
winantivirus popups....

Discussion in 'Malware and Virus Removal Archive' started by wheatln2, 2006/10/15.

  1. 2006/10/15
    wheatln2 (Inactive, Thread Starter)
    Hey everyone, this is my first post, and this seems like a decent MB so hopefully someone will be able to help me out.

    I started having problems about a month ago; they have been tolerable, but just downright annoying. Initially the popups were confined to just IE, but then they found their way into Firefox. At one stage, they were popping up and bringing up messages and lots of annoying things, akin to this page: http://en.wikipedia.org/wiki/WinFixer

    In the past few days I've been looking round online for a way to get rid of these. I ran scans in Windows Defender, Spybot S&D, AD-AWARE SE and Norton Anti-virus. Some of them found the problems, but none could fix them. My Bit Defender log is here, but bear in mind some of this may be inaccurate due to the work I've done as outlined below: http://www.redbrick.dcu.ie/~pubsoc/2005/other/bdscan.html

    I then went and got a cracked version of Spy Sweeper, and it managed to find the culprits as evidenced by the log here:

    11:05: Removal process completed. Elapsed time 00:00:34
    11:05: Quarantining All Traces: maxifiles
    11:05: Quarantining All Traces: trojan agent winlogonhook
    11:05: Quarantining All Traces: adperform
    11:05: Quarantining All Traces: virtumonde
    11:05: Removal process initiated
    11:04: Traces Found: 47
    11:04: Full Sweep has completed. Elapsed time 00:14:53
    11:04: File Sweep Complete, Elapsed Time: 00:13:34
    11:04: Warning: Failed to access drive E:
    11:04: Warning: Failed to access drive D:
    11:03: printhook030.dll (ID = 356091)
    11:03: pvmodule.exe (ID = 356093)
    10:58: services.dll (ID = 320790)
    10:58: Found Adware: maxifiles
    10:51: printview (6 subtraces) (ID = 2147531721)
    10:51: Starting File Sweep
    10:51: Cookie Sweep Complete, Elapsed Time: 00:00:00
    10:51: Starting Cookie Sweep
    10:51: Registry Sweep Complete, Elapsed Time:00:00:15
    10:51: HKU\S-1-5-21-1078081533-152049171-1060284298-1004\software\printview\ (ID = 1701420)
    10:51: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
    10:51: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
    10:51: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701537)
    10:51: HKLM\software\classes\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701527)
    10:51: HKLM\software\classes\printviewbho class\ (ID = 1701524)
    10:51: HKLM\software\classes\printviewbar.printviewbho.1\ (ID = 1701520)
    10:51: HKLM\software\classes\printviewbar.printviewbho\ (ID = 1701519)
    10:51: HKLM\software\classes\printview.printviewbarh.1\ (ID = 1701515)
    10:51: HKLM\software\classes\printview.printviewbarh\ (ID = 1701509)
    10:51: HKLM\software\classes\printview.printviewbar.1\ (ID = 1701505)
    10:51: HKLM\software\classes\printview.printviewbar\ (ID = 1701499)
    10:51: HKLM\software\classes\printview.csinstallinformation_pv.1\ (ID = 1701495)
    10:51: HKLM\software\classes\printview.csinstallinformation_pv\ (ID = 1701489)
    10:51: HKLM\software\classes\clsid\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701477)
    10:51: HKLM\software\classes\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701461)
    10:51: HKLM\software\classes\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701440)
    10:51: HKLM\software\classes\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701424)
    10:51: HKCR\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701410)
    10:51: HKCR\printviewbho class\ (ID = 1701407)
    10:51: HKCR\printviewbar.printviewbho.1\ (ID = 1701403)
    10:51: HKCR\printviewbar.printviewbho\ (ID = 1701402)
    10:51: HKCR\printview.printviewbarh.1\ (ID = 1701398)
    10:51: HKCR\printview.printviewbarh\ (ID = 1701392)
    10:51: HKCR\printview.printviewbar.1\ (ID = 1701388)
    10:51: HKCR\printview.printviewbar\ (ID = 1701382)
    10:51: HKCR\printview.csinstallinformation_pv.1\ (ID = 1701378)
    10:51: HKCR\printview.csinstallinformation_pv\ (ID = 1701372)
    10:51: HKCR\clsid\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701360)
    10:51: HKCR\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701344)
    10:51: HKCR\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701323)
    10:51: HKCR\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701307)
    10:51: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
    10:51: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
    10:51: HKLM\software\microsoft\mssmgr\ (ID = 937101)
    10:51: Found Trojan Horse: trojan agent winlogonhook
    10:51: Starting Registry Sweep
    10:51: Memory Sweep Complete, Elapsed Time: 00:00:57
    10:50: Detected running threat: PRINTH~1.DLL (ID = 356091)
    10:50: Found Adware: adperform
    10:50: Starting Memory Sweep
    10:50: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
    10:50: Found Adware: virtumonde
    10:50: Sweep initiated using definitions version 782
    10:50: Spy Sweeper 5.0.7.1608 started
    10:50: | Start of Session, 15 October 2006 |
    ********
    10:50: | End of Session, 15 October 2006 |
    10:49: Program Version 5.0.7.1608 Using Spyware Definitions 782
    10:49: Spy Sweeper 5.0.7.1608 started
    10:49: | Start of Session, 15 October 2006 |
    ********

    I thought this would have solved the problem, but a pretty harmless popup window (no javascript messages pop up now, just the window which can be closed). It also used to prevent me from typing into fields in webpages once it had popped up, but this problem no longer exists.

    So the basic fact is that something is still remaining, and while it's not that malicious or annoying at present, I'm just concerned that it could turn very messy again.

    Here's my current hijackthis log (and yes I did rename it to something other than hijackthis.exe).

    Logfile of HijackThis v1.99.1
    Scan saved at 15:11:59, on 15/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5450.0004)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SSU.EXE
    C:\Program Files\Mozilla Firefox 2 beta\Mozilla Firefox 2 Beta 2\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\mmc.exe
    C:\Program Files\SPYWARE REMOVAL\hijackthis\jackme.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\pgemydpg.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {A10A7C5C-D5D3-4F6F-B5C9-96951D41F321} - C:\WINDOWS\Config\svsnifo.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] "C:\PROGRA~1\SYMNET~1\SNDMon.exe" /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: svsnifo - C:\WINDOWS\Config\svsnifo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winfzj32 - winfzj32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


    Any ideas or tips on what I could get rid of here would be great. Many thanks everyone and keep up the good work. :)
     
  2. 2006/10/15
    TeMerc (Inactive, Alumni)
    Hello and welcome to WindowsBBS Forums.

    Yes, Vundo can be a stubborn bugger for just about all a-s apps. Let's run Vundo Fix and see what it finds.

    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the *Scan for Vundo* button." when VundoFix appears at reboot.
     


  4. 2006/10/16
    wheatln2 (Inactive, Thread Starter)
    Thanks TeMerc, that managed to do the trick! What a handy little tool. Hopefully things will stay pretty OK now too. Presumably no one spots anything malicious in this log?

    Logfile of HijackThis v1.99.1
    Scan saved at 23:34:04, on 16/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox 2 beta\Mozilla Firefox 2 Beta 2\firefox.exe
    C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
    C:\DOCUME~1\wheatln2\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\DOCUME~1\wheatln2\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
    C:\DOCUME~1\wheatln2\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\DOCUME~1\wheatln2\LOCALS~1\Temp\Adobelm_Cleanup.0001
    C:\Program Files\WinSCP\WinSCP3.exe
    C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
    C:\Program Files\SPYWARE REMOVAL\hijackthis\jackme.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\pgemydpg.dll (file missing)
    O2 - BHO: (no name) - {4386D028-52E1-4B33-88B7-9003C8FF0166} - C:\WINDOWS\Config\svsnifo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe "
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371050.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winfzj32 - winfzj32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

     
  5. 2006/10/16
    TeMerc (Inactive, Alumni)
    Did you happen to save the Vundo log? Would like to see it if possible, thanks.

    Still have a few items to remove though, but they should go easily.

    Run Hijackthis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have No IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}

    O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\pgemydpg.dll (file missing)
    O2 - BHO: (no name) - {4386D028-52E1-4B33-88B7-9003C8FF0166} - C:\WINDOWS\Config\svsnifo.dll (file missing)

    O20 - Winlogon Notify: winfzj32 - winfzj32.dll (file missing)

    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then search for and delete, if found (some may not be present after the previous steps), the following files/folders:
    C:\WINDOWS\system32\pgemydpg.dll <<<--this file
    C:\WINDOWS\Config\svsnifo.dll<<<--this file
    winfzj32.dll <<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
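The entries TeMerc singled out by eye can also be picked out mechanically. The following is an added example, not part of the thread or of HijackThis: a small Python triage of the log format, run over lines copied from the first and last logs above. Its rules (an unnamed BHO loaded from the Windows directory, a Winlogon Notify DLL that is missing or outside System32, a host added to the Trusted Zone, and one DLL registered at more than one load point) are this example's own heuristics, not an authoritative allow-list.

```python
"""Triage HijackThis v1.99 entries the way the thread above does by hand.

Added example, not part of the thread or of HijackThis itself. Sample lines
are copied from the first and last logs posted above; the rules are a
defender's heuristics, not an authoritative allow-list.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the first HijackThis log in the thread (pre-cleanup).
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\pgemydpg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {A10A7C5C-D5D3-4F6F-B5C9-96951D41F321} - C:\WINDOWS\Config\svsnifo.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: svsnifo - C:\WINDOWS\Config\svsnifo.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winfzj32 - winfzj32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Constructed sample: the matching subset of the final log in the thread (post-cleanup).
LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
WINDOWS_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\", re.IGNORECASE)
SYSTEM32_FILE = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)


def parse(log_text):
    """Yield (section, body, line) for each HijackThis entry; the process list etc. are skipped."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def entry_file(body):
    """Split the trailing file reference of an O2/O20 body into (basename, reference, missing)."""
    tail = body.rsplit(" - ", 1)[-1].strip()
    missing = tail.endswith("(file missing)")
    ref = tail[: -len("(file missing)")].strip() if missing else tail
    return ref.rsplit("\\", 1)[-1].lower(), ref, missing


def triage(log_text):
    """Return {entry line: [reasons]} for the entries a responder should look at."""
    reasons = defaultdict(list)
    load_points = defaultdict(set)  # dll basename -> {(section, line)} where it is registered
    for section, body, line in parse(log_text):
        if section in ("O2", "O20"):
            name, ref, missing = entry_file(body)
            load_points[name].add((section, line))
            if section == "O2" and "(no name)" in body and WINDOWS_DIR.match(ref):
                # Legitimate BHOs normally carry a class name and live under Program Files.
                reasons[line].append("unnamed BHO loaded from the Windows directory")
            elif section == "O20" and missing:
                reasons[line].append("dangling Winlogon Notify registration, DLL no longer on disk")
            elif section == "O20" and not SYSTEM32_FILE.match(ref):
                # Notify packages load inside winlogon.exe, which is why such a DLL
                # survives a normal-mode delete and needs Safe Mode, as in the thread.
                reasons[line].append("Winlogon Notify DLL outside System32")
        elif section == "O15":
            reasons[line].append("host added to the IE Trusted Zone (relaxed security settings)")
    # One DLL registered as both a BHO and a Winlogon hook is the pairing seen with svsnifo.dll.
    for name, points in load_points.items():
        sections = sorted({s for s, _ in points})
        if len(sections) > 1:
            for _, line in points:
                reasons[line].append(f"{name} registered at several load points: {', '.join(sections)}")
    return dict(reasons)


def removed_entries(before, after):
    """Entries present before cleanup and absent afterwards: what the fix actually took out."""
    after_lines = {line for _, _, line in parse(after)}
    return [line for _, _, line in parse(before) if line not in after_lines]


if __name__ == "__main__":
    for line, why in triage(LOG_BEFORE).items():
        print(line.split(" - ", 1)[1][:60], "->", "; ".join(why))
    print("removed by cleanup:", len(removed_entries(LOG_BEFORE, LOG_AFTER)))
    print("still flagged afterwards:", list(triage(LOG_AFTER)))
```

Run against the final log, the triage still reports the O15 Trusted Zone entry for locator.cdn.imageservr.com, which survived the cleanup and is worth a look.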
  6. 2006/10/18
    wheatln2 (Inactive, Thread Starter)
    Hi TeMerc, it appears to be gone now, though I have thought that in the past and they've come back. Here are the current logs (incidentally, once I followed your steps in the last post and ran new searches, nothing new other than a tracking cookie showed up).


    Here's the new hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:12:22, on 18/10/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Azureus\Azureus.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Mozilla Firefox 2 beta\Mozilla Firefox 2 Beta 2\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\SPYWARE REMOVAL\hijackthis\jackme.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe "
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner371050.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\SPYWARE REMOVAL\Spy Sweeper\SpySweeper.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    [/SIZE]



    Here's the vundofix log:

    [SIZE= "1"]
    VundoFix V6.2.2

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 02:54:23 16/10/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\ormcaytv.exe
    C:\WINDOWS\Config\svsnifo.dll
    C:\WINDOWS\Config\ofinsvs.ini
    C:\WINDOWS\Config\ofinsvs.bak1
    C:\WINDOWS\Config\ofinsvs.bak2
    C:\WINDOWS\Config\ofinsvs.tmp

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ormcaytv.exe
    C:\WINDOWS\system32\ormcaytv.exe Has been deleted!

    Attempting to delete C:\WINDOWS\Config\svsnifo.dll
    C:\WINDOWS\Config\svsnifo.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\Config\ofinsvs.ini
    C:\WINDOWS\Config\ofinsvs.ini Has been deleted!

    Attempting to delete C:\WINDOWS\Config\ofinsvs.bak1
    C:\WINDOWS\Config\ofinsvs.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\Config\ofinsvs.bak2
    C:\WINDOWS\Config\ofinsvs.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\Config\svsnifo.dll
    C:\WINDOWS\Config\svsnifo.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.2.2

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 12:41:26 16/10/2006

    Listing files found while scanning....

    C:\WINDOWS\Config\svsnifo.dll
    C:\WINDOWS\Config\ofinsvs.ini
    C:\WINDOWS\Config\ofinsvs.bak2

    Beginning removal...

    Attempting to delete C:\WINDOWS\Config\svsnifo.dll
    C:\WINDOWS\Config\svsnifo.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\Config\ofinsvs.ini
    C:\WINDOWS\Config\ofinsvs.ini Has been deleted!

    Attempting to delete C:\WINDOWS\Config\ofinsvs.bak2
    C:\WINDOWS\Config\ofinsvs.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\Config\svsnifo.dll
    C:\WINDOWS\Config\svsnifo.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.2.2

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 21:55:44 17/10/2006

    Listing files found while scanning....


    VundoFix V6.2.2

    Checking Java version...

    Java version is 1.5.0.6

    Scan started at 00:10:08 18/10/2006

    Listing files found while scanning....

    No infected files were found.

    [/SIZE]




    And here's the spy sweeper log (includes all the searches since Sunday):

    [SIZE= "1"]01:18: Traces Found: 2
    01:18: Full Sweep has completed. Elapsed time 01:08:37
    01:18: File Sweep Complete, Elapsed Time: 01:05:58
    01:05: Warning: Failed to access drive E:
    01:05: Warning: Failed to access drive D:
    00:12: Starting File Sweep
    00:12: Cookie Sweep Complete, Elapsed Time: 00:00:00
    00:12: wheatln2@msnportal.112.2o7[1].txt (ID = 1958)
    00:12: Found Spy Cookie: 2o7.net cookie
    00:12: wheatln2@ad.yieldmanager[1].txt (ID = 3751)
    00:12: Found Spy Cookie: yieldmanager cookie
    00:12: Starting Cookie Sweep
    00:12: Registry Sweep Complete, Elapsed Time:00:00:13
    00:12: Starting Registry Sweep
    00:12: Memory Sweep Complete, Elapsed Time: 00:02:08
    00:10: Starting Memory Sweep
    00:10: Sweep initiated using definitions version 783
    00:10: Spy Sweeper 5.0.7.1608 started
    00:10: | Start of Session, 18 October 2006 |
    ********
    00:10: | End of Session, 18 October 2006 |
    00:09: Program Version 5.0.7.1608 Using Spyware Definitions 783
    22:41: Traces Found: 2
    22:41: Full Sweep has completed. Elapsed time 00:42:45
    22:41: File Sweep Complete, Elapsed Time: 00:40:18
    22:31: Warning: Failed to access drive E:
    22:31: Warning: Failed to access drive D:
    22:01: Starting File Sweep
    22:01: Cookie Sweep Complete, Elapsed Time: 00:00:00
    22:01: wheatln2@msnportal.112.2o7[1].txt (ID = 1958)
    22:01: Found Spy Cookie: 2o7.net cookie
    22:01: wheatln2@ad.yieldmanager[1].txt (ID = 3751)
    22:01: Found Spy Cookie: yieldmanager cookie
    22:01: Starting Cookie Sweep
    22:01: Registry Sweep Complete, Elapsed Time:00:00:12
    22:00: Starting Registry Sweep
    22:00: Memory Sweep Complete, Elapsed Time: 00:01:21
    21:59: Starting Memory Sweep
    21:58: Sweep initiated using definitions version 783
    21:58: Spy Sweeper 5.0.7.1608 started
    21:58: | Start of Session, 17 October 2006 |
    ********
    21:58: | End of Session, 17 October 2006 |
    21:58: Program Version 5.0.7.1608 Using Spyware Definitions 783
    21:56: Program Version 5.0.7.1608 Using Spyware Definitions 782
    11:13: | End of Session, 15 October 2006 |
    11:12: Common Ad Sites Shield: On
    11:12: Keylogger Shield: On
    11:12: IE Tracking Cookies Shield: On
    Keylogger Shield: Off
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: Off
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    11:11: Shield States
    11:11: Spyware Definitions: 782
    11:11: Spy Sweeper 5.0.7.1608 started
    10:50: | End of Session, 15 October 2006 |
    10:49: Program Version 5.0.7.1608 Using Spyware Definitions 782
    10:49: Spy Sweeper 5.0.7.1608 started
    10:49: | Start of Session, 15 October 2006 |
    ********
    11:05: Removal process completed. Elapsed time 00:00:34
    11:05: Quarantining All Traces: maxifiles
    11:05: Quarantining All Traces: trojan agent winlogonhook
    11:05: Quarantining All Traces: adperform
    11:05: Quarantining All Traces: virtumonde
    11:05: Removal process initiated
    11:04: Traces Found: 47
    11:04: Full Sweep has completed. Elapsed time 00:14:53
    11:04: File Sweep Complete, Elapsed Time: 00:13:34
    11:04: Warning: Failed to access drive E:
    11:04: Warning: Failed to access drive D:
    11:03: printhook030.dll (ID = 356091)
    11:03: pvmodule.exe (ID = 356093)
    10:58: services.dll (ID = 320790)
    10:58: Found Adware: maxifiles
    10:51: printview (6 subtraces) (ID = 2147531721)
    10:51: Starting File Sweep
    10:51: Cookie Sweep Complete, Elapsed Time: 00:00:00
    10:51: Starting Cookie Sweep
    10:51: Registry Sweep Complete, Elapsed Time:00:00:15
    10:51: HKU\S-1-5-21-1078081533-152049171-1060284298-1004\software\printview\ (ID = 1701420)
    10:51: HKLM\software\classes\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704202)
    10:51: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\ (ID = 1704193)
    10:51: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701537)
    10:51: HKLM\software\classes\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701527)
    10:51: HKLM\software\classes\printviewbho class\ (ID = 1701524)
    10:51: HKLM\software\classes\printviewbar.printviewbho.1\ (ID = 1701520)
    10:51: HKLM\software\classes\printviewbar.printviewbho\ (ID = 1701519)
    10:51: HKLM\software\classes\printview.printviewbarh.1\ (ID = 1701515)
    10:51: HKLM\software\classes\printview.printviewbarh\ (ID = 1701509)
    10:51: HKLM\software\classes\printview.printviewbar.1\ (ID = 1701505)
    10:51: HKLM\software\classes\printview.printviewbar\ (ID = 1701499)
    10:51: HKLM\software\classes\printview.csinstallinformation_pv.1\ (ID = 1701495)
    10:51: HKLM\software\classes\printview.csinstallinformation_pv\ (ID = 1701489)
    10:51: HKLM\software\classes\clsid\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701477)
    10:51: HKLM\software\classes\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701461)
    10:51: HKLM\software\classes\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701440)
    10:51: HKLM\software\classes\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701424)
    10:51: HKCR\typelib\{24723349-c5c0-44c2-837d-84250e6b2a12}\ (ID = 1701410)
    10:51: HKCR\printviewbho class\ (ID = 1701407)
    10:51: HKCR\printviewbar.printviewbho.1\ (ID = 1701403)
    10:51: HKCR\printviewbar.printviewbho\ (ID = 1701402)
    10:51: HKCR\printview.printviewbarh.1\ (ID = 1701398)
    10:51: HKCR\printview.printviewbarh\ (ID = 1701392)
    10:51: HKCR\printview.printviewbar.1\ (ID = 1701388)
    10:51: HKCR\printview.printviewbar\ (ID = 1701382)
    10:51: HKCR\printview.csinstallinformation_pv.1\ (ID = 1701378)
    10:51: HKCR\printview.csinstallinformation_pv\ (ID = 1701372)
    10:51: HKCR\clsid\{d4e0c464-30ce-4075-9a10-71fd106c2847}\ (ID = 1701360)
    10:51: HKCR\clsid\{90fe6c53-f8b4-4631-b42a-02d63d1c949c}\ (ID = 1701344)
    10:51: HKCR\clsid\{51c5191a-9880-442f-897b-e96987522fbc}\ (ID = 1701323)
    10:51: HKCR\clsid\{10add1e8-ec8a-4719-b39d-b46dd1d6a65d}\ (ID = 1701307)
    10:51: HKLM\software\classes\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697697)
    10:51: HKCR\clsid\{b7672baf-e9a3-49b6-86b2-c81719a18a4c}\ (ID = 1697618)
    10:51: HKLM\software\microsoft\mssmgr\ (ID = 937101)
    10:51: Found Trojan Horse: trojan agent winlogonhook
    10:51: Starting Registry Sweep
    10:51: Memory Sweep Complete, Elapsed Time: 00:00:57
    10:50: Detected running threat: PRINTH~1.DLL (ID = 356091)
    10:50: Found Adware: adperform
    10:50: Starting Memory Sweep
    10:50: HKCR\clsid\{849b9523-785f-4014-9caf-079fb4a74c61}\inprocserver32\ (ID = 1728503)
    10:50: Found Adware: virtumonde
    10:50: Sweep initiated using definitions version 782
    10:50: Spy Sweeper 5.0.7.1608 started
    10:50: | Start of Session, 15 October 2006 |
    ********
    15:11: Warning: A required privilege is not held by the client
    Operation: File Access
    Target:
    Source: C:\PROGRA~1\NORTON~1\NAVW32.EXE
    13:11: Tamper Detection
    12:42: None
    12:42: Traces Found: 0
    12:42: Full Sweep has completed. Elapsed time 01:29:30
    12:42: File Sweep Complete, Elapsed Time: 01:26:31
    11:57: Warning: Failed to access drive E:
    11:57: Warning: Failed to access drive D:
    11:15: Starting File Sweep
    11:15: Cookie Sweep Complete, Elapsed Time: 00:00:00
    11:15: Starting Cookie Sweep
    11:15: Registry Sweep Complete, Elapsed Time:00:00:13
    11:15: Starting Registry Sweep
    11:15: Memory Sweep Complete, Elapsed Time: 00:02:30
    11:13: Starting Memory Sweep
    11:13: Sweep initiated using definitions version 782
    11:13: Spy Sweeper 5.0.7.1608 started
    11:13: | Start of Session, 15 October 2006 |
    ********
    [/SIZE]


    Thanks to everyone for their help so far, it's much appreciated!
     
  7. 2006/10/18
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Very good, all appears to be well. Let me know if anything should reoccur. I'll leave this thread open for a couple of days to be on the safe side.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To prevent known malware-infested sites from loading in IE, install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from inserting themselves into startup on your machine, install WinPatrol v10.0.5.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, it is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And even though you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how secure you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
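    On the point above that HJT fixes are not global: a Run entry under HKCU lives in the hive of the account that ran HijackThis, so another account can still carry its own copy. The script below is an added example, not TeMerc's or the thread's code; it assumes PowerShell on Windows, an administrator prompt, and lists only the user hives currently loaded under HKEY_USERS (profiles that are not logged on will not appear until you log on as them and rerun it).

```powershell
# Added example: list autostart entries machine-wide and per loaded user hive,
# so a cleanup done in one account can be checked against the others.
$runSubkey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$results = @()

# Machine-wide entries (HijackThis "O4 - HKLM\..\Run"): apply to every account.
$machine = Get-ItemProperty -Path "HKLM:\$runSubkey" -ErrorAction SilentlyContinue
if ($machine) {
    foreach ($p in $machine.PSObject.Properties) {
        if ($p.Name -notmatch '^PS') {   # skip PSPath/PSChildName/... provider fields
            $results += [pscustomobject]@{ Scope = 'HKLM (all users)'; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Per-user entries (HijackThis "O4 - HKCU\..\Run"): each loaded profile hive has its own key.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$hives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }
foreach ($hive in $hives) {
    $sid  = $hive.PSChildName
    $user = $sid
    try {
        $user = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
    } catch { }   # SID of a deleted or unresolvable account: keep the raw SID
    $props = Get-ItemProperty -Path "HKU:\$sid\$runSubkey" -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') {
                $results += [pscustomobject]@{ Scope = "HKU $user"; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Winlogon Notify packages (HijackThis "O20") load into winlogon at every logon,
# so an entry here is machine-wide and survives a cleanup run from one account.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
    $results += [pscustomobject]@{ Scope = 'Winlogon Notify (all users)'; Name = $_.PSChildName; Command = $dll }
}

$results | Sort-Object Scope, Name | Format-Table -AutoSize
```

    Compare the per-hive rows with the O4 lines of each account's HJT log; an entry that appears under one user's hive only has to be fixed from that account.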
     
  8. 2006/10/18
    wheatln2

    wheatln2 Inactive Thread Starter

    Joined:
    2006/10/15
    Messages:
    4
    Likes Received:
    0
    Wow TeMerc, that's what I call a comprehensive post, many thanks for everything. I have done most of the work in my own account, so will go into administrator and run the apps from in there too to see if any changes occur.

    Thanks again,
    nigel
     