I'm not seeing much from your HJT log. May I have an unanalysed copy of a fresh HJT log?

I would also like a copy of your StartupList

Go to HijackThis> Config> Misc Tools
Checkmark/tick 'list also minor sections (full)'
Click the 'Generate StartupList log' button
Post the log in your next reply

Thank You

 

StartupList report, 10/25/2005, 8:44:00 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\bcollins\Desktop\popups\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\bcollins\Desktop\popups\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
gcasServ = "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - bcollins.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[PCPitstop Utility]
InProcServer32 = C:\WINDOWS\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[iCC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
CODEBASE = http://www.pcpitstop.com/internet/pcpConnCheck.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[HPActiveChat Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\ISPEAC~1.DLL
CODEBASE = http://isupport4.hp.com/awebui/jsp/answerweb/applets/ISPEActiveChat.CAB

[BinAg1 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\BinaryAggregator1.dll
CODEBASE = https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38057.7358796296

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[HeartbeatCtl Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\CONFLICT.1\hrtbeat.ocx
CODEBASE = http://fdl.msn.com/zone/datafiles/heartbeat.cab

[Util Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\motutil.dll
CODEBASE = https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab

[{FA3662C3-B8E8-11D6-A667-0010B556D978}]
InProcServer32 = C:\Program Files\Common Files\Nullsoft\ActiveX\2.0\AmpX.dll
CODEBASE = http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
Creative Service for CDROM Access: C:\WINDOWS\system32\CTSvcCDA.EXE (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HP Configuration Interface Service: C:\WINDOWS\system32\HPConfig.exe (autostart)
HPWirelessMgr: C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe (autostart)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
mdmxsdk: System32\DRIVERS\mdmxsdk.sys (autostart)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe" (autostart)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
PfModNT: \??\C:\WINDOWS\system32\drivers\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
Speed Disk service: C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
StreamDispatcher: System32\DRIVERS\strmdisp.sys (autostart)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
symlcbrd: \??\C:\WINDOWS\system32\drivers\symlcbrd.sys (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
USB-IDE Bridge: system32\DRIVERS\sci1pl.sys (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINDOWS\System32\MsPMSPSv.exe (autostart)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 13,148 bytes
Report generated in 0.450 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

I'm still not seeing anything that warrants suspicion.

Please perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Standard
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
• Save the file to your desktop.

Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

 

doing the scan now, i also downloaded zonealarm pro and had it scan for spyware it found a few things it might have actually cleared the popups i have not had one since being home (30 mins). ill post this log when its done thanks for ur help.

 

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 27, 2005 04:41:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/10/2005
Kaspersky Anti-Virus database records: 146986
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 114212
Number of viruses found: 22
Number of infected objects: 43
Number of suspicious objects: 4
Duration of the scan process: 27110 sec

Infected Object Name - Virus Name
C:\Documents and Settings\bcollins\Desktop\NSW2005p\crackz\liveupdate\crack.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\bcollins\Local Settings\Application Data\Identities\{C668DDE7-8A20-4FD6-85AC-7E17A35456BD}\Microsoft\Outlook Express\Ebay.dbx/[From bidconfirm@ebay.com][Date Tue, 9 Nov 2004 19:07:02 -0800]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.fh
C:\Documents and Settings\bcollins\Local Settings\Application Data\Identities\{C668DDE7-8A20-4FD6-85AC-7E17A35456BD}\Microsoft\Outlook Express\Ebay.dbx Infected: Trojan-Spy.HTML.Bayfraud.fh
C:\Documents and Settings\bcollins\Local Settings\Temporary Internet Files\Content.IE5\2N1ZUJFG\cracks4u[1].htm Infected: Trojan-Downloader.JS.IstBar.y
C:\Documents and Settings\bcollins\Local Settings\Temporary Internet Files\Content.IE5\4TMFO1YF\get[1].php/packed Infected: Trojan-Downloader.JS.IstBar.x
C:\Documents and Settings\bcollins\Local Settings\Temporary Internet Files\Content.IE5\4TMFO1YF\get[1].php Infected: Trojan-Downloader.JS.IstBar.x
C:\Documents and Settings\bcollins\Local Settings\Temporary Internet Files\Content.IE5\OZFMTT4N\d[1].php/packed Infected: Exploit.HTML.CodeBaseExec
C:\Documents and Settings\bcollins\Local Settings\Temporary Internet Files\Content.IE5\OZFMTT4N\d[1].php Infected: Exploit.HTML.CodeBaseExec
C:\Documents and Settings\bcollins\My Documents\adelphiabackup.pst/Personal Folders/Deleted Items/12 May 2002 21:15 from vicardinic:Unsubscribe send a blank email.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\bcollins\My Documents\adelphiabackup.pst/Personal Folders/Deleted Items/04 Oct 2002 03:41 from BUPEGF@steris.com:Fun Stuff.rtf Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Documents and Settings\bcollins\My Documents\adelphiabackup.pst Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\16DC0094.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\192E5A06.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1B442772.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27A76473.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27AA0E6F.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27AA0E6F.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27AA0E6F.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27AA0E6F.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27AA0E6F.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28133A36.exe Infected: Worm.Win32.VB.an
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B0309D4.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B0309D4.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B0309D4.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B0309D4.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3B0309D4.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BDB5CE7.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BDB5CE7.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BDB5CE7.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BDB5CE7.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3BDB5CE7.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5AAE58DE.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E2C0788.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67AB6DD1.tmp Infected: Email-Worm.Win32.Bagle.bo
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EEF3708.htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\763A56C5.exe Infected: Trojan-Downloader.Win32.VB.nh
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D1166B4.exe Infected: Trojan.Win32.SecondThought.ao
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc12.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc12.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc22.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc25.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc26.exe Infected: Trojan.Win32.Crypt.t
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc27.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\RECYCLER\S-1-5-21-3686400049-3532479714-3810606423-1007\Dc27.exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\SWSetup\inst_swprecord.exe/web.dll Infected: Trojan-Spy.Win32.WebPageRecorder
C:\SWSetup\inst_swprecord.exe Infected: Trojan-Spy.Win32.WebPageRecorder
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP624\A0170075.dll Infected: Trojan.Win32.Crypt.t

