Full Version: Need Help!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
ctrl alt delete
Hi
Last week I was searching for anime and went to a site that I have been to before. I don't even think I clicked anything when this warning popped up. It said I was infected and "windows" was currently downloading the latest antivirus. It happened to be "SpySheriff". I looked on a different computer on how to get rid of it, followed the instructions. It also said it came with a few other infections.

The guide told me to download things like Cleanup! Hijackthis and Ewido. What was interesting, is every time I logged on to my Windows XP profile Ewido would find an infected object called TrojanDownloader.PurityScan.af and things like TrojanDownlader.small. It seems no matter how many times I clean, or run different virus scans, or spyware and adaware removals even in safe mode, these things keep reinfecting my computer.

I am now using FireFox instead of IE because every time I opened IE I would get these warnings in grey and popups would follow. At times I would get 'page cannot be displayed' when my net was clearly working. I wonder if it was linked to my MSN automatically opening on startup too. Since I've opened neither, I've had no popups. But I'd like to get my computer back to normal.

It also seems there were many Windows updates I should have done and never did. Now someone who was helping me at home wonders if a virus could be interrupting my update downloads right now.

I've asked everyone I know and no one knows what's up with my computer. Can you please help?
Autodad
Hi ctrl alt delete

Let's have a look at your HJT Log.
Go here and download 'Hijack This!'. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
Click on the entry in start menu or on the desktop to run HijackThis.

Run the program, and press "Do a system scan and save a logfile".
After HJT runs, the log will show (notepad will open).
After notepad opens, click Edit – Select All, then Edit – Copy.
Then paste that log onto this topic.

DO NOT Delete or modify anything yet, as some of it is needed to keep your system in Good Shape.

Follow this link http://home.planet.nl/~kleyn080/hijackthi-- The nicest hobby on Earth ;) --planation.html if you need help.
ctrl alt delete
Question, does it need to be run in normal or safe mode? This was done in normal.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:56 AM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent003.dll (file missing)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2487b336f515f8f58515/...ip/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?315
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{396BA175-4D10-4AF1-91CA-D7ADAFB7D742}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE8B23-46DE-46EE-8B93-CDD2479EC428}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{53A6D3E7-5DBB-49E8-B52A-955B682DF5CB}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF24F60-778A-4814-B33B-6CED8D67EEFE}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O21 - SSODL: 2E06F2C0-6EF6-41AD-81A2-789528F1251D - {A4910D9B-24FE-238D-FB4E-B559F97DEFF4} - c:\program files\aim games\crystal maze\wweyk8.dll (file missing)
O21 - SSODL: System - {B997BAD1-5AA6-48B1-B3A9-CF632E67A0A6} - ssmc.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\holikaad.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\lnckedei.dll (file missing)
O21 - SSODL: SysTray.Exlv - {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} - C:\WINDOWS\System32\djfaeige.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Jelidcbn.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
Autodad
Hi ctrl alt delete,

It gets run in normal mode. Most scans, tools, etc. will be run in normal mode unless asked to use Safe mode.
If you have any of these tools already, please make sure they are the latest version and are updated (if applicable).
I also don't see any Anti-virus..... More on that later.


It will help to print this out, as you won't be able to see this in Safe mode


Download smitRem from here, and save the file to your desktop.

http://noahdfear.geekstogo.com/smitRem.exe

Double-click it and choose install. This will create a new folder on your desktop with the name smitrem.
_ _ _ _

Please download, install, and update the free version of Ewido trojan scanner:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful").

But don't run it yet.
_ _ _ _

If you don't already have Ad-Aware SE 1.06, please get it here:

http://www.lavasoftusa.com/support/download/

Install it, then update it, but don't run it yet.
__________________

Then, reboot to Safe mode (tap F8 while restarting).

Open Hijackthis, click Scan, then put a check next to the following entries:

O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent003.dll (file missing)

O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.asdbiz.biz (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.178.84

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2487b336f515f8f58515/...ip/RdxIE601.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab

O21 - SSODL: 2E06F2C0-6EF6-41AD-81A2-789528F1251D - {A4910D9B-24FE-238D-FB4E-B559F97DEFF4} - c:\program files\aim games\crystal maze\wweyk8.dll (file missing)
O21 - SSODL: System - {B997BAD1-5AA6-48B1-B3A9-CF632E67A0A6} - ssmc.dll (file missing)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - C:\WINDOWS\System32\holikaad.dll (file missing)
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\System32\lnckedei.dll (file missing)
O21 - SSODL: SysTray.Exlv - {5368DCFC-4F5C-4f5b-B134-E67294FC78E9} - C:\WINDOWS\System32\djfaeige.dll (file missing)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Jelidcbn.dll (file missing)

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)



Now Close all open Windows (have only HJT open) and click "Fix Checked".


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
_ _ _

Open Ad-aware and do a full scan. Remove all it finds.
_ _ _

Run ewido, click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to your next reply.
__________

Then reboot normally.


Then please download DelDomains.inf, made by Winhelp2002. Right-click and select: Save Target As
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Note, if you use SpywareBlaster and or IESpyad, it will be necessary to re-install the protection both provide. For SpywareBlaster, run the program and 're-enable all protection'. For IESpyad, run the batch file and reinstall the protection.


Next, take a free Online Virus scan at Panda ActiveScan
If any infected files are found, delete them.
Then please post the log from them.

Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log.
More work will be needed.
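The fix list above is the result of reading the log by hand: load points whose target file is gone (the O2 BHO, the six O21 SSODL entries, the O23 service), the O15 Trusted Zone additions, and the two O16 ActiveX controls. The O17 NameServer lines, which set every network interface's DNS to the same two fixed addresses, are not in that list; whether they are the ISP's resolvers is something only the machine's owner can verify. As an added example that is not part of this thread or of HijackThis itself, the script below parses an HJT 1.99-style log and applies those same rules mechanically, flagging O17 entries whose servers are not on an allowlist the analyst supplies. SAMPLE_LOG is a constructed excerpt modelled on the log posted above (the O16 URL path is shortened), and KNOWN_DNS holds a hypothetical resolver address; the script narrows what to read, it does not decide what to fix.

```python
"""Triage a HijackThis 1.99-style log and list the entries worth a second look.

Added example for this thread; not part of HijackThis or of the original post.
SAMPLE_LOG is a constructed excerpt modelled on the log above (the O16 URL path
is shortened); KNOWN_DNS is a hypothetical resolver the analyst supplies.
"""
import re
from dataclasses import dataclass

# HJT lines look like "O17 - HKLM\...: NameServer = 1.2.3.4,5.6.7.8"
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Sections that are load points: what is listed here runs at boot, logon or IE
# start, so a missing target is either a dead remnant or a stub that gets re-created.
LOAD_POINTS = {"O2", "O4", "O20", "O21", "O23"}

KNOWN_DNS = frozenset({"192.0.2.53"})  # hypothetical ISP resolver (TEST-NET-1 address)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for every O/R/F/N line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def host_of(url):
    """Return the host part of the http(s) URL that ends an O16 line."""
    return re.sub(r"^https?://", "", url).split("/")[0]


def triage(log_text, dns_allowlist=KNOWN_DNS):
    """Return the Findings for one log, in log order."""
    findings = []
    for section, body, line in parse_entries(log_text):
        if section in LOAD_POINTS and "(file missing)" in body:
            findings.append(Finding(section, "load point whose target file is missing", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with no publisher", line))
        elif section == "O15":
            # Trusted Zone sites and ranges get looser IE settings than the Internet zone.
            findings.append(Finding(section, "Trusted Zone addition", line))
        elif section == "O16":
            # Heuristic: a Downloaded Program Files control fetched from a bare IP.
            url = body.rsplit(" - ", 1)[-1]
            if IP_RE.fullmatch(host_of(url)):
                findings.append(Finding(section, "ActiveX control downloaded from a bare IP", line))
        elif section == "O17":
            unknown = sorted(set(IP_RE.findall(body)) - set(dns_allowlist))
            if unknown:
                findings.append(Finding(section, "NameServer not on allowlist: " + ", ".join(unknown), line))
    return findings


SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9C5875B8-93F3-429D-FF34-660B206D897A} - C:\WINDOWS\System32\performent003.dll (file missing)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O15 - Trusted Zone: *.asdbiz.biz
O15 - Trusted IP range: 67.19.178.84
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/constructed-path/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O21 - SSODL: System - {B997BAD1-5AA6-48B1-B3A9-CF632E67A0A6} - ssmc.dll (file missing)
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Run against the excerpt it reports seven entries: the dead BHO, both Trusted Zone lines, the RdxIE control served from an IP address, the O17 NameServer pair, the SSODL stub and the cmdtel.exe service. O9 buttons such as the BitDefender uninstaller are deliberately not flagged: they are IE toolbar entries, not load points.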
ctrl alt delete
Here's the logs sorry it took so long.

Panda Scan

Incident Status Location

Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vxgame6.exe
Adware:adware/azesearch No disinfected C:\WINDOWS\SYSTEM32\ztoolbar.xml
Spyware:spyware/searchcentrix No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\City Mp3 Trust Error\Wipe safe.exe
Virus:Bck/SmallHTTP.C Disinfected C:\Program Files\internet explorer\shttps\http.exe
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Virus:Trj/Shellbot.B Disinfected C:\WINDOWS\system\svchost.exe
Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\10735486.exe
Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\25264017.exe
Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\2895763.exe
Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\436858.exe
Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\67029893.exe
Adware:Adware/Tubby No disinfected C:\WINDOWS\system32\70342907.exe
Virus:Trj/Downloader.EQS Disinfected C:\WINDOWS\system32\cszdl.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts.20050913-200325.backup
Possible Virus. No disinfected C:\WINDOWS\system32\svcdl32.exe
Security Risk:Application/Restart No disinfected C:\WINDOWS\system32\Tools\Restart.exe
Virus:Trj/Sapilayr.B Disinfected C:\WINDOWS\system32\vxgame6.exe
Virus:Trj/Multidropper.AVO Disinfected C:\WINDOWS\wmplayer.exe

I couldn't find the MediaTicketsInstaller folder on my computer, and I also couldn't find the one located in Windows Registry.

Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:43:30 PM, 9/24/2005
+ Report-Checksum: B951C786

+ Scan result:

:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\srxej62z.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\srxej62z.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.130:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.131:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Tina\Application Data\Mozilla\Firefox\Profiles\m7e6t3ed.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup


::Report End

HiJackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:30:42 AM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?315
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{396BA175-4D10-4AF1-91CA-D7ADAFB7D742}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE8B23-46DE-46EE-8B93-CDD2479EC428}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{53A6D3E7-5DBB-49E8-B52A-955B682DF5CB}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF24F60-778A-4814-B33B-6CED8D67EEFE}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe

SmitFile


smitRem log file
version 2.5

by noahdfear

The current date is: Sat 09/24/2005
The current time is: 10:05:49.04

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

One concern of mine.
There is a peculiar looking file called svchost.exe under my system32 folder. I realise that svchost is a useful thing running in task manager ... but I thought it wasn't supposed to have .exe on the end of it. Also, this file has NO PICTURE when you view as tiles.
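On the svchost.exe question: the running-process list in both logs shows C:\WINDOWS\system32\svchost.exe, which is where the genuine Service Host lives, and it does carry the .exe extension, so the name alone is not the problem. What the Panda scan found was a second copy at C:\WINDOWS\system\svchost.exe (Trj/Shellbot.B), one directory away from the real one, which is the usual trick: borrow a name nobody questions in Task Manager and put it where a quick glance will not tell it apart. Whether a file shows an icon in Tiles view says nothing either way. The check that does work is location plus identity. The script below is an added example, not part of this thread or of any tool named in it: it walks a Windows directory, flags any file carrying a core binary's name that sits outside that binary's canonical directory, and records a SHA-256 so the file can be compared against a known-good copy or submitted to a scanner. The CANONICAL table and the throwaway sample tree are constructed for illustration; on a real machine, point find_masquerades at C:\WINDOWS.

```python
"""Find copies of core Windows executables that live outside their canonical
directory, e.g. a svchost.exe under WINDOWS/system instead of WINDOWS/system32.

Added example for this thread; not part of the original post or of any tool
named in it. CANONICAL is a constructed table of expected locations (relative
to the Windows directory); build_sample_tree() creates a throwaway layout that
mirrors the paths the Panda scan in the thread reported.
"""
import hashlib
import os
import tempfile

# name -> directories (relative to the Windows dir, case-insensitive) where a
# genuine copy may live. dllcache holds Windows File Protection's spare copy.
SYSTEM32 = {"system32", os.path.join("system32", "dllcache")}
CANONICAL = {
    "svchost.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "explorer.exe": {".", os.path.join("system32", "dllcache")},  # "." = the Windows dir itself
}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_masquerades(windows_root, canonical=CANONICAL):
    """Return sorted [(path, sha256)] for files named like a core binary but
    sitting in a directory where the genuine one never lives."""
    hits = []
    for dirpath, _subdirs, files in os.walk(windows_root):
        rel_dir = os.path.relpath(dirpath, windows_root).lower()
        for name in files:
            allowed = canonical.get(name.lower())
            if allowed is None:
                continue  # not a name we track
            if rel_dir not in {a.lower() for a in allowed}:
                full = os.path.join(dirpath, name)
                hits.append((full, sha256_of(full)))
    hits.sort()
    return hits


def build_sample_tree():
    """Constructed layout: placeholder copies in the right places plus the
    WINDOWS/system/svchost.exe the Panda scan in this thread reported."""
    root = tempfile.mkdtemp(prefix="winroot_")
    layout = {
        os.path.join("system32", "svchost.exe"): b"placeholder for the real binary",
        os.path.join("system32", "dllcache", "svchost.exe"): b"placeholder for the real binary",
        os.path.join("system", "svchost.exe"): b"not the real binary",
        os.path.join("system32", "Tools", "Restart.exe"): b"unrelated file, not in the table",
        "Explorer.EXE": b"placeholder for the real binary",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, digest in find_masquerades(build_sample_tree()):
        print(f"{path}\n    sha256={digest}")
```

On the sample tree only system\svchost.exe is reported; the system32 and dllcache copies and Explorer.EXE in the Windows directory itself are where they belong, and Tools\Restart.exe is ignored because its name is not in the table. A hash on its own only identifies a file, it does not vouch for it: compare it against the copy in system32\dllcache or a known-good install before deciding.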
Autodad
Hi,

Set Windows to view hidden and system files:
Open the Windows Explorer | Tools | Folder Options - View [tab]:

Scroll down to the "Files and Folders" section.
Select: "Display the contents of system folders".

Scroll down to the "Hidden Files and Folders" section.
Select: "Show hidden files and folders", Ok the prompt
Uncheck: "Hide file extensions for known file types"
Uncheck: "Hide protected operating system files" Ok the Prompt, click Apply

Click the "Apply to all Folders" button. Close Windows Explorer.

After you're cleaned, please "rehide" them again.
_ _ _ _

Please download KillBox by Option^Explicit from Here
Save it to your Desktop, don't just run it from the download site.

Open KillBox. Then on killbox top bar press tools and then "Delete Temp Files" then "OK".

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\10735486.exe
C:\WINDOWS\system32\25264017.exe
C:\WINDOWS\system32\2895763.exe
C:\WINDOWS\system32\436858.exe
C:\WINDOWS\system32\67029893.exe
C:\WINDOWS\system32\70342907.exe
C:\WINDOWS\system32\cszdl.exe
C:\WINDOWS\system32\svcdl32.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\SYSTEM32\vxgame6.exe
C:\WINDOWS\SYSTEM32\ztoolbar.xml
C:\WINDOWS\System32\cmdtel.exe
C:\Program Files\internet explorer\shttps\http.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\Documents and Settings\All Users\Application Data\City Mp3 Trust Error\Wipe safe.exe



Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Before you reboot, close this window and all windows and programs!

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.


After the reboot, delete these folders in bold:

C:\Program Files\internet explorer\shttps\

C:\Documents and Settings\All Users\Application Data\City Mp3 Trust Error\



Open Hijackthis, click Scan, then put a check next to the following entries:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)



Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".


Then reboot normally, and please post a new HJT Log.


svchost.exe is a legit file, as long as it's in your system32 folder:
C:\WINDOWS\system32\svchost.exe

If it's in any other location (C:\WINDOWS\svchost.exe) then it's a baddy.

http://www.liutilities.com/products/wintas...ibrary/svchost/
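As an added triage example (not code from this thread or from HijackThis), a small Python parser for the HJT log lines posted here: it applies the svchost.exe location rule above, flags O23 services with "Unknown owner" or "(file missing)", and flags O17 NameServer entries that are not on an allowlist. The sample log is constructed from lines in this thread, and the allowlist (192.168.1.1) and the C:\WINDOWS system directory are assumptions.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format: the O17 and O23 lines are copied
# from the log posted in this thread, the second svchost.exe path is made up for the test.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
SYSTEM32 = r"c:\windows\system32" + "\\"   # assumed: every log on this page shows C:\WINDOWS
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")

def parse_hjt(text):
    """Split an HJT log into (running processes, O17 entries, O23 entries)."""
    processes, o17, o23 = [], [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True            # the process list runs until the first blank line
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = O17_RE.match(line)
        if m:
            o17.append((m["key"], m["servers"].split(",")))
        m = O23_RE.match(line)
        if m:
            o23.append((m["name"], m["owner"], m["path"], bool(m["missing"])))
    return processes, o17, o23

def flag_svchost(processes):
    """svchost.exe running from anywhere but %windir%\\system32 (the rule given above)."""
    return [p for p in processes
            if p.lower().endswith(r"\svchost.exe") and not p.lower().startswith(SYSTEM32)]

def flag_dns(o17, trusted):
    """O17 entries naming a resolver outside the allowlist the analyst supplies.
    A hit means 'confirm this with the ISP', not 'this is malicious'."""
    hits = []
    for key, servers in o17:
        unknown = [s for s in servers if s not in trusted]
        if unknown:
            hits.append((key, unknown))
    return hits

def flag_services(o23):
    """Services with no vendor string or a missing binary, the shape of the
    'Unknown owner ... (file missing)' O23 line this thread has HJT fix."""
    return [name for name, owner, _path, missing in o23
            if missing or owner == "Unknown owner"]

if __name__ == "__main__":
    procs, o17, o23 = parse_hjt(SAMPLE_LOG)
    # Constructed allowlist: a home router is the only resolver expected here.
    print(flag_svchost(procs), flag_dns(o17, {"192.168.1.1"}), flag_services(o23))
```

A flagged resolver only means it is not on the allowlist you supplied; compare it with the ISP-assigned servers before changing anything.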
ctrl alt delete
Two folders you told me to delete, one previously, and one just today, I could not find. I had all my window - tools - folder options - view settings exactly as you told me, and I could not find them. The CONFLICT.1 folder, and the City Mp3 Trust Error folder. They just aren't there. In fact where the location of the CONFLICT.1 folder should be there are 0 folders.

In HiJackThis in safe mode, I also deleted the WeatherBug one, as I don't want it, and it also said (file missing).

Question, when I copied and pasted all those things into killbox, did it work all at once as I understood your directions? Or should they have been done one at a time?

Here's the HiJackThis log as is.

Logfile of HijackThis v1.99.1
Scan saved at 7:33:16 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?315
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{396BA175-4D10-4AF1-91CA-D7ADAFB7D742}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE8B23-46DE-46EE-8B93-CDD2479EC428}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{53A6D3E7-5DBB-49E8-B52A-955B682DF5CB}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF24F60-778A-4814-B33B-6CED8D67EEFE}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
Autodad
Hi ctrl alt delete,

Well, if the folders aren't there, they're not there! :)
I only said to go to those folders because Panda found them:
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\City Mp3 Trust Error\Wipe safe.exe

Killing the files with Killbox probably took care of them. To be sure, you can run Panda again, then please post the log once more.
_ _ _

Good call "fixing" WeatherBug. :thumbup:
It's "open-to-debate"....

http://castlecops.com/o9list-33.html
http://www.liutilities.com/products/wintas...ibrary/weather/
http://www.2-spyware.com/remove-weatherbug.html

I wouldn't want it on my system either.
Don't forget to delete this folder in bold:
C:\Program Files\AWS\
_ _ _

Using Killbox the way that I posted will "kill" all those files at once.
(They can be "killed" one at a time also, but it is easier and quicker to do it "all at once").
__________


Click Start > Run (type) services.msc
Scroll down to: "Loading Outpost Connections" (KDE)
Highlight, right-click and select: Properties
Select "Service Status" option to "Stop"
Select: "Startup type" set it to "Disabled", click Apply, OK

Close the Services Editor.


Open HijackThis, click "Open the Misc Tools button"
Select: "Delete an NT service..."

(type) Loading Outpost Connections (click Ok)
Note: the "service name is in parentheses"
Click ok.

Reboot, then open Hijackthis, click Scan, then put a check next to the following entry:

O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\System32\cmdtel.exe (file missing)


Now Close all open Windows and browsers (have only HJT open) and click "Fix Checked".

Then reboot and please post a new HJT log (and Panda log if you want to)....
ctrl alt delete
Thanks for all your help Autodad

So I deleted the AWS folder

When I ran HiJackThis, that file you told me to delete was not present.
Can I ask you, why do they say (file missing)? .... OBVIOUSLY because the file is missing, but how and why? Have I deleted it?

Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 6:38:10 PM, on 10/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?315
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{396BA175-4D10-4AF1-91CA-D7ADAFB7D742}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEE8B23-46DE-46EE-8B93-CDD2479EC428}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{53A6D3E7-5DBB-49E8-B52A-955B682DF5CB}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{9AF24F60-778A-4814-B33B-6CED8D67EEFE}: NameServer = 69.50.177.204,85.255.112.25
O17 - HKLM\System\CS1\Services\Tcpip\..\{33C425F1-69E5-4F22-BB60-CDCA667F820A}: NameServer = 69.50.177.204,85.255.112.25
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
Autodad
Hi,

You're welcome.

Sometimes the file is really missing, sometimes it's not (as in this case).
It's the way that HJT reads it sometimes that may give the "file missing"

Stopping the service can make it possible to delete it.


Looks clean, good job!

If you're not having any problems, then here are some suggestions to clean/protect your PC:
(Some may be redundant, so only use those that apply...)

I recommend that you get AdAware SE
Install The Program and Run it. Make Sure You Click the "Check for Updates" Button before starting a scan.
Do a scan with AdAware and Remove Everything it suggests.

Then, also get Spybot: Search and Destroy
Check for Updates first, download ALL Updates and Do a Scan.
When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" Button.

Keep them updated, and run them periodically.
_ _ _ _ _

Then click Start | Run (type) cleanmgr
Select the following:
1) Temporary Internet Files
2) Recycle Bin
3) Temporary Files

When completed Reboot.
_ _ _ _ _

Also go to Windows Update to keep up on all the latest security patches that apply to your PC.
Check the Windows Update site frequently, as new patches come out often. You don't need to install all the updates offered, but ALWAYS get the latest security updates available.
_ _ _ _ _

Then, it is not an option these days to be on the internet without an updated Anti-Virus. If you have one, check it for updates frequently (or set it to "Auto" update). If you don't have one, or can't afford one, a good free one to use is AVG.
Have a look at this link: http://www.mvps.org/winhelp2002/avg7.htm

Just as it is important to have an updated Anti-virus, it's equally important to have a Firewall these days. Again, if you can't afford one, this is a good free one:

Sygate Personal Firewall.
_ _ _ _ _

Then I recommend you clean out your System Restore
Doing this will remove all your restore points, and any infections that might be hanging in there.

Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives".
Click Apply.
Click Yes to do this.
Click OK.
Then Restart your computer.

After you have restarted, turn System Restore back on:
Click Start.
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Uncheck the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply, and then click OK.

Then create a new restore point once you have System Restore back on.
To create a new System Restore Point, click Start -> All Programs -> Accessories -> System Tools -> System Restore.
When the System Restore Utility opens, click "Create a Restore Point" then click Next.
Enter a name for this Restore Point, and click Create.
_ _ _ _ _

Here is a link that explains how to Clear Out Forgotten Programs, Free Up Wasted Space, Defragment Your Computer, etc...

http://www.microsoft.com/windowsxp/using/s...estoreperf.mspx
_ _ _ _ _

Here are some good links to follow to make your Internet Explorer more secure:

http://www.mvps.org/winhelp2002/restricted.htm
http://mvps.org/winhelp2002/unwanted.htm
_ _ _ _ _

Here is some free protection you should also consider:
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies.

IESPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Check them for updates occasionally.


And also see So how did I get infected in the first place?

Let us know if you have any concerns,

Stay safe!