Hi, Thank you for helping me with this problem. Lately, I have been having a lot of pop-ups while surfing the internet. It does not happen on any of the other computers on my network. Norton 360 also has been acting up saying that there is a threat but when I do a system scan, nothing shows up. I can give you a HJT log if you want. Thanks for your help.

Please download Malwarebytes' Anti-Malware from one of these sites: MalwareBytes1 MalwareBytes2 1. Double Click mbam-setup.exe to install the application. 2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. 3. If an update is found, it will download and install the latest version. 4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient. 5. When the scan is complete, click OK, then Show Results to view the results. 6. Make sure that everything found is checked, and click Remove Selected. 7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately. 8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 9. Copy&Paste the entire report in your next reply. Please download and install the latest version of HijackThis v2.0.2: Download the "HijackThis" Installer from this link: Hijack This 1. Save " HJTInstall.exe" to your desktop. 2. Double click on HJTInstall.exe to run the program. 3. By default it will install to C:\Program Files\Trend Micro\HijackThis. 4. Accept the license agreement by clicking the "I Accept" button. 5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log. 6. Click "Save log" to save the log file and then the log will open in Notepad. 7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log. 8. Paste the log in your next reply. 9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required. If you have trouble installing or running MalwareBytes or Hijack This do the following: If you got them downloaded rename the setup file then try installing them again. Right click the mbam-setup.exe file> click rename> rename it something.exe then try to run it. If it installed but will not run navigate to this folder: C:\Programs Files\Malwarebytes' AntiMalware Rename the mbam.exe file then try to run it again, if still no luck rename all the .exe files in the MAlwarebytes' Anti-Malware folder and try to run it again. For Hijack This rename the Hijack This.exe file to something else and try installing it again.

Thanks for helping me. The Malwarebytes log is: Malwarebytes' Anti-Malware 1.30 Database version: 1414 Windows 5.1.2600 Service Pack 3 11/21/2008 1:54:28 PM mbam-log-2008-11-21 (13-54-28).txt Scan type: Quick Scan Objects scanned: 59200 Time elapsed: 5 minute(s), 20 second(s) Memory Processes Infected: 0 Memory Modules Infected: 2 Registry Keys Infected: 4 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 9 Files Infected: 39 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\system32\winetn32.dll (Dialer) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7954b91-5d12-418f-bd80-a67c2ebf83e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{f7954b91-5d12-418f-bd80-a67c2ebf83e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winetn32 (Dialer) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: C:\WINDOWS\mslagent (Adware.EGDAccess) -> Quarantined and deleted successfully. C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\Inet Delivery (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\OINAnalytics (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Start Menu\Programs\Outerinfo (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Application Data\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Application Data\Gool (Trojan.Agent) -> Quarantined and deleted successfully. Files Infected: C:\WINDOWS\system32\qjtzrd.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\Program Files\Mozilla Firefox\components\srff.dll (Trojan.Agent) -> Delete on reboot. C:\WINDOWS\b103.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Program Files\Common Files\Yazzle3090OinUninstaller.exe (Adware.ClickSpring) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Local Settings\Temp\44.exe (Trojan.BHO) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Local Settings\Temp\gettpa421.exe (Adware.ClickSpring) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Local Settings\Temp\__40.tmp (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\ZGA89TLY\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\mslagent\2_mslagent.dll (Adware.EGDAccess) -> Quarantined and deleted successfully. C:\WINDOWS\mslagent\mslagent.exe (Adware.EGDAccess) -> Quarantined and deleted successfully. C:\WINDOWS\mslagent\uninstall.exe (Adware.EGDAccess) -> Quarantined and deleted successfully. C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\Inet Delivery\inetdl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\Inet Delivery\intdel.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\Program Files\OINAnalytics\OINAnalytics1.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\Program Files\OINAnalytics\Uninstall.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Application Data\speedrunner\SpeedRunner.exe (Adware.SurfAccuracy) -> Quarantined and deleted successfully. C:\WINDOWS\system32\winetn32.dll (Dialer) -> Delete on reboot. C:\WINDOWS\a.bat (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\base64.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\userconfig9x.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\winsystem.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\zip1.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\zip2.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\zip3.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\zipped.tmp (Fake.Dropped.Malware) -> Quarantined and deleted successfully. C:\WINDOWS\bdn.com (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\iTunesMusic.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\mssecu.exe (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\wineil32.dll (Dialer) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Desktop\Real Music Ringtones.url (Rogue.Link) -> Quarantined and deleted successfully. C:\Documents and Settings\guest1\Desktop\Internet Security Suite.url (Rogue.Link) -> Quarantined and deleted successfully. HJT log is: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2:00:57 PM, on 11/21/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\Explorer.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\windows\system\hpsysdrv.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\hphmon06.exe C:\WINDOWS\AGRSMMSG.exe C:\WINDOWS\SOUNDMAN.exe C:\WINDOWS\system32\ps2.exe C:\WINDOWS\ALCWZRD.exe C:\WINDOWS\ALCMTR.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Electronic Arts\EADM\Core.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T... R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.co... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T... R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin... R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin... F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.exe O4 - HKLM\..\Run: [Alcmtr] ALCMTR.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win... O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.exe O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe -- End of file - 7577 bytes If you see anything that might have caused identity theft or something of that nature, please let me know so I know to be extra careful when I review my bills. Thanks again for your help.

