
[Resolved] abi network removal

 
 
Kepar
 
Reply Sun 14 Aug, 2005 10:31 pm
I've been helping a friend rid their computer of the abi network (aurora) junk. I believe I followed all of the instructions in Timberlandko's post 1430298. I'm including both ewido logs and the HijackThis log in hopes that you can tell me if the system looks clean or not. I appreciate any help you can offer.

1st Ewido Log:

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:16:03 PM, 8/14/2005
+ Report-Checksum: 9C882A5A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{205FF73A-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{205FF72E-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Dvx -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08BEC6AA-49FC-4379-3587-4B21E286C19E} -> Spyware.SBSoft : Cleaned with backup
HKLM\SOFTWARE\Preview AdService -> Spyware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
[776] C:\WINDOWS\System32\skmwkty.exe -> Trojan.Agent.cp : Cleaned with backup
[828] VM_00850000 -> Adware.BetterInternet : Error during cleaning
C:\Documents and Settings\Earl\Cookies\earl@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Laurie\Cookies\laurie@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266432.TXT -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\RECYCLER\NPROTECT\00266929.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266932.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266935.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266938.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266941.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266943.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266944.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266945.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266946.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266947.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00266948.TXT -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00267233.exe -> Spyware.Msnagent : Cleaned with backup
C:\RECYCLER\NPROTECT\00267684.exe -> Spyware.Msnagent : Cleaned with backup
C:\RECYCLER\NPROTECT\00267766.exe -> Spyware.Zestyfind : Cleaned with backup
C:\RECYCLER\NPROTECT\00268143.exe -> Trojan.Agent.gp : Cleaned with backup
C:\RECYCLER\NPROTECT\00268265.exe -> Trojan.Agent.gp : Cleaned with backup
C:\RECYCLER\NPROTECT\00268267.exe -> Trojan.Agent.gp : Cleaned with backup
C:\RECYCLER\NPROTECT\00268299.exe -> Spyware.Msnagent : Cleaned with backup
C:\RECYCLER\NPROTECT\00268443.exe -> Trojan.Agent.gp : Cleaned with backup
C:\RECYCLER\NPROTECT\00268461.exe -> Trojan.Agent.gp : Cleaned with backup
C:\RECYCLER\NPROTECT\00268550.exe -> Trojan.Agent.gp : Cleaned with backup
C:\temp\salmau.dat -> Spyware.ISTBar : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\pidtekzoot.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\pidtekzoot.keithchanged -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\csrpl.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\WINDOWS\system32\dbnea.changedfromdll -> Spyware.SBSoft : Cleaned with backup
C:\WINDOWS\system32\dmwgx.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\WINDOWS\system32\hclean32.exe -> Trojan.Qhost.qr : Cleaned with backup
C:\WINDOWS\system32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup
C:\WINDOWS\system32\rdsndin.exe -> Spyware.FindSpy : Cleaned with backup
C:\WINDOWS\system32\skmwkty.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\Temp\nsdtmp09.dll -> Spyware.MetaDirect : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End


After following the instructions I generated a second report.

2nd Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:42:06 PM, 8/14/2005
+ Report-Checksum: 42ED6607

+ Scan result:

HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\WareOut\FirstRun -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-1957994488-1343024091-1801674531-1005\Software\WareOut\Registration -> TrojanDownloader.Wareout : Cleaned with backup


::Report End




Finally I ran the HijackThis software. Here is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 11:27:27 PM, on 8/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Laurie\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.com/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no name) - {60164819-6C79-825A-2869-742E50FB9997} - iehelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122307347390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



If I haven't posted properly, I apologize. I'm new to this.
Type: Discussion • Score: 1 • Views: 1,130 • Replies: 10

 
timberlandko
 
Reply Mon 15 Aug, 2005 02:59 pm
You posted just fine. Let's see what we can do here. Print out these instructions, as we will be doing much of this while in safe mode. Gather any necessary downloads and/or updates, and perform the recommended on-line scans first.

Run HJT again (with no other windows, browsers, email, messaging, or chat clients open or running - often best to do this while in safe mode), selecting "Scan and Fix", placing a checkmark next to ONLY the following (if found):

R3 - URLSearchHook: (no name) - {60164819-6C79-825A-2869-742E50FB9997} - iehelper.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O8 - Extra context menu item: AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/hamsterball/raptisoftgameloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12


Make sure no Browsers, Windows, Email, Messaging, or Chat clients are open or running, then press "Fix Checked", and save the log.

The O17 entries I highlighted in red are particularly troubling, as they relate to websites known to be involved with CWS and identity theft. I'd like you to go to Trend Micro Antispyware For The Web, and follow the instructions there to do a full system scan-and-clean. Follow that with a full system scan-and-clean at Trend Micro Housecall - again, read, understand, and carefully follow the instructions. While you're there, also check to see that you have the latest CWShredder. Don't run CWShredder again just yet, just make sure yours is the latest version. If Trend AntiSpyware or Trend Housecall report anything they found but could not clean or delete, record the exact full path of the item(s), and include that when you post your logs later.

Now, update Ad-Aware SE, EWIDO, Microsoft Antispyware, and Spybot S&D. Don't scan with them yet, just update them. When all have been updated, boot into safe mode.

Run CWShredder, selecting "Scan and Fix" - and when it has completed, then run full scan-and-fix operations with Ad-Aware SE, EWIDO, and Spybot S&D - all while in safe mode. When all those have been done, run a scan-and-fix with CWShredder one more time - again, while in safe mode. When all that has been completed, run one more full scan-and-clean with CCleaner.

When that has been completed, reboot normally, immediately run HJT, fixing nothing, just saving the log. Next, run EWIDO once more, also saving the log. When that has been done, navigate back to this thread and post the requested logs (1 HJT, 2 EWIDO), and the pertinent info, if any, from Trend Micro.
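A small triage script for logs in this shape, added here as an example; it is not code from the thread or from HijackThis's author. It flags the entry classes the reply above singles out: O17 NameServer values that are not the DNS servers the ISP is expected to assign, hooks and BHOs whose backing file is missing, and O16 ActiveX (DPF) downloads from hosts that are not on an allowlist. The expected-DNS set (192.0.2.53 is a documentation address standing in for the real ISP resolver), the host allowlist, and the sample lines (a constructed subset in the shape of the log posted above) are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis log posted above (a subset, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.com/
R3 - URLSearchHook: (no name) - {60164819-6C79-825A-2869-742E50FB9997} - iehelper.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122307347390
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 192.0.2.53
"""

# Assumed baseline for the demo: the DNS server(s) the ISP is expected to hand out
# (192.0.2.53 is a documentation address standing in for the real one) and the
# hosts from which ActiveX (O16 DPF) downloads are considered acceptable.
EXPECTED_DNS = {"192.0.2.53"}
ALLOWED_DPF_HOSTS = {"update.microsoft.com", "security.symantec.com"}

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)\s*$")
URL_RE = re.compile(r"https?://\S+")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, line) for every line with the HJT 'Oxx - body' shape."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def host_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def triage(text, expected_dns=EXPECTED_DNS, allowed_dpf_hosts=ALLOWED_DPF_HOSTS):
    """Return the entries a reviewer would look at first, in log order."""
    findings = []
    for section, body, line in parse_entries(text):
        if body.endswith("(file missing)"):
            # A hook or BHO whose DLL is gone: leftover registration, safe to fix.
            findings.append(Finding(section, "references a missing file", line))
        elif section == "O17":
            m = NAMESERVER_RE.search(body)
            servers = m.group("servers").split(",") if m else []
            rogue = [s for s in servers if s not in expected_dns]
            if rogue:
                # Resolvers the ISP did not assign: the DNS-hijack indicator the thread warns about.
                findings.append(Finding(section, "NameServer outside expected set: " + ", ".join(rogue), line))
        elif section == "O16":
            m = URL_RE.search(body)
            if m and host_of(m.group()) not in allowed_dpf_hosts:
                findings.append(Finding(section, "DPF download from non-allowlisted host " + host_of(m.group()), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the sample it reports the R3 hook with the missing DLL, the miniclip.com DPF download, and the O17 line with both unexpected resolvers. The O17 check compares against what the ISP should have configured rather than against a blocklist of bad addresses, so it catches a redirected resolver even when the address has never been seen before.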
 
Kepar
 
Reply Mon 15 Aug, 2005 07:19 pm
error 0x8007007f
Okay, I've tried to run the online Trend Micro spyware scan. When it asks me whether to save or run, I click run. It attempts to download, but before the program boots, I get a Windows popup error message. The error message heading reads "An unexpected problem was encountered", and the message reads "Error #: 0x8007007f".
I ran the online Trend Micro Housecall scan without a hitch. After that I ran the Panda Software scan. I'm currently following the rest of the directions and will post results soon.
 
Kepar
 
Reply Mon 15 Aug, 2005 08:46 pm
abi network scan results round 2
Timberlandko,
I tried to do everything you told me to. As mentioned in my previous post, I ran into trouble trying to run the Trend Micro antispyware scan. The Housecall scan came back clean. I ran the full Panda scan; results are posted below.
Panda scan results:


Incident Status Location

Adware:adware/ncase No disinfected C:\TEMP\salm_kyf.dat
Adware:adware/elitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\OSDEB.OSD
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/wupd No disinfected C:\PROGRAM FILES\AdTools Service
Spyware:spyware/wareout No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Laurie\My Documents\Downloaded programs\Get rid of Aurora Software\Nailfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Laurie\My Documents\Downloaded programs\Get rid of Aurora Software\Nailfix.zip[Process.exe]
Adware:Adware/Twain-Tech No disinfected C:\Documents and Settings\Zach\Local Settings\Temp\twaintec.inf


Following are the results of the first Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:25:51 PM, 8/15/2005
+ Report-Checksum: 7C801D4

+ Scan result:

:mozilla.6:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Laurie\Application Data\Mozilla\Firefox\Profiles\vpc8cl77.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Laurie\Cookies\laurie@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Laurie\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.5:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.19:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.20:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00269765.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.10:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.19:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.20:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.21:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00269766.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.10:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.20:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.32:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00269767.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.6:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.18:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.20:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.33:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\00269774.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.6:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.10:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.18:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.20:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\00269787.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.6:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.9:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.18:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.19:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.20:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.21:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.23:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.35:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\00269788.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.8:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.18:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.21:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.23:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.24:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.36:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\RECYCLER\NPROTECT\00269789.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.11:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.12:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.13:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.14:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.15:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.17:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.18:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.19:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.22:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.24:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.25:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.37:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\RECYCLER\NPROTECT\00269801.MOZ -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End


Next are the HJT results:
Logfile of HijackThis v1.99.1
Scan saved at 9:45:43 PM, on 8/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Laurie\Local Settings\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no name) - {60164819-6C79-825A-2869-742E50FB9997} - iehelper.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/hamsterball/raptisoftgameloader.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122307347390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Finally the results of the 2nd Ewido scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:17:29 PM, 8/15/2005
+ Report-Checksum: ED6672F6

+ Scan result:

No infected objects found.


::Report End
 
timberlandko
 
Reply Tue 16 Aug, 2005 12:41 pm
When you tried to run Housecall, did you have your own antivirus and/or adstopper/popupblocker running? That might have been the problem. Oh, well.

Also, HiJackThis is still in the temporary folder: (C:\Documents and Settings\Laurie\Local Settings\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe). Please go to Start>Control Panel>Add/Remove Programs, and if HJT appears there, uninstall it. While you're in Add/Remove Programs, please also uninstall the AOL toolbar if it appears there. Then locate and delete the folder C:\Documents and Settings\Laurie\Local Settings\Temp\Temporary Directory 2 for hijackthis_199.zip - delete just the folder Temporary Directory 2 for hijackthis_199.zip, not the entire "Documents and Settings\Laurie\Local Settings\Temp" folder.

Open "My Computer", then open your C: drive folder. Scroll to find C:\Programs. Open that folder; all your installed programs should be there, in folders of their own. Go to the Program folder's toolbar, select "Tools" >"New" > "Folder". Name the new folder "HJT" or "HiJackThis". Now, download a fresh copy of HiJackThis into that folder. When the download has completed, right-click on the .zip file, select "Extract all", and follow the prompts. When the extraction has completed, open the new, unzipped folder which has appeared, and you'll find HJT's icon. Right-click the icon, and select "Send to" >"Desktop (create shortcut)", to place a shortcut to HJT on the desktop. Use that shortcut to launch HJT from now on.

I'd like you to download WinsockXPFix. Don't do anything with it yet, just download it and remember where it is. You should already have downloaded and saved LSPFix ... we may need one, the other, or both, or we may not need either, but make sure you've downloaded both and know where they are.

Download SilentRunners. Don't do anything with it right now, just download it and remember where it is. See the tutorial HERE and be certain you know how to run it and save the log when called for.

Download Cleanup and install it to your Program folder. Read the documentation HERE. Don't do anything with it yet, just download and install it. One important note: when run, Cleanup will remove ALL temporary files, so make sure nothing you want to keep is in a temporary file.

Now, update Ad-Aware SE - just update it, then close it. You should already have downloaded and installed Ad-Aware SE's VX2Cleaner Plugin - if not, do so now.

Now, disconnect from the internet, shut down or disable all resident security/privacy software, and try running HJT again using the new shortcut on your desktop, in normal mode and while not connected to the internet, and WITH NO OTHER WINDOWS OR BROWSERS OPEN, NO EMAIL, MESSAGING, OR CHAT CLIENTS OR OTHER APPS RUNNING - use Task Manager (Ctrl+Alt+Delete or Ctrl+Shift+Esc) to shut everything down, and be sure your own resident antivirus and security/privacy software are not running.

Then, with ONLY HJT running, place a checkmark next to each of the following:

R3 - URLSearchHook: (no name) - {60164819-6C79-825A-2869-742E50FB9997} - iehelper.dll (file missing)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O8 - Extra context menu item: AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/hamsterball/raptisoftgameloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12


Select "Fix Checked", and when that has completed, locate and delete the folder C:\Program Files\AOL\AOL Toolbar 2.0 (delete just the AOL Toolbar 2.0 folder, not the entire AOL folder), then run a full scan-and-clean with CCleaner (CCleaner this time, not Cleanup).

Boot into safe mode, launch Ad-Aware SE, and run the VX2 Cleaner plugin. Follow that with a full scan-and-clean by Ad-Aware SE (FIX EVERYTHING FOUND). Do not reboot unless prompted by Ad-Aware SE to do so to permit cleaning operations to be completed.

When Ad-Aware SE has completed, run Cleanup (Cleanup, NOT CCleaner) - it'll take a while, so be patient. When it has completed, reboot normally, but do not connect to the internet. Run another full scan-and-clean with Ad-Aware SE, then run Cleanup one more time (which should go much more quickly this time around). When prompted by Cleanup, reboot normally. Do not connect to the internet.

Locate and run SilentRunners, saving the log. Then, with no browsers, other windows, or apps running, run just a scan-and-save-log with HJT.

Now, re-enable your security/privacy software, connect to the internet, navigate back to this thread, and post the new HJT log and the SilentRunners log.
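The two kinds of HJT entry fixed in the post above, a hook whose DLL is missing and O17 NameServer values pointing at public DNS servers the machine's owner never configured, are exactly what a log triage step can flag automatically. The following Python script is an added example for this thread, not code from HijackThis or from anyone posting here: it parses HJT-style lines, treats private/loopback resolvers and an explicit trusted list as expected, and reports everything else. The sample log is constructed from lines in the posted log (plus one constructed clean O17 line with a placeholder GUID); the trusted-resolver list is an assumption you would fill with your ISP's or company's resolvers.

```python
"""Triage helper for HijackThis-style logs (added example, not part of HJT)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# plus one O17 line with a private-range resolver (constructed, placeholder GUID)
# so that the "expected resolver" path is exercised too.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
R3 - URLSearchHook: (no name) - {60164819-6C79-825A-2869-742E50FB9997} - iehelper.dll (file missing)
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FACF404-40C2-4EC9-B0E1-8CDC5504EB32}: NameServer = 69.50.176.198,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{PLACEHOLDER-GUID}: NameServer = 192.168.1.1
"""

# Every HJT entry has the shape "<kind> - <body>", e.g. "O17 - HKLM\...".
HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
NAMESERVER = re.compile(r"NameServer = (?P<servers>[0-9.,\s]+)$")


@dataclass
class Finding:
    kind: str      # HJT section code, e.g. "R3" or "O17"
    reason: str    # why the line was flagged
    line: str      # the offending log line, verbatim


def parse_nameservers(body: str) -> List[str]:
    """Return the comma-separated resolver list from an O17 entry body."""
    m = NAMESERVER.search(body)
    if not m:
        return []
    return [s.strip() for s in m.group("servers").split(",") if s.strip()]


def is_expected_resolver(ip_text: str, trusted: set) -> bool:
    """A resolver is expected if it is a private/loopback address (home router,
    internal DNS) or explicitly listed as trusted. Anything else is suspicious."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable text in a NameServer value is itself odd
    return ip.is_private or ip.is_loopback or ip in trusted


def triage(log_text: str, trusted_resolvers: Iterable[str] = ()) -> List[Finding]:
    """Scan HJT log lines and return findings for the two entry classes that
    were fixed in this thread: orphaned hooks and redirected DNS settings."""
    trusted = {ipaddress.ip_address(t) for t in trusted_resolvers}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O17":
            unexpected = [s for s in parse_nameservers(body)
                          if not is_expected_resolver(s, trusted)]
            if unexpected:
                findings.append(Finding(
                    kind,
                    "NameServer points at public resolver(s) not on the trusted list: "
                    + ", ".join(unexpected),
                    line))
        elif "(file missing)" in body:
            # HJT marks hooks/BHOs whose DLL no longer exists; the registry
            # reference is left over from a removed component and should go.
            findings.append(Finding(
                kind, "entry references a DLL that is missing (orphaned hook)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run against the sample, the script flags the orphaned R3 URLSearchHook and both O17 lines carrying 69.50.176.198 and 85.255.112.12, while the constructed 192.168.1.1 entry passes as a private-range resolver. The same check applied to the post-cleanup log should return no O17 findings at all, which is the quick confirmation the thread is looking for.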
 
Kepar
 
Reply Tue 16 Aug, 2005 01:50 pm
unfound entries
Hello again Timber,
Thanks for taking the time to help. I am in the process of following your instructions, so I hope you'll be around a bit. I uninstalled the AOL toolbar as per your request. When I ran the fresh HJT from its new location, none of the AOL-related entries were present:
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O8 - Extra context menu item: AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

I'm now in the process of following the remainder of the instructions and will post soon.
 
Kepar
 
Reply Tue 16 Aug, 2005 03:32 pm
Updated HJT and Silent Runners Logs
Timber,
I'm feeling optimistic; I don't see any of that O17 stuff in the latest HJT log. Hope you have good news for me.

Silent runners file:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs LLC"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"Winamp Player 6" = "WINAMP6.EXE" [file not found]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"AcctMgr" = "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup" ["Symantec Corporation"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{336B02CE-F88A-4aea-8731-79EF94D3723A}" = "Free AOL & Unlimited Internet.url"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\aod\aodshext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cseac.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Laurie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Laurie" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Earl" -> launches: "C:\PROGRA~1\NORTON~2\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" [null data]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQToolbar\toolbaru.dll" ["ICQ Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]

{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" ["ICQ Inc."]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):
"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQToolbar\toolbaru.dll" ["ICQ Inc."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
EpsonBidirectionalService, EpsonBidirectionalService, "C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE" ["Symantec Corporation"]
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs LLC"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 63 seconds, including 18 seconds for message boxes)


HJT file:

Logfile of HijackThis v1.99.1
Scan saved at 5:14:08 PM, on 8/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.charter.net/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Winamp Player 6] WINAMP6.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122307347390
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
0 Replies
 
timberlandko
 
  1  
Reply Tue 16 Aug, 2005 04:53 pm
That looks clean to me, so yeah, good news - seems we got 'em all. I'd say test things for a while - and of course stay absolutely current on all of your updates. If after a fair period of normal use, things seem to stay normal and you're satisfied all is as it should be, you can delete the tools you won't be using any more (they won't hurt anything, but they do take up some disk space) - though I strongly recommend keeping, using, and maintaining updates for Ad-Aware SE, CCleaner, and/or Cleanup, Microsoft Antispyware, Spybot S&D and SpywareBlaster. When you're ready, run Cleanup one more time while in safe mode, then defrag your machine, re-enable System Restore, boot back into safe mode, and when the system has fully booted, set a fresh restore point. Reboot normally, Stay Safe Out There, and you're good to go. I think we can mark this one resolved, but if you find otherwise, jump right back here with the details - shouldn't be any problems, though.


Optionally, you might want to have HJT fix these before you wrap things up:

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe


None of these are malicious, they're just unnecessary startups. Removing them from the Startup folder will not affect the functionality of the associated apps, but will keep them from loading every time Windows boots, slightly speeding bootup and freeing a small amount of system resources. No biggie either way; I doubt you'll really see a noticeable improvement if you do "fix" them, though you might.
0 Replies
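An added example, not code from the thread: a small Python parser for the HijackThis line format quoted above, turning O2, O4, O16 and O23 lines into records so the O4 autostart entries under discussion can be listed by name and path. The sample lines are copied from the log in this thread; the record fields and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
"""
CLSID = r"\{[0-9A-Fa-f-]+\}"

@dataclass
class HjtEntry:
    section: str                  # "O2", "O4", "O16", "O23", ...
    kind: str                     # "BHO", "HKLM\..\Run", "DPF", "Service", ...
    name: str                     # display name, or "(no name)"
    target: str                   # DLL/EXE path or URL, arguments stripped
    clsid: Optional[str] = None   # COM entries (R3/O2/O3/O9/O16)
    owner: Optional[str] = None   # O23 only: vendor string HJT reports

def program_path(cmd: str) -> str:
    """Path from a Run-key command line: a quoted path ends at the closing quote;
    an unquoted one is kept whole, as spaces cannot be told apart from arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd

def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    sec, rest = m.groups()
    if r := re.match(r"^(.+?): \[(.+?)\] (.*)$", rest):                     # O4 Run keys
        return HjtEntry(sec, r[1], r[2], program_path(r[3]))
    if r := re.match(r"^(Global Startup|Startup): (.+?) = (.*)$", rest):    # O4 folders
        return HjtEntry(sec, r[1], r[2], r[3])
    if r := re.match(rf"^(DPF): ({CLSID}) \((.*?)\) - (.*)$", rest):        # O16 ActiveX
        return HjtEntry(sec, r[1], r[3], r[4], clsid=r[2])
    if r := re.match(r"^(Service): (.+?) - (.+?) - (.*)$", rest):           # O23 services
        return HjtEntry(sec, r[1], r[2], program_path(r[4]), owner=r[3])
    if r := re.match(rf"^(.+?): (.+?) - ({CLSID}) - (.*)$", rest):          # R3/O2/O3/O9 COM
        return HjtEntry(sec, r[1], r[2], r[4], clsid=r[3])
    return None

def parse_hjt_log(text: str) -> list:
    return [e for e in map(parse_hjt_line, text.splitlines()) if e]

def startup_items(entries) -> list:
    """(name, path) of every O4 autostart: the entries reviewed for removal above."""
    return [(e.name, e.target) for e in entries if e.section == "O4"]
```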
 
Kepar
 
  1  
Reply Tue 16 Aug, 2005 05:33 pm
many thanks
Timberlandko,
You are a very good person. I thank you so much for taking the time to work with me. I know that this Aurora thing, I'm not even sure what to call it, has plagued many many people. Have you any idea of what my friends must have clicked on in order to install this junk into their machine? Also, you mentioned concerns over the "017" listings in one of the earlier HJT logs. Should they be taking any steps through their credit agencies or banks or should they just closely monitor their accounts for a while? Again, thank you so much.
0 Replies
 
timberlandko
 
  1  
Reply Tue 16 Aug, 2005 05:52 pm
Tell your friends to keep a close eye on their financial accounts for a while, just to be sure. It also would be a very good idea to change ALL passwords and PINs - and remember, a good password should be no fewer than 7 characters, not be a real word or name, and should incorporate digits, "special characters" (such as !, @, #, $, %, ^, &, _, etc.), and should use both upper and lower case letters. For example, $3cuR1T. No sense making it easy for the badguys.

As to how anyone gets infected, generally the best answer is that any combination of unpatched, outdated operating systems and browsers, ineffectively configured and inadequately updated security/privacy software, and poor browsing/email/chat practice will nail you almost every time. Put 'em all together, and you're about as safe as you would be laying flat in the middle of a busy intersection at night wearing dark clothes - you're gonna get hit, and hit bad.
0 Replies
 
Kepar
 
  1  
Reply Tue 16 Aug, 2005 06:27 pm
faith
Timberland, Thank you again. It's really too bad that there are so many nasty people out there making trouble. It is people like you and sites like "able2know" that restore my faith in the "good guys" of the world. Thank you, again. I hope I won't be here again, but it is good to know that if I need help, you are here.
0 Replies
 
 
