New to this board but sure could use some help


Post by VVoyager » June 9th, 2006, 7:32 am

Hi folks. Just found this board and sure am glad I did. I have an alert that started popping up a couple of days ago and no matter what I do I can't get rid of it. It is a Hosts File Shield Alert that pops up in Webroot's Spy Sweeper. The message I get is:

"SafeWeb.Com: 204.244.184.143 has been added, but Internet lookup reports 216.131.94.163" and
"SafeWeb.Com: 204.244.184.143 has been added, but Internet lookup reports 81.52.248.177"

I hit the remove button and it seemed to clean it off for about 5 seconds and then it returns.

Here is what I have done so far: went into the Hosts file in Windows\sys32\drivers\etc and added the # in front of the 2 SafeWeb.Com lines. Those two lines recreate themselves down below almost instantly. Then added 127.0.0.1 to the lines to point them back at my machine. Same result.
I should mention that I found both these suggestions online - no way I'm computer smart enough to know that on my own.
Ran HijackThis and tried to clean it off that way. Same result. Ran Ad-Aware, BitDefender, a-squared, and TrojanHunter, all with the same result. No way to make it stop coming back.
I recently set up a new computer so I've been adding a lot of software to the HD lately but nothing that should include SafeWeb that I am aware of. Anyway, the alert message implies those commands are not linking to the legit web address anyway.
Can't figure where this is coming from or how to get rid of it. Below is my HJT log. Any help is greatly appreciated. I will be unhooking my internet connection for most of the day while I am at work. Not sure if someone has managed to get into my machine but want to be safe. Will be checking back later today.
Thanks for any help.
Tim

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 6:13:00 AM, on 6/9/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe
c:\program files (x86)\softwin\bitdefender9\bdswitch.exe
C:\WINDOWS\system32\SYSWB6.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
c:\program files (x86)\softwin\bitdefender9\bdnagent.exe
C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SysWOW64\Winkb6.exe
C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
D:\My Documents\Tim\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
F2 - REG:system.ini: UserInit=userinit
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 http://WWW.SafeWeb.com
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files (x86)\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\SysWOW64\NeroCheck.exe
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files (x86)\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8767173140
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas
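The check behind the Spy Sweeper "Hosts File Shield" alert quoted above, as an added example (not code from this forum, Webroot or HijackThis): parse hosts-file lines and HijackThis `O1 - Hosts:` lines, compare each mapping with what DNS reports, and flag names that are being sent to an address DNS does not return. The hosts text, the HJT excerpt and the DNS answers are constructed stand-ins so it runs offline.

```python
"""Hosts-file redirect check in the spirit of the Spy Sweeper Hosts File Shield
alert: compare each hosts-file mapping (or HijackThis 'O1 - Hosts:' line) with
what DNS reports and flag disagreements. Added example; not code from
MalwareRemoval.com, Webroot or HijackThis."""
import re
from typing import Callable, Dict, List, Set, Tuple

# Constructed hosts-file content. The SafeWeb.com lines mirror the entries in
# the thread; the commented-out copy mimics the poster's "#" attempt.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
#204.244.184.143 SafeWeb.com
204.244.184.143 SafeWeb.com
204.244.184.143 WWW.SafeWeb.com    # recreated below the commented line
"""

# Constructed HijackThis excerpt (the O1 lines as they appear in the thread).
SAMPLE_HJT = r"""
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 http://WWW.SafeWeb.com
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
"""

# Constructed stand-in for a DNS resolver so the example runs offline. The two
# addresses for safeweb.com mirror the two answers the alert reported.
SAMPLE_DNS: Dict[str, Set[str]] = {
    "safeweb.com": {"216.131.94.163", "81.52.248.177"},
    "www.safeweb.com": {"216.131.94.163"},
}

Entry = Tuple[str, str]  # (ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname) pairs from hosts-file text.
    Comments (anything after '#') and blank lines are ignored; one line may
    map an IP to several names. Names are lower-cased (DNS is case-insensitive).
    """
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hjt_o1(log: str) -> List[Entry]:
    """Extract (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines,
    dropping a leading http:// as seen in the thread's second O1 line."""
    entries: List[Entry] = []
    for line in log.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            name = re.sub(r"^https?://", "", m.group(2), flags=re.I)
            entries.append((m.group(1), name.lower()))
    return entries


def check_entries(entries: List[Entry],
                  resolve: Callable[[str], Set[str]]) -> List[dict]:
    """Classify each hosts entry against DNS.
    resolve(name) returns the set of addresses DNS reports (empty if none).
    Verdicts: 'loopback' (127.x / 0.0.0.0: normal for localhost and the usual
    way filtering tools block a name), 'ok', 'unresolvable', or 'mismatch'
    (the name is sent to an address DNS does not report, the case the
    Spy Sweeper alert describes).
    """
    findings = []
    for ip, name in entries:
        dns: Set[str] = set()
        if ip.startswith("127.") or ip == "0.0.0.0":
            verdict = "loopback"
        else:
            dns = resolve(name)
            if not dns:
                verdict = "unresolvable"
            elif ip in dns:
                verdict = "ok"
            else:
                verdict = "mismatch"
        findings.append({"host": name, "ip": ip,
                         "dns": sorted(dns), "verdict": verdict})
    return findings


def format_alert(f: dict) -> str:
    """Render a mismatch finding in the wording of the alert from the thread."""
    return (f"{f['host']}: {f['ip']} has been added, but Internet lookup "
            f"reports {', '.join(f['dns'])}")


if __name__ == "__main__":
    resolver = lambda n: SAMPLE_DNS.get(n, set())
    for source, entries in (("hosts file", parse_hosts(SAMPLE_HOSTS)),
                            ("HJT O1", parse_hjt_o1(SAMPLE_HJT))):
        print(f"== {source} ==")
        for f in check_entries(entries, resolver):
            print(format_alert(f) if f["verdict"] == "mismatch"
                  else f"{f['host']}: {f['ip']} ({f['verdict']})")
```

Against a live system, `resolve` would wrap `socket.getaddrinfo` and the hosts text would be read from `%SystemRoot%\system32\drivers\etc\hosts`; a 'mismatch' entry that reappears after removal, as in this thread, points to a process rewriting the file rather than to a stale entry.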

Post by ChrisRLG » June 9th, 2006, 9:22 am

It does look strange.

I do have some questions before a helper gets involved.

Operating system - Win 2003

1. Is this running as a server?
2. Is this a 64-bit machine or a 32-bit one? (What processor chip does it have?)

SpySweeper

1. Have you tried disabling this and seeing if HJT can remove them (and then keep them away)?

=================

Some good news - the IP 204.244.184.143

204.244.184.143 = [ ]
OrgName: WesTel Telecommunications
OrgID: WETE
Address: 121 - 949 West 3rd Street
City: North Vancouver
StateProv: BC
PostalCode: V7P-3P7
Country: CA
NetRange: 204.244.0.0 - 204.244.255.255
CIDR: 204.244.0.0/16
NetName: WESTNETBLK
NetHandle: NET-204-244-0-0-1
Parent: NET-204-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.WESTEL.COM
NameServer: NS2.WESTEL.COM
NameServer: CASTOR.TELEGLOBE.NET
NameServer: POLLUX.TELEGLOBE.NET
Comment: ADDRESSES WITHIN THIS NETBLOCK ARE NON-PORTABLE
RegDate: 1994-02-01
Updated: 2005-01-19
RAbuseHandle: ABUSE127-ARIN
RAbuseName: Abuse Complaints
RAbusePhone: 1-877-477-5266
RAbuseEmail: Abuse@navigata.net
RTechHandle: ADMIN11-ARIN
RTechName: Administration
RTechPhone: 1-877-477-5266
RTechEmail: maintenance@navigata.net
OrgAbuseHandle: ABUSE127-ARIN
OrgAbuseName: Abuse Complaints
OrgAbusePhone: 1-877-477-5266
OrgAbuseEmail: Abuse@navigata.net
OrgTechHandle: ADMIN12-ARIN
OrgTechName: Tech
OrgTechPhone: 1-877-477-5266
OrgTechEmail: rcas@navigata.net
ARIN WHOIS database last updated 2006-06-08 19: 10
Enter ? for additional hints on searching ARIN's WHOIS database.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Chris Davis>ping 204.244.184.143

Pinging 204.244.184.143 with 32 bytes of data:

Request timed out.
Request timed out.
Reply from 64.251.87.174: Destination net unreachable.
Request timed out.

Ping statistics for 204.244.184.143:
Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Chris Davis>


So it looks like that IP is not functioning anyway - an unobtainable page is obtained from a browser :) which probably means WesTel have already killed whatever was at the other end.

=============

Give the answers to those questions about your system and I will get one of the helpers to check your system over.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Thanks loads. Here are the answers to those questions

Post by VVoyager » June 9th, 2006, 5:45 pm

Thanks for the info.
The processor is an AMD 64-bit 4200 X2.
It is not running as a server.

I disabled Spy Sweeper and used HJT to remove the SafeWeb links and they came right back again.

Sure would like to get rid of this. I find it troubling that, while it may come up in text as safeweb.com, it points to a different IP address. Just don't want someone getting into my machine and using it for whatever.

Thanks again for any help you can render.
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

One other clarification: OS is Windows XP Pro x64

Post by VVoyager » June 9th, 2006, 6:47 pm

I know I've said it before, but thanks again.
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

Post by 'KotaGuy » June 9th, 2006, 7:29 pm

Seems SafeWeb used to be an anonymizing service that was partially funded by the CIA... looks like it was bought out by Symantec in 2003...

http://www.symantec.com/press/2003/n031020.html

Did you install then uninstall any of their products lately?

And these...

C:\WINDOWS\system32\SYSWB6.exe
C:\WINDOWS\SysWOW64\Winkb6.exe
O4 - HKLM\..\Run: [SYSWB6] SYSWB6


WeBlocker Web Filtering software... You installed this?

How exactly did you disable SpySweeper... follow these instructions to disable it please.

To disable SpySweeper:
  • Open SpySweeper
  • Click Options then Program Options. Uncheck "Load at Windows startup".
  • Click Shields and uncheck all there.
  • Uncheck "Home Page Shield".
  • Uncheck "Automatically restore default without notification".

Once your log is clean you can re-enable SpySweeper.

Run HJT, close all open browsers and windows, then place checks beside the following and fix:

O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 http://WWW.SafeWeb.com


Reboot and post a new HJT log please.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Followed your suggestions but no luck

Post by VVoyager » June 9th, 2006, 8:39 pm

I installed WeBlocker. Got a teenage daughter to protect. Used WeBlocker for a couple of years without any problem.

Pretty sure I have never installed and/or uninstalled anything from Symantec.

Followed your instructions on SpySweeper and, after a reboot, ran HJT and attempted to clean out those entries. No luck. They just popped back up after a few seconds.

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:34:00 PM, on 6/9/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdswitch.exe
C:\WINDOWS\system32\SYSWB6.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdnagent.exe
C:\WINDOWS\SysWOW64\Winkb6.exe
C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
D:\My Documents\Tim\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
F2 - REG:system.ini: UserInit=userinit
O1 - Hosts: 204.244.184.143 SafeWeb.com
O1 - Hosts: 204.244.184.143 http://WWW.SafeWeb.com
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files (x86)\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [SYSWB6] SYSWB6
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files (x86)\Softwin\BitDefender9\bdnagent.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8767173140
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)


Appreciate you trying to figure this one out.
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

Post by 'KotaGuy » June 10th, 2006, 1:03 am

OK

Going to get you to do a couple scans to see if we can find something that HJT isn't showing.

Please download WinPFind and extract it to your C:\ drive. This will create a folder called WinPFind in the C:\ drive. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works as it can take a while, upwards of 30 minutes or more. Once it's done you can copy/paste the results into a new Notepad document and save it to your Desktop.

Also do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.


Post the WinPFind log along with the KAV scan log.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

Partial success

Post by VVoyager » June 10th, 2006, 7:32 pm

KotaGuy,
I was able to download and run WinPFind. Results are below.
I had a problem when I tried to run the online scan with Kaspersky. After I installed the ActiveX it ran for a while and then came up with a message saying that the install failed because I had to have administrator rights to download and install ActiveX, and it seemed to think I didn't have admin rights. It also said I had to set IE security to Medium (where it already was/is).
I went ahead and downloaded and installed the trial version and ran it. Results below. Let me know if I did something wrong and there is a different approach I should be trying.
I find this whole "not an administrator" thing troubling.
One other item. I have a folder on my second HD that has popped up and it won't let me in, "System Volume Information." I can get into the same-named one on my C drive but the one on my D drive won't let me in. It makes me very uncomfortable not knowing why I can't get into it or delete it. Any thoughts?
I was thinking of installing ZoneAlarm so I could see what was going out to the net from my computer.
One other question: when I ran TrojanHunter it found several ports that were open for links that I really didn't want accessing my computer, but I have no idea how to shut off those port connections. Any idea?
Anyway, thanks loads for your advice. Wish I knew more about this whole area (although I'm learning).
Here is the log from WinPFind:
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 3790
Internet Explorer Version: 6.0.3790.1830

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
aspack 5/26/2005 3:34:52 PM 2297552 C:\WINDOWS\SYSTEM32\d3dx9_26.dll
aspack 7/22/2005 7:59:04 PM 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
PTech 5/17/2006 11:23:38 AM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
aspack 3/25/2005 7:00:00 AM 762880 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 3/25/2005 7:00:00 AM 678912 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 3/25/2005 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/10/2006 5:11:44 AM S 2048 C:\WINDOWS\bootstat.dat
6/7/2006 1:52:44 PM H 54156 C:\WINDOWS\QTFont.qfn
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
5/28/2006 1:35:54 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
5/28/2006 1:35:54 PM RH 0 C:\WINDOWS\assembly\PublisherPolicy.tme
5/28/2006 1:35:54 PM RH 0 C:\WINDOWS\assembly\pubpol1.dat
5/28/2006 2:43:40 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1a.dat
5/28/2006 2:43:42 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index1b.dat
5/28/2006 4:07:14 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_64\index1b.dat
5/28/2006 4:07:26 PM RH 0 C:\WINDOWS\assembly\NativeImages_v2.0.50727_64\index1c.dat
5/27/2006 12:29:48 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
5/27/2006 12:30:18 PM HS 67 C:\WINDOWS\Fonts\desktop.ini
5/27/2006 12:50:22 PM H 0 C:\WINDOWS\inf\oem5.inf
5/28/2006 10:06:26 AM H 0 C:\WINDOWS\inf\oem9.inf
5/27/2006 12:29:48 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
5/27/2006 12:28:58 PM RHS 791 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
5/27/2006 12:28:58 PM RHS 12355 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
5/27/2006 12:28:58 PM RHS 252017 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
5/27/2006 12:31:02 PM H 241664 C:\WINDOWS\repair\ntuser.dat
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\system32\cdplayer.exe.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\system32\ncpa.cpl.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\system32\nwc.cpl.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\system32\sapi.cpl.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\system32\wuaucpl.cpl.manifest
6/8/2006 6:00:58 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
5/27/2006 12:29:24 PM RH 0 C:\WINDOWS\system32\Drivers\hfile.txt
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\SysWOW64\cdplayer.exe.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\SysWOW64\ncpa.cpl.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\SysWOW64\nwc.cpl.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\SysWOW64\sapi.cpl.manifest
5/27/2006 12:29:38 PM RH 749 C:\WINDOWS\SysWOW64\wuaucpl.cpl.manifest
6/8/2006 6:00:58 PM H 1024 C:\WINDOWS\SysWOW64\config\systemprofile\ntuser.dat.LOG
5/27/2006 12:29:24 PM RH 0 C:\WINDOWS\SysWOW64\Drivers\hfile.txt
6/10/2006 5:11:44 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 3/25/2005 7:00:00 AM 69120 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 5/18/2005 6:17:54 PM 18726912 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 3/25/2005 7:00:00 AM 479744 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 112128 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 126976 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 366080 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 135168 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 189952 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 656384 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 55808 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 258560 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 115712 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 301056 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 3/25/2005 7:00:00 AM 94720 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
5/27/2006 12:31:00 PM HS 84 C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
5/27/2006 7:18:24 AM HS 62 C:\Documents and Settings\All Users.WINDOWS\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
5/27/2006 12:31:00 PM HS 84 C:\Documents and Settings\Administrator.HENTSCHELS\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
5/27/2006 7:18:24 AM HS 62 C:\Documents and Settings\Administrator.HENTSCHELS\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files (x86)\Softwin\BitDefender9\bdshelxt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\syswow64\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\syswow64\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~2\TROJAN~1.5\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files (x86)\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\syswow64\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{D653647D-D607-4df6-A5B8-48D2BA195F7B}
= C:\Program Files (x86)\Softwin\BitDefender9\bdshelxt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\a2ContMenu
{AB77609F-2178-4E6F-9C4B-44AC179D937A} = C:\PROGRA~2\A-SQUA~1\A2CONT~1.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BitDefender Antivirus v8
{D653647D-D607-4DF6-A5B8-48D2BA195F7B} = C:\Program Files (x86)\Softwin\BitDefender9\bdshelxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~2\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~2\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{D653647D-D607-4df6-A5B8-48D2BA195F7B}
= C:\Program Files (x86)\Softwin\BitDefender9\bdshelxt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{EB4D3CFE-E2AA-4C6E-B2FE-2A749F95D208}
= C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBShell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\syswow64\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~2\TROJAN~1.5\contmenu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = C:\Program Files (x86)\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\syswow64\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\syswow64\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\syswow64\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\syswow64\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7D4D6379-F301-4311-BEBA-E26EB0561882}
= C:\Program Files (x86)\Common Files\Ahead\lib\NeroDigitalExt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\SysWOW64\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\SysWOW64\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\SysWOW64\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\SysWOW64\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\syswow64\SHELL32.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
BDMCon "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"
BDOESRV "C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe"
BDSwitchAgent "c:\program files (x86)\softwin\bitdefender9\bdswitch.exe"
SYSWB6 SYSWB6
BDNewsAgent "c:\program files (x86)\softwin\bitdefender9\bdnagent.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
NoAddingComponents 1
NoComponents 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoActiveDesktop 1
NoActiveDesktopChanges 1
ForceActiveDesktopOn 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~2\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
scforceoption 0
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\syswow64\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\syswow64\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\SysWOW64\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\SysWOW64\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit
Shell = Explorer.exe
System = lsass.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy
= dimsntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\EFS
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs sockspy.dll


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/10/2006 5:22:05 AM


Log from the Kaspersky scan. Only thing I noticed was some entries in the last column finding a few corrupt files.

Total                 175492   0   0   0   0   1970   428   76   3
System Memory            702   0   0   0   0      1     0    0   0
Startup Objects          285   0   0   0   0      2     3    0   0
System Restore         27864   0   0   0   0    307    50    0   1
Mailboxes                145   0   0   0   0     66     0    0   0
All Hard Drives       146461   0   0   0   0   1593   375   76   2
All Removable Drives      35   0   0   0   0      1     0    0   0

Let me know what you think and if I can do anything else.
Again, thanks loads.
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

Post by 'KotaGuy » June 10th, 2006, 11:44 pm

Ok... WinPFind log is clean...

I had a problem when I tried to run the online scan of Kaspersky. After I installed the ActiveX it ran for a while and then came up with a message saying that the install failed because I had to have administrator rights to download and install ActiveX and it seemed to think I didn't have admin rights. Also it said I had to set IE security to medium (where it already was/is).
I went ahead and downloaded and installed the trial version and ran it. Results below. Let me know if I did something wrong and there is a different approach I should be trying.
I find this whole "not an administrator" troubling.


Not sure what caused this... I am assuming your account has Admin rights... could be a conflict between your 64bit architecture and the online scanner somewhere... might have just been a hiccup with their scanner.

One other item. I have a folder on my second HD that has popped up and it won't let me in, "System Volume Information." I can get into the same named one on my C drive but the one on my D drive won't let me in. It makes me very uncomfortable not knowing why I can't get into it or delete it. Any thoughts?


System Volume Information folders hold the data for the System Restore function... which is why it won't let you delete it... nothing to worry about there.

Try this for me please...

Download The Hoster. Extract and run it. Then click on "Restore Original Hosts". Close the program when complete.

Reboot and post a new HJT log.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

that might have finally got it

Post by VVoyager » June 11th, 2006, 7:43 am

Ran Hoster but those entries popped right back. Then I got wondering about WeBlocker, so I removed WeBlocker and then ran Hoster again. Finally no more SafeWeb entries.
Here is my newest HJT log. Looks to me like we finally got this one sorted out.
Thanks sooooooooo much for your help. I might reinstall WeBlocker now but at least I won't be wondering all the time what that entry is doing to my computer.
One question on installation volume drive. Why would I be able to get into the installation volume drive on C but not the one on D? Any ideas?
Anyway thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 6:42:47 AM, on 6/11/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdswitch.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdnagent.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe
c:\program files (x86)\softwin\bitdefender9\bdmcon.exe
D:\My Documents\Tim\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
F2 - REG:system.ini: UserInit=userinit
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "c:\program files (x86)\softwin\bitdefender9\bdswitch.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "c:\program files (x86)\softwin\bitdefender9\bdnagent.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files (x86)\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8767173140
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

Post by 'KotaGuy » June 11th, 2006, 2:17 pm

Fix this line as well...

O4 - Startup: PowerReg Scheduler V3.exe

Reboot and post a new HJT log.

One question on installation volume drive. Why would I be able to get into the installation volume drive on C but not the one on D? Any ideas?


I'm assuming you meant the System Volume Information folders and not the installation volume drive?

It's a permissions thing... you would need to Take Ownership of the folder and give yourself access to it.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada

you are right

Post by VVoyager » June 11th, 2006, 4:13 pm

I meant System Volume Information. How does one "take ownership" of a folder? I'm just uncomfortable not being able to see everything on my discs.
Here is the latest HJT log taken after I eliminated the PowerReg Scheduler.
Thanks again for all your help.

Logfile of HijackThis v1.99.1
Scan saved at 3:08:53 PM, on 6/11/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe
C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe
c:\program files (x86)\softwin\bitdefender9\bdswitch.exe
c:\program files (x86)\softwin\bitdefender9\bdnagent.exe
C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe
D:\My Documents\Tim\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6711
F2 - REG:system.ini: UserInit=userinit
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files (x86)\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files (x86)\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files (x86)\Softwin\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8767173140
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: EFS - C:\WINDOWS\SYSTEM32\sclgntfy.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files (x86)\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files (x86)\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files (x86)\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

Post by 'KotaGuy » June 11th, 2006, 6:53 pm

Your HJT log is now clean :)

Though you really shouldn't mess with the SVI folders... you can follow the instructions here to access them.
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
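The helper's routine here is to compare each new HJT log with the previous one after a fix. As an added example that is not code from the thread or from HijackThis, the script below parses HJT entry lines ("<code> - <body>") and diffs two logs; the two log excerpts are constructed from the lines posted above (before and after the O4 Startup item was fixed).

```python
import re
from typing import Dict, List, Tuple

# An HJT entry line is "<code> - <body>", e.g. "O4 - Startup: PowerReg Scheduler V3.exe".
# Header lines ("Logfile of ...", "Platform: ...") and the process list do not match.
_ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Constructed excerpts of the two logs posted above (first log = before the
# "O4 - Startup" item was fixed, second log = after the reboot).
LOG_BEFORE = "\n".join([
    r"Logfile of HijackThis v1.99.1",
    r"Running processes:",
    r"C:\WINDOWS\SOUNDMAN.EXE",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r'O4 - HKLM\..\Run: [BDMCon] "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"',
    r"O4 - Startup: PowerReg Scheduler V3.exe",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
])
LOG_AFTER = "\n".join([
    r"Logfile of HijackThis v1.99.1",
    r"Running processes:",
    r"C:\WINDOWS\SOUNDMAN.EXE",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r'O4 - HKLM\..\Run: [BDMCon] "C:\Program Files (x86)\Softwin\BitDefender9\bdmcon.exe"',
    r'O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files (x86)\Webroot\Spy Sweeper\SpySweeper.exe" /startintray',
    r"O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll",
])


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group HJT entry bodies by their section code (R0, O4, O20, ...)."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["code"], []).append(m["body"])
    return entries


def diff_hjt(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added): full entry lines present in only one of the logs."""
    def as_set(text: str) -> set:
        return {f"{code} - {body}"
                for code, bodies in parse_hjt(text).items() for body in bodies}
    old, new = as_set(before), as_set(after)
    return sorted(old - new), sorted(new - old)


def startup_folder_items(text: str) -> List[str]:
    """O4 entries loaded from a Startup folder rather than a Run key; the
    helper in this thread asked for exactly such an item to be fixed."""
    return [b for b in parse_hjt(text).get("O4", []) if b.startswith("Startup:")]


if __name__ == "__main__":
    removed, added = diff_hjt(LOG_BEFORE, LOG_AFTER)
    print("Removed since last log:", *removed, sep="\n  ")
    print("Added since last log:", *added, sep="\n  ")
    print("Startup-folder items still present:", startup_folder_items(LOG_AFTER))
```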

thanks loads

Post by VVoyager » June 11th, 2006, 8:14 pm

Don't plan to do any messing with the SVI folder but do want to know how to access it.
Thanks again. :D
VVoyager
Active Member
 
Posts: 8
Joined: June 9th, 2006, 7:10 am
Location: Kansas

Post by 'KotaGuy » June 11th, 2006, 8:16 pm

No problem... some preventative suggestions...

If you don't have them, download Ad-Aware and Spybot S&D. Visit this page for proper configuration of Spybot and Ad-Aware. Run and scan with both, letting them fix whatever they find. Remember to reboot between each scan.

I recommend downloading and installing SpywareBlaster, SpywareGuard, and IE-SPYAD as well. The programs are free and can be updated... so please do so. Installing these will go a long way in preventing reinfection.

If you don't have one, I recommend installing a Firewall. I'm sure you've heard of ZoneAlarm.

Check out these links How'd I get Infected and Understanding Spyware as well, some good information for you.

Other than that, remember to update Windows frequently, update your protection programs, scan often and...

Surf Safe!
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada