Please help me fix what my daughter did to our computer! Here is my Hijack file. Logfile of HijackThis v1.99.1 Scan saved at 6:13:55 PM, on 6/29/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\ps2.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Zone Labs\Integrity Client\iclient.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\regsvr32.exe C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe C:\WINDOWS\system32\regsvr32.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: hp center UI.lnk.disabled O4 - Global Startup: hp center.lnk.disabled O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe O4 - Global Startup: Kodak EasyShare software.lnk.disabled O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117877523967 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145942240953 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4795/mcfscan.cab O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll C:\WINDOWS\system32\nopdb.dll O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g2065296.dll O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
Hi stang67 Download and install Ewido Anti-Spyware 4.0 -> http://www.ewido.net/en/download/ -> Open Ewido Anti-Spyware -> Click the Update icon at the top of the window -> Click the Start update button -> Wait for the update to download and install -> Quit the program, we'll use this later. Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip Unzip it to your desktop. Run Killbox.exe -> Choose Delete on Reboot -> Click All Files option. Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy) C:\WINDOWS\system32\nopdb.dll C:\WINDOWS\g2065296.dll C:\WINDOWS\SYSTEM32\winzzc32.dll Then go back to Killbox -> go to File -> choose Paste from Clipboard -> Click the red-white Delete File option. -> Click Yes to Delete on Reboot question -> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!) -> Restart your computer if Killbox won't do it. (If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe form here to your desktop and run the file, then try running killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) Scan hijack and check: R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http... R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost R3 - Default URLSearchHook is missing O20 - AppInit_DLLs: C:\WINDOWS\system32\regsvr32.dll C:\WINDOWS\system32\nopdb.dll O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g2065296.dll O20 - Winlogon Notify: winzzc32 - C:\WINDOWS\SYSTEM32\winzzc32.dll Close all programs exept hijack and click Fix checked. Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml -> Open Ewido Anti-Spyware -> Click the Scanner icon at the top of the window -> Click the Settings tab then select Recommended Options and choose Quarantine -> Click the Scan tab -> Select Complete System Scan. The scanning begins. -> When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop. -> Copy and paste the scan results into your next post
Did what you asked and here is the ewido and new HJT reports. ewido: ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 9:36:53 PM 6/30/2006 + Scan result: C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : No action taken. C:\Program Files\F�nts\nslookup.exe -> Adware.PurityScan : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007742.dll -> Adware.PurityScan : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007743.dll -> Adware.PurityScan : No action taken. C:\WINDOWS\SYSTEM32\hgghecy.dll -> Adware.Virtumonde : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0002264.exe -> Dialer.Intexdial : No action taken. C:\!KillBox\g2065296.dll -> Downloader.Delf.amb : No action taken. C:\!KillBox\g2065296.dll( 1) -> Downloader.Delf.amb : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007754.dll -> Downloader.Delf.amb : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007755.dll -> Downloader.Delf.amb : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007756.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g1013718.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g1298968.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g172093.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g1730000.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g1830203.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g2198078.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g2669843.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g284390.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g3171218.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g3991859.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g407093.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g407515.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g411640.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g529625.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g530187.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g530203.dll -> Downloader.Delf.amb : No action taken. C:\WINDOWS\g888468.dll -> Downloader.Delf.amb : No action taken. C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP5\A0002182.exe -> Downloader.PurityScan.cq : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007731.exe -> Downloader.Zlob.vd : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.2o7 : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq504.tmp -> TrackingCookie.2o7 : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> TrackingCookie.Adserver : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> TrackingCookie.Adserver : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Advertising : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Advertising : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Advertising : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Advertising : No action taken. :mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s7vyuvsf.default\cookies.txt -> TrackingCookie.Atdmt : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Atdmt : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq80.tmp -> TrackingCookie.Atdmt : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Bfast : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Bfast : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Bluestreak : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Bridgetrack : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp -> TrackingCookie.Bridgetrack : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Burstnet : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Casalemedia : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Casalemedia : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Centrport : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> TrackingCookie.Centrport : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp -> TrackingCookie.Clickbank : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> TrackingCookie.Com : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq773.tmp -> TrackingCookie.Com : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> TrackingCookie.Coremetrics : No action taken. :mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\s7vyuvsf.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Doubleclick : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> TrackingCookie.Doubleclick : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp -> TrackingCookie.Falkag : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> TrackingCookie.Falkag : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Fastclick : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> TrackingCookie.Fastclick : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Hitbox : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> TrackingCookie.Hitbox : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Hitbox : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> TrackingCookie.Hitbox : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp -> TrackingCookie.Hypertracker : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Mediaplex : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> TrackingCookie.Mediaplex : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Questionmarket : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq81.tmp -> TrackingCookie.Questionmarket : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> TrackingCookie.Realtracker : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq255.tmp -> TrackingCookie.Ru4 : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> TrackingCookie.Ru4 : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.Serving-sys : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> TrackingCookie.Serving-sys : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> TrackingCookie.Serving-sys : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Serving-sys : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> TrackingCookie.Sextracker : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp -> TrackingCookie.Sextracker : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> TrackingCookie.Statcounter : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp -> TrackingCookie.Trafficmp : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Tribalfusion : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> TrackingCookie.Tribalfusion : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Valueclick : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq774.tmp -> TrackingCookie.Webtrendslive : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq258.tmp -> TrackingCookie.Zedo : No action taken. C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6C.tmp -> TrackingCookie.Zedo : No action taken. C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007751.dll -> Trojan.Agent.vg : No action taken. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SHIV8LYZ\bgates[1].exe -> Trojan.Dialer.pz : No action taken. ::Report end And HJT: Logfile of HijackThis v1.99.1 Scan saved at 10:00:23 PM, on 6/30/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ps2.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Zone Labs\Integrity Client\iclient.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: hp center UI.lnk.disabled O4 - Global Startup: hp center.lnk.disabled O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe O4 - Global Startup: Kodak EasyShare software.lnk.disabled O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117877523967 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145942240953 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4795/mcfscan.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe Thanks for the help so far!!!
