
WinFixer/ISearch and Start > Run > CMD Issue (HJT log)

Discussion in 'Malware and Virus Removal Archive' started by Bubba, 2007/06/19.

Thread Status:
Not open for further replies.
  1. 2007/06/19
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    I have a Start > Run > CMD issue described in http://www.windowsbbs.com/showthread.php?t=65317 and apparently have WinFixer/ISearch malware indicated by a recent Spybot Search & Destroy log:

    C:\WINDOWS\Temp\~wa6psetup.exe is infected with WinFixer
    C:\WINDOWS\Temp\NI.UWA6P_0001_N91M1807\setup.exe is infected with WinFixer
    C:\WINDOWS\Sm9obiBNYXRoZXdz\mA6Cv21hsrlCtrxW.vbs is infected with Spyware.ISearch
    C:\Program Files\Common Files\Companion Wizard\WapCHK.dll is infected with WinFixer
    C:\Documents and Settings\john\My Documents\My Videos\reference.exe is infected with Adware.Starware
    ==========

    This is the latest hijackthis file:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:16:22 PM, on 6/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SiteAdvisor\6066\SAService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\john\My Documents\hijack this\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138381294296
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.237/ecwplugins/ncs.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freeware/cab/installprivacyprotector.cab
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
     
  2. 2007/06/19
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Just to clarify and finalize something from the original thread regarding the issues with "command ". In that thread you mentioned that you need this to use for networking and previously had downloaded it. What you are looking for is a Microsoft Windows NT IPConfig Utility. It's called WNTIPCFG. It is not included in Windows XP but can be downloaded from MS here:
    (download, store in a safe location and install it AFTER this spyware issue has been resolved)
    http://download.microsoft.com/downl...ntipcfg/1.00.0.1/nt5/en-us/WntIpcfg_setup.exe
    It's from the Windows 2000 Resource Kit but works fine on XP. On Windows 98 this tool was included, it was called WINIPCFG.

    Secondly, you mentioned that you scanned using Spybot. But apparently you are using SpywareBot, which is a different program than Spybot. Spybot is "short" for Spybot Search & Destroy, the more common spyware removal tool users recommend. I've seen folks confuse the two programs. Get Spybot here:
    http://www.safer-networking.org/en/mirrors/index.html

    ...then wait for noahdfear's reply.
     
    Last edited: 2007/06/19


  4. 2007/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    edit
    I see Tony has already posted info re: spywarebot, but I'm leaving what I wrote as well


    Hi Bubba,

    It appears that you have installed a less-than-desirable application instead of Spybot Search and Destroy. SpywareBot is on the list of rogue antispyware applications.

    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    First, download ATF Cleaner by Atribune from the following link, saving it to your desktop.

    Open Add/Remove Programs in the Control Panel, then remove SpywareBot. Reboot if prompted.

    Now Start ATF Cleaner. Click Select All, then Empty Selected. Exit ATF cleaner and reboot when it completes.

    Using Internet Explorer, go to Panda ActiveScan << right click that link and select 'Add to Favorites'
    • Once you are on the Panda site click the Scan your PC now button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select Home User
    • Select No to receiving marketing information
    • Click the Free Online Scan button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When the download is complete, click on the My Computer icon to start the scan
    • When the scan completes, click the See Report button, then Save Report and save it to a convenient location such as your desktop
    Post the contents of the ActiveScan report along with a fresh HJT log.
     
  5. 2007/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Forgot to mention previously .......... you are running both Avast and AVG antivirus programs. Not recommended to run two, as they will often interfere with each other's performance. I recommend you uninstall one of those as well. ;)
     
  6. 2007/06/19
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    Thanks for the responses, I quickly realized that I had installed the wrong anti-spyware program and installed the right one. My new problem that I found just a few minutes ago is a Trojan downloader and I need to know how to get rid of it. The program I used, Kaspersky, apparently just scans.

    Trojan-Downloader.Win32.Adload.jm
     
    Last edited: 2007/06/20
  7. 2007/06/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I cannot tell you how to rid your computer of anything without knowing the name and location of the infected file(s). Please post a scan log. A Kaspersky scan log will suffice for now, but I'd still like the Panda scan completed and report posted.
     
  8. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    The Panda search showed I had a virus and disinfected it. The report I have just shows spyware. I am also posting the hijackthis log.

    Incident Status Location

    Spyware:Cookie/DelfinMedia Not disinfected C:\Deckard\System Scanner\20070619005435\backup\DOCUME~1\john\LOCALS~1\Temp\Cookies\john@delfinproject[2].txt
    Spyware:Cookie/Go Not disinfected C:\Deckard\System Scanner\20070619005435\backup\DOCUME~1\john\LOCALS~1\Temp\Cookies\john@go[2].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Deckard\System Scanner\20070619005435\backup\DOCUME~1\john\LOCALS~1\Temp\Cookies\john@www.winantivirus[2].txt
    Spyware:Cookie/Winantivirus Not disinfected C:\Deckard\System Scanner\20070619005435\backup\WINDOWS\temp\Cookies\john@www.winantivirus[1].txt
    Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\john\Cookies\john@ads.addynamix[1].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\john\Cookies\john@ads.pointroll[1].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\john\Cookies\john@advertising[1].txt
    Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\john\Cookies\john@bluestreak[2].txt
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\john\Cookies\john@bravenet[1].txt
    Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\john\Cookies\john@burstnet[2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\john\Cookies\john@ccbill[1].txt
    Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\john\Cookies\john@counter.hitslink[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\john\Cookies\john@go[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\john\Cookies\john@mediaplex[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\john\Cookies\john@overture[2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\john\Cookies\john@perf.overture[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\john\Cookies\john@questionmarket[2].txt
    Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\john\Cookies\john@server.iad.liveperson[2].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\john\Cookies\john@statse.webtrendslive[1].txt
    Spyware:Cookie/Target Not disinfected C:\Documents and Settings\john\Cookies\john@target[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\john\Cookies\john@toplist[1].txt
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\john\Cookies\john@www.burstbeacon[2].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\john\Cookies\john@xiti[1].txt
    Spyware:Spyware/New Not disinfected C:\Documents and Settings\john\My Documents\My Pictures\hangman.exe
    Adware:Adware/Comet Not disinfected C:\Documents and Settings\john\My Documents\My Videos\reference.exe[ "Starware.dll"]
    Potentially unwanted tool:Application/WinFixer2006 Not disinfected C:\Program Files\Common Files\Companion Wizard\WapCHK.dll
    Adware:Adware/Mytoolbar Not disinfected C:\RECYCLER\S-1-5-21-1715567821-343818398-839522115-1004\Dc1.exe
    Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\keyboard1.dat
    Adware:Adware/CommAd Not disinfected C:\WINDOWS\Sm9obiBNYXRoZXdz\mA6Cv21hsrlCtrxW.vbs
    Potentially unwanted tool:Application/RealSpy Not disinfected C:\WINDOWS\system32\actskn45.ocx

    Logfile of HijackThis v1.99.1
    Scan saved at 10:35:50 AM, on 6/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SiteAdvisor\6066\SAService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\john\My Documents\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigblueheaven.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Yahoo! Freecell Solitaire - http://presence.games.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138381294296
    O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://63.241.168.237/ecwplugins/ncs.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebase/AxisCamControl.ocx
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://www.homesteadhotels.com/minisite/accommodations/surround/MSSurVid.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
    O16 - DPF: {E596DF5F-4239-4D40-8367-EBADF0165917} - http://privacyprotector.com/.freeware/cab/installprivacyprotector.cab
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
     
  9. 2007/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan again with HijackThis. Place a check next to the following entry, then click Fix Checked.

    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

    Close HijackThis.

    Open C:\Program Files and delete the SpywareBot folder if present.

    Open Internet Options in the Control Panel. Click Delete Cookies. Note that this will delete all cookies, including the ones set by this forum and possibly other sites, that allow automatic login.

    Open My Computer and right click Local Disk C:, then select properties. Click Disk Cleanup. Once disk cleanup is done calculating, a dialog box will open. Check all boxes and click OK. Wait for it to complete.

    Click here (link removed ..... noahdfear) to download bubbafix.exe, a self-extracting exe which contains a batch I wrote to remove the rogue files and gather some information. Save it to your desktop. Double click bubbafix.exe, then click Start to extract the file to the desktop. Double click bubbafix.bat and wait for it to complete. Log.txt will be created on the desktop and open when done. Post the contents of that log.
     
    Last edited: 2007/06/20
  10. 2007/06/20
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    I ran bubbafix and it said my keyboard was deleted!
    ...words from a new poster in two weeks.
    Don't forget to kill the download when finished w/ it!
     
  11. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    Thanks guys, I'll try and get this done. BTW, I removed spywarebot after I realized it wasn't the right one.
     
    Last edited: 2007/06/21
  12. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    OK, I did all of that and here is the bubbafix log:

    C:\WINDOWS\keyboard1.dat deleted
    C:\WINDOWS\system32\actskn45.ocx deleted
    C:\Program Files\Common Files\Companion Wizard deleted
    C:\WINDOWS\Sm9obiBNYXRoZXdz not deleted
    C:\Documents and Settings\john\My Documents\My Pictures\hangman.exe deleted
    C:\Documents and Settings\john\My Documents\My Videos\reference.exe deleted

    Windows directory com files



    System32 com files


    chcp.com
    cmd.com
    command.com
    diskcomp.com
    diskcopy.com
    edit.com
    format.com
    graftabl.com
    graphics.com
    kb16.com
    loadfix.com
    mode.com
    more.com
    ping.com
    tasklist.com
    tracert.com
    tree.com
    win.com
    
     
  13. 2007/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Not to worry, Tony ........ it's already gone ;)

    Bubba,

    Click here to download EMCO MoveOnBoot. Save it to the desktop, then run the setup to install. If it opens a web page, just close it. Run the program when setup is complete.

    Click the Delete Actions button and select Delete Folder. Use the browse button to the right of the window to select the following folder, then click OK.

    C:\Windows\Sm9obiBNYXRoZXdz

    It should now show on the main window, Action to DELETE FOLDER ON NEXT REBOOT

    Click Delete Actions button again, then select Delete File(s). Browse to and select the following file, then click OK.

    C:\Windows\system32\cmd.com

    The file and path should now be displayed in the main window and show Action to DELETE FILE ON NEXT BOOT


    Now close MoveOnBoot and restart your computer.

    Upon restart, see if the folder was removed (C:\Windows\Sm9obiBNYXRoZXdz) and if cmd from the run line works as it should.

    Screenshots of MoveOnBoot


    removed instructions indicating path and filenames could be typed in
     
    Last edited: 2007/06/20
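    As an added example (not the bubbafix batch noahdfear posted, and not code from anywhere in this thread): a Python script that reads the ".com files" listing from Bubba's log above and flags .com files that share a base name with an .exe console tool. This is the companion-file shadowing behind the Run-line problem: the shell tries extensions in PATHEXT order, and .COM comes before .EXE, so a stray cmd.com next to cmd.exe is what "cmd" launches. The list of .exe names present in System32 is constructed for the example, since the thread does not include one.

```python
import re
from typing import Dict, Iterable, List, Optional

# Default PATHEXT order on Windows XP: .COM is tried before .EXE, so a stray
# cmd.com beside cmd.exe is what the Run box launches for the bare name "cmd".
PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH"]

# Constructed sample: the .com listing as it appears in the bubbafix log above.
SAMPLE_LOG = """\
Windows directory com files


System32 com files

chcp.com
cmd.com
command.com
diskcomp.com
diskcopy.com
edit.com
format.com
graftabl.com
graphics.com
kb16.com
loadfix.com
mode.com
more.com
ping.com
tasklist.com
tracert.com
tree.com
win.com
"""

# Constructed sample (an assumption, not from the thread): .exe console tools
# present in System32 on the scanned machine.
SAMPLE_SYSTEM32_EXES = ["cmd.exe", "ping.exe", "tasklist.exe", "tracert.exe",
                        "ipconfig.exe", "notepad.exe"]

SECTION_RE = re.compile(r"^(.+?) com files\s*$", re.IGNORECASE)


def parse_com_sections(log_text: str) -> Dict[str, List[str]]:
    """Split the listing into {section name: [lower-cased .com file names]}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.lower().endswith(".com"):
            sections[current].append(line.lower())
    return sections


def resolve_bare_name(name: str, present: Iterable[str],
                      pathext: List[str] = PATHEXT) -> Optional[str]:
    """Return the file the shell picks for an extension-less name, or None."""
    files = {f.lower() for f in present}
    for ext in pathext:
        candidate = (name + ext).lower()
        if candidate in files:
            return candidate
    return None


def find_shadowing_coms(com_files: Iterable[str], exe_files: Iterable[str]) -> List[str]:
    """.com files whose base name matches an .exe: these win over the .exe."""
    exe_stems = {f.lower()[:-4] for f in exe_files if f.lower().endswith(".exe")}
    return sorted(c for c in com_files if c[:-4] in exe_stems)


def report(log_text: str = SAMPLE_LOG,
           exe_files: Iterable[str] = SAMPLE_SYSTEM32_EXES) -> List[str]:
    """Flag System32 .com files that shadow a same-named .exe."""
    sections = parse_com_sections(log_text)
    return find_shadowing_coms(sections.get("System32", []), exe_files)


if __name__ == "__main__":
    for com in report():
        print(f"{com} shadows {com[:-4]}.exe; verify its origin before trusting it")
    print("bare 'cmd' resolves to:", resolve_bare_name("cmd", ["cmd.com", "cmd.exe"]))
```

    A base-name match is only a heuristic: confirm a flagged file by checking its size, timestamp and publisher against the matching .exe before removing it, as noahdfear did by inspecting the listing himself.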
  14. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    Thanks, I'll give it a try.
     
  15. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    This doesn't seem to be working like you said. After clicking on delete actions and then folders, it won't allow me to type in the windows address you mentioned and there isn't a browse box to click on.
     
  16. 2007/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry ...... not sure why I was thinking you could type it in. The browse button is a small button to the bottom right of the window with 3 periods on it.
     
  17. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    OK, I'll check it out.
     
  18. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0
    The first file mentioned isn't in my windows folder, hence I can't select it.
     
  19. 2007/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    It is a folder, not a file.

    You may need to have hidden files and folders showing. Open My Computer and click Tools on the menu, then Folder Options. Click the view tab, then scroll down and select 'show hidden files and folders'. Click OK and try using MoveOnBoot again.
     
  20. 2007/06/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I need to get some sleep ......... will check back with you tomorrow ;)
     
  21. 2007/06/20
    Bubba

    Bubba Inactive Thread Starter

    Joined:
    2004/10/14
    Messages:
    268
    Likes Received:
    0