
looking for HJT log Spyware/Adware removal help.

Discussion in 'Malware and Virus Removal Archive' started by Shorerider, 2006/10/01.

  1. 2006/10/01
    Shorerider

    http://www.windowsbbs.com/showthread.php?t=58176

    I'm after some help with spyware. Could someone check out my HJT log?

    So here is the log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:27:08 PM, on 10/1/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\sumsw32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\The Cauchi's\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - C:\WINDOWS\questmod.dll (file missing)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe "
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
    Last edited: 2006/10/01
  2. 2006/10/01
    TeMerc

    Hi and welcome to the forums.

    Seems like we need to remove a few items here and there.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.

    You can do this by going to My Computer (Windows key+e), then double-click on C:, then right-click and select New, then Folder, and name it HJT (C:\HJT\HijackThis.exe). Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of modifications to use if a restore is necessary, which is easily accessible.

    Next I'd like to get an online scan and then also run Ewido before we get to fixing things with HJT.

    Go to this page, Panda ActiveScan
    • Click the 'Scan your PC' button. (You may have to disable any pop-up blockers.)
    • Then press the green 'Check Now' button.
    • Enter your country and state along with a valid email address.
    • Allow the ActiveX install, it may be a few minutes for all components. (For XP SP 2 watch for the yellow bar at the top of IE)
    • Once installation is complete you will need to select a device to scan. Please select 'My Computer' and the scan will begin.
    • Once the scan is done, click the 'See report' button, then the 'save report' button. Be sure to save the log file created in a place easy for you to find.
    (Please edit out all references to cookies)

    Then download Ewido Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
      • Launch ewido-anti-spyware by double-clicking the icon on your desktop.
      • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
      • ewido will now begin the scanning process; be patient, this may take a little time.
        Once the scan is complete do the following:
      • If you have any infections you will be prompted; then select "Apply all actions"
      • Next select the "Reports" icon at the top.
      • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
      • Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. (Please edit out any cookie references)

      Once both the above have been completed, post both logs here (cookie references edited), then run HijackThis! and give me a new log.
     


  4. 2006/10/01
    Shorerider

    Panda Active Scan log

    Incident Status Location

    Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    Adware:adware/alexa-toolbar Not disinfected c:\windows\system32\alxres.dll
    Adware:adware/admess Not disinfected c:\windows\system32\wstart.dll
    Adware:adware/topspyware Not disinfected c:\windows\system32\txfdb32.dll
    Adware:adware/antivirus-gold Not disinfected c:\windows\system32\runsrv32.exe
    Adware:adware/superspider Not disinfected c:\windows\system32\a.exe
    Spyware:spyware/bridge Not disinfected c:\windows\system32\bridge.dll
    Adware:adware/dailytoolbar Not disinfected c:\windows\system32\dailytoolbar.dll
    Adware:adware/cashdeluxe Not disinfected c:\windows\system32\winapi32.dll
    Adware:adware/secure32 Not disinfected c:\program files\secure32.html
    Adware:adware/vog Not disinfected c:\program files\internet explorer\winbrume.dat
    Adware:adware/thespyguard Not disinfected c:\windows\yod.htm
    Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe
    Adware:adware/transponder Not disinfected c:\windows\dlmax.dll
    Adware:adware/btgrab Not disinfected c:\windows\BTGrab.dll
    Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
    Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch
    Adware:adware/comet Not disinfected c:\program files\Comet
    Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts
    Potentially unwanted tool:application/antispywaresoldier Not disinfected hkey_current_user\software\ADV
    Dialer:dialer.ap Not disinfected hkey_current_user\software\Holistyc
    Adware:adware/ist.istbar Not disinfected Windows Registry
    Spyware:spyware/dluca Not disinfected Windows Registry
    Dialer:dialer.du Not disinfected hkey_classes_root\clsid\{7B55BB05-0B4D-44fd-81A6-B136188F5DEB}
    Potentially unwanted tool:application/altnet Not disinfected hkey_classes_root\clsid\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}
    Adware:adware/dollarrevenue Not disinfected Windows Registry
    Spyware:spyware/petro-line Not disinfected Windows Registry
    Spyware:spyware/surfsidekick Not disinfected Windows Registry
    Adware:adware/fastvideoplayer Not disinfected Windows Registry
    Adware:adware/sbsoft Not disinfected Windows Registry
    Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
    Adware:adware/wupd Not disinfected Windows Registry
    Dialer:dialer.cn Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{511F9316-771B-4953-A268-1C36DA667FE9}
    Dialer:dialer.bb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0191ABF4-9421-435E-9FFD-CD827A2A82D8}
    Virus:Trj/Gagar.P Disinfected C:\WINDOWS\system32\ifgwezhf.exe
    C:\Documents and Settings\The Cauchi's\Cookies\the cauchi's@fastclick[6].txt
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv514.jar-660bc3a5-60c20bb0.zip[Matrix.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv514.jar-660bc3a5-60c20bb0.zip[Dummy.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv652.jar-21a93260-299a028d.zip[Matrix.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv652.jar-21a93260-299a028d.zip[Dummy.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv469.jar-124dd1db-7821597b.zip[Matrix.class]
    Hacktool:Exploit/ByteVerify Not disinfected C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv469.jar-124dd1db-7821597b.zip[Dummy.class]
    Potentially unwanted tool:Application/PSkill.M Not disinfected C:\Documents and Settings\Owner\My Documents\Antispyware Soldier\pkill.exe
    Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE
    Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWay\myBar\1.bin\NPMYWAY.DLL
    Adware:Adware/Comet Not disinfected C:\Program Files\Comet\Data\csres.dat
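    The HJT log in post 1 and the Panda report above can be lined up mechanically, which is what a helper does by eye when deciding which HJT lines to fix. The Python script below is an added example, not something posted in this thread or shipped with HijackThis, Panda or Ewido: it parses a handful of lines copied from the two logs, pairs each HJT autostart entry with the Panda detection it corresponds to (by CLSID, exact path, flagged directory, or, weakly, file name alone), and lists the HJT entries whose file is already gone and the Panda findings that have no autostart entry at all. The HjtEntry and PandaHit names and the matching rules are this example's own assumptions about the two formats.

```python
# Added example, not part of the thread: cross-reference a HijackThis log with a Panda
# ActiveScan report. Excerpts are copied from the logs above; the matching rules are my own.
import re
from dataclasses import dataclass

HJT_EXCERPT = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - C:\WINDOWS\questmod.dll (file missing)
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
"""
PANDA_EXCERPT = r"""
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
Adware:adware/antivirus-gold Not disinfected c:\windows\system32\runsrv32.exe
Spyware:spyware/betterinet Not disinfected c:\windows\susp.exe
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Dialer:dialer.du Not disinfected hkey_classes_root\clsid\{7B55BB05-0B4D-44fd-81A6-B136188F5DEB}
Virus:Trj/Gagar.P Disinfected C:\WINDOWS\system32\ifgwezhf.exe
"""

HJT_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PANDA_RE = re.compile(r"^[^:]+:(?P<det>\S+) (?P<status>Not disinfected|Disinfected) (?P<loc>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")

@dataclass
class HjtEntry:
    section: str
    name: str
    clsid: str    # upper-cased so case differences between the two logs do not matter; "" if none
    target: str   # file path HJT reports; "" when it reports none
    orphan: bool  # the registration points at a file that is already gone
    raw: str

@dataclass
class PandaHit:
    detection: str
    disinfected: bool
    location: str  # file path, directory, or registry key

def parse_hjt_line(line):
    m = HJT_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O4":
        # O4 - HKLM\..\Run: [Name] command  (the path may be quoted and may carry arguments)
        nm = re.search(r"\[(?P<n>[^\]]*)\]\s*(?P<cmd>.*)$", body)
        name, cmd = nm.group("n"), nm.group("cmd").strip()
        target = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    elif sec in ("O2", "O3", "O9", "O23"):
        parts = body.split(" - ")  # "<kind>: <name> - <clsid or owner> - <path>"
        name, target = parts[0].split(": ", 1)[-1], parts[-1]
    else:
        name, target = body, ""
    for marker in ORPHAN_MARKERS:
        target = target.replace(marker, "")
    clsid = CLSID_RE.search(body)
    return HjtEntry(sec, name, clsid.group(0).upper() if clsid else "", target.strip(),
                    any(mk in body for mk in ORPHAN_MARKERS), line.strip())

def parse_panda_line(line):
    m = PANDA_RE.match(line.strip())
    return PandaHit(m.group("det"), m.group("status") == "Disinfected", m.group("loc")) if m else None

def match_strength(entry, hit):
    """How an HJT autostart entry relates to a scanner detection; strongest test first."""
    tgt, loc = entry.target.lower(), hit.location.lower().rstrip("\\")
    if entry.clsid and entry.clsid.lower() in loc:
        return "clsid"
    if not tgt or "\\" not in loc:
        return None
    if tgt == loc:
        return "exact path"
    if tgt.startswith(loc + "\\"):
        return "inside flagged directory"
    if tgt.rsplit("\\", 1)[-1] == loc.rsplit("\\", 1)[-1]:
        return "same file name, different directory"  # weak: confirm by hand
    return None

def _parsed(text, parse):
    return [x for x in map(parse, text.splitlines()) if x]

def triage(hjt_text, panda_text):
    """(section, entry name, match strength, Panda detection) per correlated HJT entry."""
    hits = _parsed(panda_text, parse_panda_line)
    return [(e.section, e.name, s, h.detection) for e in _parsed(hjt_text, parse_hjt_line)
            for h in hits if (s := match_strength(e, h))]

def orphaned(hjt_text):
    """HJT entries whose file is gone; the registration itself still needs removing."""
    return [e.raw for e in _parsed(hjt_text, parse_hjt_line) if e.orphan]

def unmatched_hits(hjt_text, panda_text):
    """Panda findings with no autostart entry in HJT (already disinfected, or started another way)."""
    entries = _parsed(hjt_text, parse_hjt_line)
    return [h for h in _parsed(panda_text, parse_panda_line)
            if not any(match_strength(e, h) for e in entries)]
```

    Calling triage(HJT_EXCERPT, PANDA_EXCERPT) pairs MYBAR.DLL and runsrv32.exe with their Panda entries by exact path, the questmod.dll BHO with dialer.du by CLSID, and the Transponder entry with spyware/betterinet only by file name: HJT starts C:\WINDOWS\system32\susp.exe while Panda flagged c:\windows\susp.exe, so those may be two different files and the weak match is the one to check by hand. unmatched_hits() is left with Trj/Gagar.P, which Panda already disinfected and which has no autostart entry in the excerpt.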
     
  5. 2006/10/01
    Shorerider

    Ewido Report-Scan log

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 12:39:31 PM 10/2/2006

    + Scan result:



    HKLM\SOFTWARE\Alexa Internet -> Adware.Alexa : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AlxTB.BHO -> Adware.Alexa : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\PopMenu.Menu -> Adware.Alexa : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Popup.PopupKiller -> Adware.Alexa : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Adware.Altnet : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Adware.Altnet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047226.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047248.exe -> Adware.BHO : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\jao.jao -> Adware.BlazeFind : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\BHO.CSBHO -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\BHO.CSBHO.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\BHO.CSBHO\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\BHO.CSBHO\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBRange.ByteRange -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBRange.ByteRange.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBRange.ByteRange\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBRange.ByteRange\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.HorizontalIEBand -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.HorizontalIEBand.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.HorizontalIEBand\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.HorizontalIEBand\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.VerticalIEBand -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.VerticalIEBand.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.VerticalIEBand\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSBand.VerticalIEBand\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSEngine -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSEngine.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSEngine\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSEngine\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSHost -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSHost.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSHost\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.CSHost\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.EvHandler -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.EvHandler.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.EvHandler\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSEng.EvHandler\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSCollection -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSCollection.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSCollection\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSCollection\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPDispatch -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPDispatch.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPDispatch\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPDispatch\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPPacket -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPPacket.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPPacket\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSIP.CSIPPacket\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CSSecurity.HTMLSecurity\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FCParam -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FCParam.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FCParam\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FCParam\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FctCall -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FctCall.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FctCall\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ComUtil.FctCall\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometAppUtil.CometUIEvents -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometAppUtil.CometUIEvents.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometAppUtil.CometUIEvents\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometAppUtil.CometUIEvents\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometIEToolbar.CometToolbar -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometIEToolbar.CometToolbar.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometIEToolbar.CometToolbar\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CometIEToolbar.CometToolbar\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.CSRegExp -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.CSRegExp.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.CSRegExp\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.CSRegExp\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxy -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxy.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxyMgr -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxyMgr.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxyMgr\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxyMgr\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxy\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.ContextProxy\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.URLContextParser -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.URLContextParser.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.URLContextParser\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\ContextParser.URLContextParser\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BHO1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BHO1.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BHO1\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BHO1\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BrowserAppProxy -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BrowserAppProxy.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BrowserAppProxy\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.BrowserAppProxy\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CS15Cursor -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CS15Cursor.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CS15Cursor\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CS15Cursor\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometCursor -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometCursor.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometCursor\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometCursor\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometFrame -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometFrame.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometFrame\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometFrame\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometWindow -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometWindow.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometWindow\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.CometWindow\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.FileInfo -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.FileInfo.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.FileInfo\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.FileInfo\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.HttpComm -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.HttpComm.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.HttpComm\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.HttpComm\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.MyBrowser1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.MyBrowser1.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.MyBrowser1\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.MyBrowser1\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.SelfUpdater -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.SelfUpdater.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.SelfUpdater\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.SelfUpdater\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.System -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.System.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.System\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.System\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.WindowProxy -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.WindowProxy.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.WindowProxy\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Core.WindowProxy\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DMProxy.DMProxyCtl.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DMServer.DMNotify -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DMServer.DMNotify.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DMServer.DMNotify\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DMServer.DMNotify\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Puk.PukBHO -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Puk.PukBHO.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Puk.PukBHO\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Puk.PukBHO\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.ActiveWindow -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.ActiveWindow.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.ActiveWindow\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.ActiveWindow\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.CSkinUI -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.CSkinUI.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.CSkinUI\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.CSkinUI\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WebBrowserSink -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WebBrowserSink.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WebBrowserSink\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WebBrowserSink\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WindowsHelper -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WindowsHelper.1 -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WindowsHelper\CLSID -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\SkinUI.WindowsHelper\CurVer -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cc2k -> Adware.CometCursor : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\AppID\DailyToolbar.DLL -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DailyToolbar.IEBand -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\DailyToolbar.SysMgr -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\IEToolbar.AffiliateCtl -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\NIX Solutions -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\NIX Solutions\DailyToolbar -> Adware.DailyToolbar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{F1FABE79-25FC-46de-8C5A-2C6DB9D64333} -> Adware.Generic : Cleaned with backup (quarantined).
     
  6. 2006/10/01
    Shorerider

    Ewido Report-Scan log continued...

    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\ADV -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\IST -> Adware.ISTBar : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\RespondMiter -> Adware.VX2 : Cleaned with backup (quarantined).
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Holistyc -> Dialer.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Holistyc\Amateur Movies-1221 -> Dialer.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Holistyc\Hardcore Movies-1093 -> Dialer.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Holistyc\Shortcuts -> Dialer.Generic : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047240.exe -> Downloader.Adload.aq : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047227.exe -> Downloader.Agent.akj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047249.exe -> Downloader.Agent.akj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047250.exe -> Downloader.Delf.ang : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047230.exe -> Downloader.Small.cjk : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047231.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047245.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047247.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047232.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047234.exe -> Downloader.Small.dbx : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP677\A0047530.exe -> Downloader.Small.dkt : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047238.exe -> Downloader.VB.aan : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047246.exe -> Downloader.VB.aeq : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP675\A0047417.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP675\A0047418.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup (quarantined).
    C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv469.jar-124dd1db-7821597b.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv514.jar-660bc3a5-60c20bb0.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\The Cauchi's\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv652.jar-21a93260-299a028d.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047239.dll -> Not-A-Virus.Hoax.Win32.VB.l : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047241.exe -> Not-A-Virus.Hoax.Win32.VB.l : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047242.exe -> Trojan.Regger.s : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP638\A0045179.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047228.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047229.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047235.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047236.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047237.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047243.exe -> Trojan.Small : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{3D0AB8C8-E7E6-4A23-B5FE-79EBC9A1C860}\RP671\A0047244.exe -> Trojan.Small : Cleaned with backup (quarantined).


    ::Report end
     
  7. 2006/10/01
    Shorerider

    HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 1:37:17 PM, on 10/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\sumsw32.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bigpond.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
    O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
    O2 - BHO: (no name) - {00000000-C1EC-0345-6EC2-4D0300000000} - (no file)
    O2 - BHO: (no name) - {00000000-F09C-02B4-6EC2-AD0300000000} - (no file)
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll (file missing)
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O2 - BHO: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - C:\WINDOWS\questmod.dll (file missing)
    O2 - BHO: (no name) - {8333c319-0669-4893-a418-f56d9249fca6} - (no file)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
    O2 - BHO: (no name) - {9c691a33-7dda-4c2f-be4c-c176083f35cf} - (no file)
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O2 - BHO: (no name) - {e52dedbb-d168-4bdb-b229-c48160800e81} - (no file)
    O2 - BHO: (no name) - {ffd2825e-0785-40c5-9a41-518f53a8261f} - (no file)
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe "
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe "
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Adware.Srv32] C:\WINDOWS\system32\runsrv32.exe
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
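The HijackThis log above is read by hand in this thread. As an added example (not code from the thread, from HijackThis or from any tool named here), the following Python script shows how a first-pass triage of such a log can be automated: it parses the O2 (BHO) and O4 (Run key) lines and flags the kinds of entries a helper looks at first, namely BHO CLSIDs still registered with no DLL behind them, Run entries whose executable name matches a file that SmitfraudFix reported later in this thread, entries under the Win9x-era RunServices key, and bare file names that are resolved through the search path. The sample lines are constructed from entries in the posted log, and the KNOWN_BAD_NAMES set is an assumption taken from the SmitfraudFix report below, not a general signature list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format of the HijackThis log posted above
# (entries copied from that log; this is not a complete log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-59D4-4008-9058-080011001200} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7b55bb05-0b4d-44fd-81a6-b136188f5deb} - C:\WINDOWS\questmod.dll (file missing)
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
"""

# File names SmitfraudFix reported as FOUND later in this thread. This set is
# an assumption for the example, not a general signature list.
KNOWN_BAD_NAMES = {"susp.exe", "runsrv32.exe", "sumsw32.exe"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    line: str
    reason: str


def _executable(cmd: str) -> str:
    """Return the executable part of a Run command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_bho(m: "re.Match") -> Optional[str]:
    """O2 entries: a CLSID still registered with no DLL behind it is an orphan."""
    target = m.group("target")
    if target == "(no file)" or target.endswith("(file missing)"):
        return "BHO registered but DLL absent: orphaned entry"
    if m.group("name") == "(no name)":
        return "unnamed BHO with DLL present: verify the publisher"
    return None


def triage_run(m: "re.Match") -> Optional[str]:
    """O4 entries: check the launched binary, the key it lives in, and how it resolves."""
    exe = _executable(m.group("cmd"))
    basename = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename in KNOWN_BAD_NAMES:
        return "executable name matches a file SmitfraudFix reported"
    if m.group("key").lower() == "runservices":
        return "RunServices is a Win9x-era key, not a standard XP autostart"
    if "\\" not in exe:
        return "bare file name, resolved via the search path: verify which binary runs"
    return None


def triage_hjt_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and return the O2/O4 lines worth a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            reason = triage_bho(m)
        else:
            m = O4_RE.match(line)
            reason = triage_run(m) if m else None
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run it as a script to see the four flagged lines from the sample; on a real log, feed the file contents to triage_hjt_log and replace KNOWN_BAD_NAMES with a maintained list. The heuristics deliberately stop at "worth a second look": an orphaned BHO is safe to remove, but a bare file name or an unnamed BHO still needs the binary checked before anything is deleted.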
  8. 2006/10/02
    TeMerc

    Ok, interesting log there from Ewido. Did you have the scan settings correctly applied? It looks as if it only searched the registry. It should have found all the files that Panda found.

    Now, from reading your first post in the other thread, it looks like you're infected with a SmitFraud variant, Anti-Spyware Soldier to be exact, so let's run the SmitFraud fix. The first part is below.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.
     
  9. 2006/10/02
    Shorerider

    SmitFraudFix Report.

    OK. I'm sure I followed your instructions as carefully as I could. If you need me to do it again I will.

    Thanks heaps for this. I really appreciate it.

    Here is the SmitfraudFix Report;

    SmitFraudFix v2.104

    Scan done at 2:23:53.18, Tue 10/03/2006
    Run from C:\HJT\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    C:\uniq FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\adware-sheriff-box.gif FOUND !
    C:\WINDOWS\adware-sheriff-header.gif FOUND !
    C:\WINDOWS\alexaie.dll FOUND !
    C:\WINDOWS\alxie328.dll FOUND !
    C:\WINDOWS\alxtb1.dll FOUND !
    C:\WINDOWS\antispylab-logo.gif FOUND !
    C:\WINDOWS\blue-bg.gif FOUND !
    C:\WINDOWS\BTGrab.dll FOUND !
    C:\WINDOWS\buy-now-btn.gif FOUND !
    C:\WINDOWS\close-bar.gif FOUND !
    C:\WINDOWS\corner-left.gif FOUND !
    C:\WINDOWS\corner-right.gif FOUND !
    C:\WINDOWS\dlmax.dll FOUND !
    C:\WINDOWS\facts.gif FOUND !
    C:\WINDOWS\footer.giff FOUND !
    C:\WINDOWS\free-scan-btn.gif FOUND !
    C:\WINDOWS\h-line-gradient.gif FOUND !
    C:\WINDOWS\header-bg.gif FOUND !
    C:\WINDOWS\infected.gif FOUND !
    C:\WINDOWS\info.gif FOUND !
    C:\WINDOWS\no-icon.gif FOUND !
    C:\WINDOWS\Pynix.dll FOUND !
    C:\WINDOWS\reg-freeze-box.gif FOUND !
    C:\WINDOWS\reg-freeze-header.gif FOUND !
    C:\WINDOWS\remove-spyware-btn.gif FOUND !
    C:\WINDOWS\spyware-sheriff-header.gif FOUND !
    C:\WINDOWS\spyware-sheriff-box.gif FOUND !
    C:\WINDOWS\star.gif FOUND !
    C:\WINDOWS\star-grey.gif FOUND !
    C:\WINDOWS\susp.exe FOUND !
    C:\WINDOWS\true-stories.gif FOUND !
    C:\WINDOWS\warning-bar-ico.gif FOUND !
    C:\WINDOWS\win-sec-center-logo.gif FOUND !
    C:\WINDOWS\windows-compatible.gif FOUND !
    C:\WINDOWS\yes-icon.gif FOUND !
    C:\WINDOWS\yod.htm FOUND !
    C:\WINDOWS\ZServ.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\a.exe FOUND !
    C:\WINDOWS\system32\alxres.dll FOUND !
    C:\WINDOWS\system32\bridge.dll FOUND !
    C:\WINDOWS\system32\CWS_iestart.exe FOUND !
    C:\WINDOWS\system32\dailytoolbar.dll FOUND !
    C:\WINDOWS\system32\jao.dll FOUND !
    C:\WINDOWS\system32\lfd.dat FOUND !
    C:\WINDOWS\system32\mirarsearch_toolbar.exe FOUND !
    C:\WINDOWS\system32\oiso.bin FOUND !
    C:\WINDOWS\system32\questmod.dll FOUND !
    C:\WINDOWS\system32\runsrv32.dll FOUND !
    C:\WINDOWS\system32\runsrv32.exe FOUND !
    C:\WINDOWS\system32\sumsw32.exe FOUND !
    C:\WINDOWS\system32\tcpservice2.exe FOUND !
    C:\WINDOWS\system32\txfdb32.dll FOUND !
    C:\WINDOWS\system32\udpmod.dll FOUND !
    C:\WINDOWS\system32\users32.exe FOUND !
    C:\WINDOWS\system32\winapi32.dll FOUND !
    C:\WINDOWS\system32\wstart.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Cauchi's


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\The Cauchi's\Application Data

    C:\Documents and Settings\The Cauchi's\Application Data\Microsoft\Internet Explorer\Quick Launch\Antispyware Soldier.lnk FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\THECAU~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

    C:\Program Files\secure32.html FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. 2006/10/02
    TeMerc

    Nice work, the scan went fine.

    This next step will require running Ewido again; let's double-check the scanner settings so we are sure to scan the entire drive.

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

    First off, let's update Ewido again, as there were already 3 today.

    Reboot, into safe mode, this way:
    Turn on the computer
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido
    Then please restart into normal Windows. Please post the contents of the SmitfraudFix log, located at C:\rapport.txt, into this thread, along with the Ewido report (please edit the Ewido report and remove all cookie references) and a new HijackThis log.
     
  11. 2006/10/03
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    Sorry for the late reply, but here goes....

    TeMerc,

    I did as you said, but when I got to this step: "If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK."
    I didn't get the option to select "Remove", so I just selected "Perform all actions". I went through it twice, but I still didn't get that option. I hope this was OK.

    Things seem to be OK/a lot better now, and my wallpaper has returned to normal after reselecting my chosen wallpaper. I have posted all reports/logs, and will wait for further instruction from you.

    Thank you once again, Shorerider.




    SmitfraudFix log;


    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End



    Ewido report (note this has not been edited at all)


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:29:10 AM 10/4/2006

    + Scan result:



    HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).


    ::Report end


    HijackThis log;

    Logfile of HijackThis v1.99.1
    Scan saved at 9:51:27 AM, on 10/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\WINDOWS\system32\dumprep.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  12. 2006/10/03
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, good work, looks like things are much better.

    We only have a couple of relatively minor items to remove.

    Please go to Add/Remove, and if found, uninstall the following:
    Comet
    MyWay


    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)

    O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL


    Reboot into Safe Mode, this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
    C:\Program Files\MyWay<<<<---this folder
    C:\Program Files\Comet<<<<---this folder

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
     
  13. 2006/10/03
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    New HJT log.

    Hi TeMerc,

    Here is the latest HJT log, hopefully with all things removed.

    Thanks heaps, Shorerider.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:15:33 PM, on 10/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll (file missing)
    O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-au\msntb.dll
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
    O4 - HKLM\..\Run: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\RunServices: [MSN MMISSENGER] mssmmspgr.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZU
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bigpond.com/
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = vic.bigpond.net.au
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = vic.bigpond.net.au
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
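    What a helper does by eye in the two posts above (spotting that the Active Setup key Ewido quarantined carries a "GUID" with non-hex letters in it, and comparing the post #11 and post #13 HijackThis logs to confirm that exactly the MyWay and Comet entries asked for in post #12 are gone) can be scripted. The following is an added example and is not code from the thread or from HijackThis/Ewido; the log excerpts it carries are constructed from lines quoted above, the regexes only cover the O2/O3/O4/O9/O18 line shapes shown in these logs, and the expected-fix set is an assumption drawn from TeMerc's post #12.

```python
"""Added example, not part of the original thread: a small HijackThis
log checker.  It parses the O2/O3/O4/O9/O18 line families shown in the
thread, flags entries whose CLSID is not a well-formed GUID (the Active
Setup key Ewido quarantined has non-hex letters in its "GUID") or whose
target file is reported missing, and diffs a before/after pair of logs
so the reviewer can confirm that exactly the entries asked to be fixed
are gone.  The log excerpts below are constructed from lines quoted in
the thread."""
import re

# "O2 - BHO: name - {CLSID} - path" style lines (also O3, O9, O18).
CLSID_LINE = re.compile(
    r"^(?P<kind>O\d+) - (?P<type>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[^}]+\}) - (?P<target>.*)$"
)
# "O4 - HKLM\..\Run: [name] command" style lines.
RUN_LINE = re.compile(
    r"^(?P<kind>O4) - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"
)
# A genuine GUID is 8-4-4-4-12 hexadecimal digits and nothing else.
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Constructed excerpt of the post #11 log (before the post #12 fixes).
BEFORE_LOG = r"""
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {35E78239-811E-4c3f-B37D-F339AC16C2C0} - C:\PROGRA~1\Comet\bin\autosearch.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# Constructed excerpt of the post #13 log (after the fixes).
AFTER_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

# The registry key named in the Ewido report above.
EWIDO_KEY = (r"HKU\S-1-5-21-657795437-1532908729-4079810017-1006\Software\Microsoft"
             r"\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}")

# Assumption: the entries TeMerc asked to have fixed in post #12 are the
# ones pointing at MyWay or Comet.
EXPECTED_FIXED = {line.strip() for line in BEFORE_LOG.splitlines()
                  if "MyWay" in line or "Comet" in line}


def parse_entries(log_text):
    """Return one dict per recognised HJT 'O' line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = CLSID_LINE.match(line) or RUN_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["raw"] = line
            entries.append(entry)
    return entries


def is_valid_guid(text):
    """True only for a syntactically correct {GUID}."""
    return bool(GUID.match(text))


def key_guid(registry_path):
    """Trailing {GUID} component of a registry key path."""
    return registry_path.rsplit("\\", 1)[-1]


def suspicious(entries):
    """Flag malformed CLSIDs and entries whose target file is gone."""
    findings = []
    for e in entries:
        clsid = e.get("clsid")
        if clsid and not is_valid_guid(clsid):
            findings.append(("malformed CLSID", e["raw"]))
        if "(file missing)" in e["target"]:
            findings.append(("file missing", e["raw"]))
    return findings


def diff_logs(before_text, after_text):
    """(removed, added) sets of raw entry lines between two logs."""
    before = {e["raw"] for e in parse_entries(before_text)}
    after = {e["raw"] for e in parse_entries(after_text)}
    return before - after, after - before


def verify_fix(before_text, after_text, expected_removed):
    """(removed without being asked, asked for but still present)."""
    removed, _added = diff_logs(before_text, after_text)
    return removed - expected_removed, expected_removed - removed


if __name__ == "__main__":
    for reason, line in suspicious(parse_entries(BEFORE_LOG)):
        print(f"{reason}: {line}")
    print("Ewido key GUID well-formed?", is_valid_guid(key_guid(EWIDO_KEY)))
    unexpected, still_present = verify_fix(BEFORE_LOG, AFTER_LOG, EXPECTED_FIXED)
    print("removed without being asked:", sorted(unexpected))
    print("asked for but still present:", sorted(still_present))
```

    Run against these excerpts, the diff reports that the three MyWay/Comet entries are gone and that one further line, the [!ewido] Run entry, also disappeared between the two logs, which matches the two logs as posted (Ewido's own startup entry is absent from the post #13 log). The Ewido-quarantined key fails the GUID check because Y, O, T, R, W, U, G, H and S are not hexadecimal digits, which is a cheap tell worth applying to any CLSID-keyed entry in a log.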
  14. 2006/10/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Everything is looking good, how is the machine performing at this point, any more troubles to address? Let us know.

    We'll now commence with some recommendations.

    We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYAD below.

    To avoid known malware-infested sites from loading in IE, install IE-SPYAD.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.1.

    Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
  15. 2006/10/04
    Shorerider

    Shorerider Inactive Thread Starter

    Joined:
    2006/09/30
    Messages:
    93
    Likes Received:
    0
    All is well again.

    Hi TeMerc,

    Well, things are finally back to normal, and I have YOU to thank for it. So THANK YOU!!!!!!!! If there is anything I can ever do for you (obviously NOT computer related, as you seem to have things covered there....ha, ha), please don't hesitate to ask. I feel like I owe you so much.

    I will install the recommended adware/spyware apps, and hopefully keep those pests at bay.

    Once again, thank you, your friend for life, Paul, from the land Down Under. (Aus)
     
  16. 2006/10/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad we could be of assistance, Paul.

    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     