Sorry to say, as you see ewido didn't delete anything Do scan by ewido again, and allow Ewido do recommended option . Send Ewido raport and a fresh hijack log
It seemed to do more this time. Here are the logs. ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 5:35:29 PM 7/1/2006 + Scan result: C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined). C:\Program Files\Fоnts\nslookup.exe -> Adware.PurityScan : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007742.dll -> Adware.PurityScan : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007743.dll -> Adware.PurityScan : Cleaned with backup (quarantined). C:\WINDOWS\SYSTEM32\hgghecy.dll -> Adware.Virtumonde : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP8\A0002264.exe -> Dialer.Intexdial : Cleaned with backup (quarantined). C:\!KillBox\g2065296.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\!KillBox\g2065296.dll( 1) -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007754.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007755.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007756.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g1013718.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g1298968.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g172093.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g1730000.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g1830203.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g2198078.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g2669843.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g284390.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g3171218.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g3991859.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g407093.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g407515.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g411640.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g529625.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g530187.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g530203.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\WINDOWS\g888468.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined). C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP5\A0002182.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007731.exe -> Downloader.Zlob.vd : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq504.tmp -> TrackingCookie.2o7 : Cleaned with backup (quarantined). C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[2].txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq59.tmp -> TrackingCookie.Adserver : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5D.tmp -> TrackingCookie.Adserver : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq36.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3C.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Advertising : Cleaned with backup (quarantined). C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq16.tmp -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq80.tmp -> TrackingCookie.Atdmt : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq15.tmp -> TrackingCookie.Bfast : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq55.tmp -> TrackingCookie.Bfast : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq52.tmp -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4D.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq66.tmp -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq56.tmp -> TrackingCookie.Burstnet : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq57.tmp -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6B.tmp -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq38.tmp -> TrackingCookie.Centrport : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq60.tmp -> TrackingCookie.Centrport : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp -> TrackingCookie.Clickbank : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5B.tmp -> TrackingCookie.Com : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq773.tmp -> TrackingCookie.Com : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq39.tmp -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq17.tmp -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3A.tmp -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined). C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1.tmp -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq68.tmp -> TrackingCookie.Falkag : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq64.tmp -> TrackingCookie.Fastclick : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq61.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq62.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq69.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6A.tmp -> TrackingCookie.Hitbox : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp -> TrackingCookie.Hypertracker : Cleaned with backup (quarantined). C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1C.tmp -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq58.tmp -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined). C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined). C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1A.tmp -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq81.tmp -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6E.tmp -> TrackingCookie.Realtracker : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq255.tmp -> TrackingCookie.Ru4 : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3B.tmp -> TrackingCookie.Ru4 : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5F.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq63.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq82.tmp -> TrackingCookie.Sextracker : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq83.tmp -> TrackingCookie.Sextracker : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6F.tmp -> TrackingCookie.Statcounter : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq104.tmp -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq53.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5C.tmp -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq1B.tmp -> TrackingCookie.Valueclick : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq774.tmp -> TrackingCookie.Webtrendslive : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq258.tmp -> TrackingCookie.Zedo : Cleaned with backup (quarantined). C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6C.tmp -> TrackingCookie.Zedo : Cleaned with backup (quarantined). C:\System Volume Information\_restore{593172EE-14D9-4262-8426-24BF2115D284}\RP19\A0007751.dll -> Trojan.Agent.vg : Cleaned with backup (quarantined). ::Report end And the HJT Log: Logfile of HijackThis v1.99.1 Scan saved at 5:37:10 PM, on 7/1/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\ps2.exe C:\PROGRA~1\SYMANT~1\VPTray.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Zone Labs\Integrity Client\iclient.exe C:\Program Files\Symantec AntiVirus\DefWatch.exe C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Symantec AntiVirus\Rtvscan.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\Program Files\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKLM\..\Run: [!ewido] "C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: hp center UI.lnk.disabled O4 - Global Startup: hp center.lnk.disabled O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe O4 - Global Startup: Kodak EasyShare software.lnk.disabled O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1117877523967 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145942240953 O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,1,0,4795/mcfscan.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Documents and Settings\Owner\Desktop\Spyware Removal\ewido anti-spyware 4.0\guard.exe O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe Thanks!
Thanks! Just to be sure, the last time I ran ewido I wasn't in safe mode, should I redo it in safe mode? Thanks