Please download ComboFix to the desktop from one of the following links: Link1 Link 2 Link 3 Combofix is a powerful tool so follow the instructions exactly or you could damage your computer. Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results". Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask. In your case to run Combofix do the following: 1. Go offline turn off your Nortons antivirus, AD-Aware and any other antispyware that you may have. 2. Run Combofix and save its log. 3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned. 4. Post the Combofix log. Remember to re-enable the protection again afterwards before connecting to the Internet. Double-click combofix.exe Follow the prompts. (Don't click on the window while the program is running or move the mouse, it will cause your system to hang.) Please post the log it produces.

Here is the combofix log. Thanks for your help! ComboFix 08-11-21.03 - HP_Owner 2008-11-21 17:09:16.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.668 [GMT -6:00] Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\guest1\Local Settings\Temporary Internet Files\bestwiner.stt c:\documents and settings\guest1\Local Settings\Temporary Internet Files\CPV.stt c:\windows\crosof~1 c:\windows\crosof~1\regsvr32.exe c:\windows\system32\BdNWayay.ini c:\windows\system32\BdNWayay.ini2 c:\windows\system32\NVCKRXyb.ini c:\windows\system32\NVCKRXyb.ini2 c:\windows\ystem3~1 c:\windows\ystem3~1\iexplore.exe D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2008-10-21 to 2008-11-21 ))))))))))))))))))))))))))))))) . 2008-11-21 12:08 . 2008-11-21 12:08 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2008-11-21 12:08 . 2008-11-21 12:08 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\Malwarebytes 2008-11-21 12:08 . 2008-11-21 12:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2008-11-21 12:08 . 2008-10-22 16:28 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2008-11-21 12:08 . 2008-10-22 16:28 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2008-11-20 13:09 . 2008-11-20 13:09 <DIR> d-------- c:\program files\Trend Micro 2008-11-16 20:23 . 2008-11-17 19:56 484 --a------ c:\windows\eReg.dat 2008-11-16 17:50 . 2008-11-16 20:35 <DIR> d-------- C:\HEGames 2008-11-16 17:50 . 2008-11-18 18:49 573 --a------ c:\windows\hegames.ini 2008-11-12 07:24 . 2008-10-24 05:21 455,296 --a--c--- c:\windows\system32\dllcache\mrxsmb.sys 2008-11-12 07:23 . 2008-09-04 11:15 1,106,944 --a--c--- c:\windows\system32\dllcache\msxml3.dll 2008-11-02 19:09 . 2008-11-02 19:09 <DIR> d-------- C:\ProgramData 2008-11-02 19:09 . 2008-11-02 19:11 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\SPORE 2008-11-02 19:08 . 2008-11-02 19:08 1,216 --a------ c:\windows\system32\ealregsnapshot1.reg 2008-10-31 19:53 . 2008-10-31 19:53 <DIR> d--hs---- c:\windows\ftpcache 2008-10-24 06:02 . 2008-10-15 10:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll 2008-10-22 14:05 . 2008-10-22 14:05 <DIR> d-------- c:\program files\OverDrive Media Console 2008-10-22 14:05 . 2008-10-22 14:05 <DIR> d-------- c:\documents and settings\HP_Owner\Application Data\OverDrive . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-21 23:13 --------- d-----w c:\program files\Common Files\Symantec Shared 2008-11-20 18:30 --------- d-----w c:\documents and settings\HP_Owner\Application Data\AdobeUM 2008-11-17 02:51 --------- d-----w c:\documents and settings\All Users\Application Data\rohmdung 2008-11-06 12:29 --------- d-----w c:\program files\Norton 360 2008-11-03 01:09 --------- d--h--w c:\program files\InstallShield Installation Information 2008-11-03 01:09 --------- d-----w c:\program files\Electronic Arts 2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys 2008-10-18 18:48 --------- d-----w c:\documents and settings\HP_Owner\Application Data\InstallShield 2008-10-18 12:26 --------- d-----w c:\documents and settings\HP_Owner\Application Data\ICAClient 2008-10-15 12:17 --------- d-----w c:\program files\Common Files\Adobe 2008-10-15 01:59 --------- d-----w c:\documents and settings\HP_Owner\Application Data\OpenOffice.org 2008-10-15 01:56 --------- d-----w c:\program files\OpenOffice.org 3 2008-10-15 01:56 --------- d-----w c:\program files\JRE 2008-10-15 01:56 --------- d-----w c:\program files\Java 2008-10-15 01:39 --------- d-----w c:\program files\Microsoft Works 2008-10-15 01:36 --------- d-----w c:\program files\Citrix 2008-10-14 21:42 --------- d-----w c:\program files\Easy Internet signup 2008-10-14 21:37 --------- d-----w c:\program files\MSN Messenger 2008-10-14 21:30 --------- d-----w c:\program files\Yahoo! 