Scan process completed.

 

Please use Symantec's guide to remove the infected files from Quarantine.


Locate and delete the following files/folders: (let me know if you fail to find/delete any)

C:\Documents and Settings\bcollins\Desktop\NSW2005p\crackz\liveupdate\crack.exe
C:\Documents and Settings\bcollins\Local Settings\Application Data\Identities\{C668DDE7-8A20-4FD6-85AC-7E17A35456BD}\Microsoft\Outlook Express\Ebay.dbx
C:\Documents and Settings\bcollins\My Documents\adelphiabackup.pst
C:\SWSetup\inst_swprecord.exe


Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.


Reboot & post a new log

 

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, October 28, 2005 16:16:43
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/10/2005
Kaspersky Anti-Virus database records: 147352
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 106413
Number of viruses found: 9
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 18398 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP624\A0170075.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170256.exe/run.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170256.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170261.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170263.exe Infected: Trojan-Downloader.Win32.Small.bke
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170264.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170265.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170265.exe Infected: Trojan-Downloader.Win32.TSUpdate.j
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170270.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170280.exe/web.dll Infected: Trojan-Spy.Win32.WebPageRecorder
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170280.exe Infected: Trojan-Spy.Win32.WebPageRecorder
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170301.exe Infected: Trojan-Downloader.Win32.VB.nh
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170302.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170303.exe Infected: Trojan-Downloader.Win32.IstBar.is
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP631\A0170305.exe Infected: Trojan.Win32.SecondThought.ao

Scan process completed.

 

Please post a new HJT log.

 

Logfile of HijackThis v1.99.1
Scan saved at 8:08:41 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\bcollins\Desktop\popups\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Read By Natural Voice Reader - C:\Program Files\NaturalReaders\Natural Voice Reader Free\read.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Natural Reader - {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - C:\Program Files\NaturalReaders\Natural Voice Reader Free\read.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9A95FE4A-0CD3-4698-A0F4-D2264C6E7046} (HPActiveChat Class) - http://isupport4.hp.com/awebui/jsp/answerweb/applets/ISPEActiveChat.CAB
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

 

I also wanted to let you know that i leave my machine on all the time, since i've had these popups (whichs appear to be gone) i lose my task bar sometime during the night. i have to reboot to get it back.

 

Have HijackThis fix this & you shall be clean again:

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


Now that your system is clean, please follow these simple steps in order to keep your computer clean and secure:

1. CLEAR & RESET SYSTEM RESTORE'S CACHE
   Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
   • Tick on the checkbox - Turn off System Restore on all drives
   • Click Apply
   Turn it back 'On' by unticking the same checkbox & click OK
   
   
   
2. DISABLE THE VIEWING OF SYSTEM FILES
   From Windows Explorer, go to Tools>Folder Options> View tab.
   • Untick - Show hidden files and folder
   • Tick - Hide file extensions for known types
   • Tick - Hide protected operating system files
   Click Yes to confirm & then click OK
   
   
   
3. SECURING INTERNET EXPLORER
   From within Internet Explorer click on the Tools menu and then click on Internet Options.
   • Select the Security tab
     • Click once on the Internet icon so it becomes highlighted.
     • Select Custom Level .
       • Change 'Download signed ActiveX controls' to Prompt
       • Change 'Download unsigned ActiveX controls' to Disable
       • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
       • Change 'Installation of desktop items' to Prompt
       • Change 'Launching programs and files in an IFRAME' to Prompt
       • Change 'Navigate sub-frames across different domains' to Prompt
       • When all these changes have been made, click on the OK button.
     • If it prompts you as to whether or not you want to save the settings, press the Yes button.
   • Select OK to exit the Internet Properties page.
   
   
   
4. ANTIVIRUS SOFTWARE
   It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and Removal Resources
   
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
5. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.
   
   
   
6. Microsoft Windows Update
   Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
   
7. SPYBOT - SEARCH & DESTROY
   Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
   
   
   
8. AD-AWARE
   Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
   
   
   
9. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here
   
   
   
10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
    
    
    
11. MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• Weather Watcher - Free taskbar weather program that is free, malware free, and resource light.
  
  
• Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• Google Toolbar - Get the free google toolbar to help stop pop up windows.
  
  
• CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
  
• ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.
  
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

 

Sorry. I did not see your later post about the missing task bar.

Please try this...

Right click on your taskbar & select 'Properties'

Please ensure that these settings are in place:

• Lock taskbar - ticked
• autohide taskbar' - unticked.
• Keep taskbar on top of other windows -ticked

Let me know if that sorts it out