Tom's Guide | Tom's Hardware | Tom's Games
Hey guys,
I've recently been having a few problems with my system as a whole, and think I might be infected with something rather odd.
No matter what programs I'm using, just a couple of minutes into using them I'll get the Microsoft error window that gives you the option to Send Error Report or Don't Send, so I can't actually use anything unless I drag these error windows to the side.
I've scanned with Housecall and Avast, both of which say I'm clean, and I've done scans with Adaware and Spybot which seems to have got rid of the spy and adware but the problem still persists.
Weirdly enough, whenever I'm in normal mode of Windows, the .exe files for Spybot and Avast mysteriously delete themselves as soon as the programs are installed. I was only able to scan by going through safe mode.
If anyone has absolutely any idea what on earth might be happening here I'd be extremely grateful for any opinions!
Many thanks,
Ralph

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum. Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
Then run this free online scan from Panda
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.

Have done the Hijackthis scan (pasted below), but when I tried to get onto the Panda scan I repeatedly kept getting DNS errors. I'll keep trying though and post the result as soon as I can get onto it.
Many thanks!
Ralph
Logfile of HijackThis v1.99.1
Scan saved at 01:12:24, on 03/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.exe
C:\WINDOWS\system32\dwwin.exe
C:\My Documents\Hijackthis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF357901-4912-4FA0-8269-8E2E29F48061}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

bad one:
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
pre-read:
beagle
pending
...6B 69 6C 72 6F 79 20 77 61 73 20 68 65 72 65

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode
Download Ewido Security Suite then set it up this way Ewido Setup Instructions We will need this later in safe mode
Download killbox to your desktop from this link Killbox We will need it later in safe mode
Next follow these directions to reboot into safe mode Safe Mode
Run Ewido from safe mode and let it delete what it finds.
Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run Ht from safe mode, close all windows except HT, place a check to the left of the following item and press "fix checked":
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
Exit Hijack This
While still in safe mode run killbox. Double-click on Killbox.exe to run it.
Put a tick by Standard File Kill.
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
Click on the button that has the red circle with the X in the middle after you enter each file.
C:\WINDOWS\SYSTEM32\ldr64.dll
It will ask for confirmation to delete the file.
Click Yes.
Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
Please post a new HT log and see if you can run the Panda scan. If not try Kaspersky's scanner.
Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

hi there,
sorry for the delay, but thank you so much for the help! the error messages seem to have stopped, but here is an updated ht log and the log from the panda scan -
Logfile of HijackThis v1.99.1
Scan saved at 00:03:08, on 04/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\My Documents\Hijackthis\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.exe /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
panda
Incident Status Location
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Hector\Cookies\hector@banner[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Hector\Cookies\hector@xiti[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Hector\Cookies\hector@xmts[1].txt
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Ralph\Application Data\Mozilla\Firefox\Profiles\ah2vw8ft.default\cookies.txt[.xmts.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.888.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.atwola.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.seeq.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[.xmts.net/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\Mozilla\Firefox\Profiles\mm78ntyo.default\cookies.txt[searchportal.information.com/]
I did a scan with the Kaspersky scanner and saved a log, but I have no idea where it's gone, so hopefully this will tell enough.
many thanks again!
ralph

Looks good to me, glad we could help. Panda is just picking up cookies. An ewido scan will normally remove them.
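The helper's triage above came down to reading the HijackThis log for autostart entries that do not belong (the O20 Winlogon Notify line for ldr64.dll) and peeking at the file's bytes (the "pre-read" hex, which is plain ASCII). The script below, an added example that is not part of the thread and not a HijackThis tool, automates the first-pass reading of such a log: it parses O4 Run, O20 Winlogon Notify and O23 Service lines with regular expressions and flags entries for review using three assumed heuristics (a Run entry launching from a user-writable profile folder, any Winlogon Notify DLL, and a service whose binary is missing or has no vendor). The sample lines are lifted from the two logs posted in this thread; the flags are review prompts, not verdicts, so the leftover ewido service entry is listed even though the final reply rightly treats that log as clean.

```python
"""First-pass triage of HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines lifted from the two HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [drvsyskit] C:\Documents and Settings\Ralph.RALPH-A5EC5F197\Application Data\hidires\hidr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\SYSTEM32\ldr64.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido anti-malware\ewidoctrl.exe (file missing)
"""

# Line shapes as HijackThis 1.99 prints them (the three sections this example understands).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Assumed heuristic: folders any logged-in user can write to; an autostart there deserves a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage_hjt_log(text: str) -> list:
    """Return the entries an analyst should look at first, in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            if any(loc in cmd.lower() for loc in USER_WRITABLE):
                findings.append(Finding("O4", m.group("name"), cmd,
                                        ["Run entry launches from a user-writable profile folder"]))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs load into winlogon.exe at every logon, so each one gets checked.
            findings.append(Finding("O20", m.group("name"), m.group("path"),
                                    ["Winlogon Notify DLL loaded by winlogon.exe; verify publisher"]))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m.group("path"):
                reasons.append("service binary missing (stale entry or removed file)")
            if m.group("owner").lower() == "unknown owner":
                reasons.append("no vendor string")
            if reasons:
                findings.append(Finding("O23", m.group("name"), m.group("path"), reasons))
    return findings


def decode_hex_preview(hex_bytes: str) -> str:
    """Turn a space-separated hex dump like the thread's 'pre-read' into readable text."""
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode("ascii", errors="replace")


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"[{f.section}] {f.name}: {f.path}\n    -> {'; '.join(f.reasons)}")
    # The bytes the helper quoted from ldr64.dll are an ASCII marker string.
    print(decode_hex_preview("6B 69 6C 72 6F 79 20 77 61 73 20 68 65 72 65"))
```

Run it on a saved log with `triage_hjt_log(open("hijackthis.log").read())`; the point of the design is that the regexes only extract fields and every flag carries its reason, so the analyst still decides what gets fixed, as the thread's helper did.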