2008-10-14 15:37 --------- d-----w c:\program files\Symantec 2008-10-14 15:36 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF 2008-10-14 15:36 123,952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS 2008-10-14 15:36 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT 2008-10-14 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec 2008-10-14 00:22 --------- d--h--r c:\documents and settings\HP_Owner\Application Data\SecuROM 2008-10-13 22:56 --------- d-----w c:\documents and settings\HP_Owner\Application Data\Symantec 2008-10-13 22:32 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft 2008-10-13 22:31 --------- d-----w c:\program files\Lavasoft 2008-10-13 22:31 --------- d-----w c:\program files\Common Files\Wise Installation Wizard 2008-10-13 21:46 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-10-13 21:26 --------- d-----w c:\program files\Windows Sidebar 2008-10-13 19:41 3,885 ----a-w c:\windows\viassary-hp.reg 2008-10-13 19:35 4,204 --sha-r c:\windows\system32\drivers\HP_PP179AA-ABA A867C_YC_Pavi_QMXR515_E44NAheBLU5_4_IGrouper_SASUSTeK Computer INC._V1.xx_B3.18_T050216_WXH2_L409_M1016_J250_7Intel_8Pentium 4_93.4_111063044_N10EC8139_P_Z11C1048C_K_A_U80862658_G80862582.MRK 2008-10-13 19:00 --------- d-----w c:\program files\Microsoft AntiSpyware 2008-10-10 21:52 --------- d-----w c:\program files\GameSpy 2008-10-10 21:42 --------- d-----w c:\documents and settings\guest1\Application Data\InstallShield 2008-10-09 01:53 --------- d-----w c:\documents and settings\guest1\Application Data\IUpd721 2008-10-08 21:21 --------- d-----w c:\program files\bcdavh 2008-10-05 12:48 --------- d-----w c:\documents and settings\guest1\Application Data\Yahoo! 2008-10-05 01:20 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! 2008-10-02 02:52 --------- d-----w c:\documents and settings\guest1\Application Data\My Games 2008-10-02 02:41 --------- d-----w c:\program files\Firaxis Games 2008-10-01 17:20 --------- d-----w c:\documents and settings\guest1\Application Data\MSNInstaller 2008-10-01 15:55 --------- d-----w c:\documents and settings\guest1\Application Data\AdobeUM 2008-09-28 23:42 --------- d-----w c:\program files\Common Files\AOL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded] @="{4433A54A-1AC8-432F-90FC-85F045CF383C}" [HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending] @="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}" [HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected] @="{476D0EA3-80F9-48B5-B70B-05E677C9C148}" [HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}] 2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-20 118784] "HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-07 659456] "Recguard"="c:\windows\SMINST\RECGUARD.exe" [2004-04-14 233472] "PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920] "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048] "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-20 155648] "AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 c:\windows\AGRSMMSG.exe] "SoundMan"="SOUNDMAN.EXE" [2004-07-01 c:\windows\SOUNDMAN.EXE] "AlcWzrd"="ALCWZRD.EXE" [2004-07-06 c:\windows\ALCWZRD.EXE] [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk backup=c:\windows\pss\Updates from HP.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp] --a------ 2008-10-17 14:52 51048 c:\program files\Common Files\Symantec Shared\CCAPP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core] --a------ 2008-07-21 14:07 2752512 c:\program files\Electronic Arts\EADM\Core.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06] --a------ 2004-06-07 19:53 49152 c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] --a------ 2004-04-21 19:28 286720 c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD] --a------ 2003-02-11 21:02 61440 c:\hp\KBD\kbd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)] --a------ 2008-09-19 16:34 4347120 c:\program files\Yahoo!\Messenger\YahooMessenger.