify the files are indeed gone.

Also, ScottyM - you appear to have McAffee, Antivir, and Avast! AV Services running. To avoid conflicts, you should pick one Antivirus and uninstall the other two.

Yes, I uninstalled Ewido after I ran the scan, as well as Webroot Spy Sweeper.
I'm perplexed. The only anti-vir softwared that I have running is McAfee. The others are just on my computer since I was having probs with McAfee, but they have not been installed nor am I running them (at least to my knowledge, I am not running anything but Mcafee). I just have them "in case" McAfee gives me more problems (something was disabling Mcafee and I had to keep downloading and installing it over and over. Thats what led me to believe that I had a virus disabling my McAfee, so I d/l'd Avast (HUGE MISTAKE-CRAPPY SOFTWARE) and AntiVir (havent usedthis one yet, just have the file sitting here waiting to be installed.)
So, have I gotten rid of this New Poly Win virus yet or is there something else I have to do?
Scott

Well with the (file missing) bug in HijackThis, it's hard to tell.

So let's do the following if you plan to use McAffee

First check Add/Remove Programs and uninstall if you see them

Antivir Antivirus
Avast!

Next
Go to Start>Run type Services.msc

Look for the following

avast! iAVS4 Control Service
AntiVir Update

If they are found, right click each service and choose Stop. Then choose Properties and change the Startup Type to disabled

Next Open HijackThis
-Choose Open Misc Tools
-Choose Delete an NT Service
-Copy and paste the following one at a time into the box and click OK

avast! iAVS4 Control Service
AntiVir Update

Now scan with HijackThis and check the following and choose Fix Checked

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\Spyware Doctor\tools\iesdpb.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVWinNT\AVWUPSRV.EXE

Also fix this as well if you did not add this yourself

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = DO I MAKE YOU HORNY BABY? YEAH...

AntiVir and Avast are not installed, so there was nothing to uninstall. I opened up Services.msc and diabled the items you mentioned. I ran another HJT and checked/fixed the above metioned entries. So.....how can I tell if New Poly Win 32 is gone? Incidently, the way I found it was not with McAfee (McAfee didnt even see it and the McAfee scan showed clean). I used the online virus scan "Bitdefender" and thats how I found the virus. Please advise my next move if any and thanks again fir the assistance.
Scott

I ran another scan with "bitdefender" and about 1/2 the way thru the scan McAffee (which was still running in the background) popped up with a warning:

Virus Found: New Poly Win 32
Path: C:Documents and settings/Scott/Local Settings/Temp/tmp0000508c

I clicked on "show file path" and was taken to the location of the virus file (the "tmp0000508c") and I tried to delete it, clean it, and quarantine it. All three attempts yielded a message:

"The file cannot be [cleaned/deleted/quarantined]. Verify that the file is not write protected and try again.

The file is not write protected (I checked) and I still cannot delete it or clean it.
I dont know what to do next to kill this virus.

Thanks in advance....what should I do now?
Scott in Atlanta

Download Pocket Killbox from here:
http://files2.majorgeeks.com/files//admin/killbox.exe

Open Pocket Killbox and copy and paste the following into the box

C:/Documents and settings/Scott/Local Settings/Temp/tmp0000508c

Check the Delete on reboot option and when asked to reboot say YES
-If your PC does not reboot on it's own reboot it yourself.

Now scan and see if Bitdefender finds it, if so attach the Bitdefender log.

Killbox says "Cannot delete. The file does not exist" (but it is there, I just verified it)

Oops! I have the path incorrect if you copied and pasted like I advised.

It should be the following

C:\Documents and settings\Scott\Local Settings\Temp\tmp0000508c

Ok heres a funny thing. When I go to the file path that you told me to put into Killbox, the file isnt there. Its gone. When I run Bitdefender and THEN go to the file path, there it is. I try to delete it and it says "cannot delete, file in use. close programs bla bla bla". So I stopped and closed Bitdefender, and the file disappeared. So....its only there when I run the bitdefender, which leads me to believe that Bitdefender is depositing this file in my Temp folder, but is that possible???

Perplexed-
Scott

Odd indeed!

I would make sure you are viewing all hidden files and folders.
-Enter the path into Killbox anyway
-Reboot and verify it's gone.

If so, I would leave it be and not worry so much about Bitdefender if it seems it is placing this file in there.

To verify no more problems, run Panda Activescan
http://www.pandasoftware.com/products/activescan.htm

All clean.
Thanks again.

Glad I could help :)