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] --a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr] --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder] --a------ 2003-12-18 00:31 118784 c:\windows\CREATOR\Remind_XP.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] --a------ 2004-08-07 13:36 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe] --a------ 2004-08-07 15:03 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "aawservice"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "c:\\Program Files\\MSN Messenger\\livecall.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"= "c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"= "c:\\WINDOWS\\system32\\winver.exe"= R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352] S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888] *Newly Created Service* - COMHOST . - - - - ORPHANS REMOVED - - - - HKLM-Run-VTTimer - VTTimer.exe MSConfigStartUp-IS CfgWiz - c:\program files\Common Files\Symantec Shared\cfgwiz.exe MSConfigStartUp-NAV CfgWiz - c:\program files\Common Files\Symantec Shared\CfgWiz.exe MSConfigStartUp-SSC_UserPrompt - c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe . ------- Supplementary Scan ------- . FireFox -: Profile - c:\documents and settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\yw7k78gy.default\ FireFox -: prefs.js - STARTUP.HOMEPAGE - google.com FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-21 17:13:48 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . r Running Proce . c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe c:\windows\system32\HPZipm12.exe c:\windows\system32\wscntfy.exe c:\windows\system32\verclsid.exe . ************************************************************************** . Completion time: 2008-11-21 17:15:45 - machine was rebooted [HP_Owner] ComboFix-quarantined-files.txt 2008-11-21 23:15:41 Pre-Run: 214,916,063,232 bytes free Post-Run: 214,985,252,864 bytes free 227 --- E O F --- 2008-11-13 12:05:18

Your java is out of date and may have been exploited. Download the latest version of java from this link Java Click on the JRE 6 Update 10 download button. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java versions. Reboot your computer once all Java components are removed Then from your desktop double-click on jre-6u10-windows-i586-p.exe to install the newest version. Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX KILLALL:: Folder:: c:\documents and settings\guest1\Application Data\IUpd721 c:\program files\bcdavh XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop. Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run". Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok. Download ATF Cleaner from this link: http://www.majorgeeks.com/ATF_Cleaner_d4949.html Run ATF-Cleaner Double-click ATF-Cleaner.exe to run the program. Under Main choose: Select All Click the Empty Selected button. Please run Esets online scanner from this link: ESET 1. Note: You will need to use Internet explorer for this scan 2. Tick the box next to YES, I accept the Terms of Use. 3. Click Start 4. When asked, allow the activex control to install 5. Click Start 6. Make sure that the option Remove found threats is unticked ( Iwant to see what is found first), and the option Scan unwanted applications is checked 7. Click Scan 8. Wait for the scan to finish 9. Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt 10. Copy and paste that log in your next reply.

The log for ESET: # version=4 # OnlineScanner.ocx=1.0.0.56 # OnlineScannerDLLA.dll=1, 0, 0, 51 # OnlineScannerDLLW.dll=1, 0, 0, 51 # OnlineScannerUninstaller.exe=1, 0, 0, 49 # vers_standard_module=3632 (20081121) # vers_arch_module=1.064 (20080214) # vers_adv_heur_module=1.066 (20070917) # EOSSerial=76b70393cd313b4d9b4d2eab33ed6af2 # end=finished # remove_checked=false # unwanted_checked=true # utc_time=2008-11-22 08:46:37 # local_time=2008-11-22 02:46:37 (-0600, Central Standard Time) # country="United States" # osver=5.1.2600 NT Service Pack 3 # scanned=609491 # found=2 # scan_time=6113 C:\Qoobox\Quarantine\C\WINDOWS\CROSOF~1\regsvr32.exe.vir probably a variant of Win32/Adware.PurityScan application 30AAB2155B1D9092CC523B7EFB8FD64A C:\Qoobox\Quarantine\C\WINDOWS\YSTEM3~1\iexplore.exe.vir probably a variant of Win32/Adware.PurityScan application 30AAB2155B1D9092CC523B7EFB8FD64A