I've read a couple of posts on trying to get rid of this one. I've done the virus scans. One listed it as win32/spax!generic but reading through the help on that site it said it was likely win32/beovens. Below is the hijackthis file...

Logfile of HijackThis v1.99.1
Scan saved at 7:48:03 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\isamini.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001YYCA_ZBzeb032YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Go to Add/Remove Programs and remove the following if they are there:
Wild Tangent
Intcodec
mywebsearch

Download the Pocket Killbox
http://www.bleepingcomputer.com/files/killbox.php

Download ewido
http://www.ewido.net/en/

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Click here to download ATF Cleaner by Atribune and save it to your desktop.
http://majorgeeks.com/ATF_Cleaner_d4949.html

* Double-click ATF-Cleaner.exe to run the program.
* Under Main choose: Select All
* Click the Empty Selected button.
  o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
* Click Exit on the Main menu to close the program.

* Click here for info on how to boot to safe mode if you don't already know how.
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam
* Now copy these instructions to Notepad and save them to your desktop. You will need them to refer to in safe mode.
* Restart your computer into safe mode now. Perform the following steps in safe mode:

Have HijackThis fix these entries. Close all browsers and programmes before clicking FIX.

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.
Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\isamini.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec
C:\WINDOWS\system32\viruxz.dll
C:\PROGRA~1\MYWEBS~1

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non-infected computer will remove your Desktop background.

Run Ewido!
# IMPORTANT: Do not open any other windows or programs while Ewido is scanning, as it may interfere with the scanning process:
# Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
# Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
# Ewido will now begin the scanning process. Be patient, this may take a little time.
Once the scan is complete do the following:
# If you have any infections you will be prompted; set everything to quarantine, then select "Apply all actions".
# Next select the "Reports" icon at the top.
# Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
# Close Ewido and reboot your system back into Normal Mode.

Post another HijackThis log, the ewido log and the SmitfraudFix log.
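As an added example, not part of this thread and not code from HijackThis or any of the tools named above: a small Python script that parses HijackThis log lines like those posted here and flags the entries a helper would look at first: paths matching the items maca1 asked to have fixed (IntCodec, MyWebSearch, WildTangent, viruxz.dll), entries marked "(file missing)", and unnamed browser extensions. It also compares a "before" and an "after" log to show which flagged entries survive a cleanup, which is what happens when the files are deleted but the registry entries that load them are left behind. The sample lines are copied from the logs in this thread; the indicator list is an assumption drawn from the fix list, not a general signature set.

```python
"""Triage helper for HijackThis-style logs (added example, not the tool's own code).

The indicator list is an assumption taken from the fix list in this thread,
not a general signature database. Sample log lines are copied from the thread.
"""
import re

# One log entry: section tag (R0, O2, O23 ...), then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<sect>[RO]\d+) - (?P<body>.*)$")
# A COM CLSID in braces; used as a stable key for BHO/toolbar/SSODL entries.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Lower-cased path fragments the helper asked to remove (assumed indicator list).
INDICATORS = ("\\intcodec\\", "mywebsearch", "mywebs~1", "wildtangent", "viruxz.dll")

# Constructed sample: a subset of the first HijackThis log in the thread.
BEFORE_LOG = r'''
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll
'''

# Constructed sample: a subset of the second log, after the files were deleted.
AFTER_LOG = r'''
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
'''


def parse_hjt(text):
    """Return (section, body) tuples for each entry line.

    Header lines and the running-process list do not match ENTRY_RE and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("sect"), m.group("body")))
    return entries


def triage(entries):
    """Flag entries worth a second look; returns (section, body, reasons) tuples."""
    flagged = []
    for sect, body in entries:
        low = body.lower()
        reasons = []
        if any(ind in low for ind in INDICATORS):
            reasons.append("matches known-unwanted path")
        if "(file missing)" in low:
            # The file is gone but the registry entry still tries to load it at start-up.
            reasons.append("orphaned entry (file missing)")
        if "(no name)" in low and sect in ("R3", "O2", "O3"):
            # Legitimate search hooks, BHOs and toolbars normally register a name.
            reasons.append("unnamed browser extension")
        if reasons:
            flagged.append((sect, body, reasons))
    return flagged


def entry_key(sect, body):
    """Stable identity for an entry: the CLSID when present, otherwise the body text."""
    m = CLSID_RE.search(body)
    return (sect, m.group(0).lower() if m else body.lower())


def still_present(before_text, after_text):
    """Flagged entries from the before log that still appear in the after log."""
    after_keys = {entry_key(s, b) for s, b in parse_hjt(after_text)}
    return [(s, b) for s, b, _ in triage(parse_hjt(before_text))
            if entry_key(s, b) in after_keys]


if __name__ == "__main__":
    for sect, body, reasons in triage(parse_hjt(BEFORE_LOG)):
        print(f"{sect}: {body}\n    -> {', '.join(reasons)}")
    print("\nStill present after cleanup:")
    for sect, body in still_present(BEFORE_LOG, AFTER_LOG):
        print(f"{sect}: {body}")
```

Keying entries by CLSID rather than by path is deliberate: once the file has been deleted the body text changes (the "(file missing)" suffix is appended), but the registry entry that HijackThis is reporting is the same object, so the CLSID is what tells you the fix step was skipped or failed.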
Thanks maca1 for the fast reply. I followed the directions as closely as I could. One question I have is, does it matter if I executed all your directions as administrator? I couldn't figure out for the life of me how to sign on as the administrator in XP. I only found it in the safe mode as a choice... anyway. Here are the reports as requested.

Logfile of HijackThis v1.99.1
Scan saved at 7:04:24 PM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Desktop\HijackThis_v1.99.1.exe

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:06:53 PM 8/17/2006

+ Scan result:

HKLM\SOFTWARE\Altnet -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Altnet\Dashboard -> Adware.Altnet : Error during cleaning.
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Adware.Altnet : Error during cleaning.
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Multimpp -> Adware.BetterInternet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_2540 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_2\Seqn_2539 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_2\Seqn_2542 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_3\Seqn_2538 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_3\Seqn_2541 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2523 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2524 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2526 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2530 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2531 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2543 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_2544 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3165 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3166 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3167 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3168 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3169 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3170 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3171 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3218 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3224 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3225 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3235 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3251 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3252 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3253 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3442 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3443 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_4\Seqn_3444 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_2307 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_2309 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_2311 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_2312 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_2313 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_2882 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_3221 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_4\Seqn_3222 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_2540 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_2\Seqn_2539 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_2\Seqn_2542 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_3\Seqn_2538 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_3\Seqn_2541 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2523 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2524 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2530 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2531 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2543 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_2544 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3165 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3166 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3167 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3168 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3169 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3170 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3171 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3218 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3224 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3225 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3239 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3251 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3252 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3253 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3442 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3443 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_4\Seqn_3444 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Adware.Cydoor : Cleaned with backup (quarantined). 
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_2540 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_2 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_2\Seqn_2539 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_2\Seqn_2542 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_3\Seqn_2538 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_3\Seqn_2541 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2523 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2524 -> Adware.Cydoor : Cleaned with backup (quarantined). 
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2530 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2531 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2543 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_2544 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3165 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3166 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3167 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3168 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3169 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3170 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3171 -> Adware.Cydoor : Cleaned with backup (quarantined). 
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3218 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3224 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3225 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3240 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3251 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3252 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3253 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3442 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3443 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_4\Seqn_3444 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Adware.Cydoor : Cleaned with backup (quarantined). 
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_2909 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_3 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_3\Seqn_3557 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_3\Seqn_3558 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_3\Seqn_3559 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_3220 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_3254 -> Adware.Cydoor : Cleaned with backup (quarantined). HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_3255 -> Adware.Cydoor : Cleaned with backup (quarantined). 
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_3256 -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Adware.Cydoor : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1DA7DBE8-C51B-4AE4-BC6E-21863349B0B4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1DA7DBE8-C51B-4AE4-BC6E-21863349B0B4} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A2595F37-48D0-46A1-9B51-478591A97764} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.IntCodec : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : Cleaned with backup (quarantined).
HKU\S-1-5-21-1275210071-1303643608-839522115-1008\Software\Internet Security -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
C:\Downloads\CakeManiaSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Cookies\monica@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Cookies\monica@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@need2find[1].txt -> TrackingCookie.Need2find : Cleaned.
C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@starware[2].txt -> TrackingCookie.Starware : Cleaned.
C:\RECYCLER\NPROTECT\00015890.TXT -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\NPROTECT\00014559.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014560.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014561.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014562.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014563.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014564.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014565.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014566.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014567.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014568.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014569.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014570.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014571.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014572.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014573.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014574.TXT -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\NPROTECT\00014575.TXT -> TrackingCookie.Zedo : Cleaned.

::Report end

SmitFraudFix v2.81

Scan done at 19:13:07.90, Thu 08/17/2006
Run from C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"bestreak"="{874443fe-aa33-4ebf-a6ac-73208787e62d}"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\IntCodec\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End
No, it shouldn't matter.

Run HijackThis and click "Do a system scan only". Place a check beside the following:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - C:\Program Files\IntCodec\isaddon.dll (file missing)
O3 - Toolbar: Protection Bar - {a2595f37-48d0-46a1-9b51-478591a97764} - C:\Program Files\IntCodec\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)

Make sure all other windows are closed and click "Fix Checked".

Click here to download Java Runtime Environment (JRE) 5.0 Update 8: http://java.sun.com/javase/downloads/index.jsp
Go to Add/Remove Programs and remove all previous versions of Java, then install the new version.

Post a new HijackThis log.
I finished all as requested. One question: I have two different Java products still on the Add/Remove list. They looked different than all the other ones I removed. They are listed as:

Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06

Should I remove these two as well? When I tried removing the J2SE environment 5 update 4 it said something about removing w32.myzor.fk@yf first. I had to choose ignore to be able to remove that version of Java.

Here is the HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 10:11:59 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001YYCA_ZBzeb032YYCA
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Yes, remove them.

Check and fix this with HJT:

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001YYCA_ZBzeb032YYCA

Use ATF Cleaner again, then run the ActiveScan online virus scan: http://www.pandasoftware.com/products/activescan.htm
When the scan is finished, save the results from the scan!

Come back here and post a new HijackThis log along with the log from the Panda scan.
Here are the results of the Panda scan and the HijackThis...

Incident Status Location
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32a.sys
Potentially unwanted tool:application/funweb Not disinfected c:\program files\FunWebProducts
Potentially unwanted tool:application/mywebsearch Not disinfected c:\program files\MyWebSearch
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\Altnet
Adware:adware/rxtoolbar not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/intcodec Not disinfected Windows Registry
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@belnk[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@desktop.kazaa[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@dist.belnk[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@kount[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@rn11[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@searchportal.information[1].txt
Adware:Adware/FlashTrack Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Local Settings\Temporary Internet Files\Content.IE5\NWXTB4CK\channels_02[1].gif
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@mediaplex[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]

Logfile of HijackThis v1.99.1
Scan saved at 11:35:45 PM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
You may want to copy these instructions as you'll be going into safe mode soon.

Restart your computer into safe mode now. (Tapping F8 at the first black screen)

Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

c:\windows\smdat32a.sys
c:\program files\FunWebProducts
c:\program files\MyWebSearch
C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Local Settings\Temporary Internet Files\Content.IE5\NWXTB4CK

post another log
When I used Killbox to delete the files you suggested they were all there, as opposed to last time when not one of the files was present. I don't know if that makes any difference... Here are the latest scan files.

Panda...

Incident Status Location
Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\uninstall\MyWebSearch bar Uninstall
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\Altnet
Potentially unwanted tool:application/funweb Not disinfected hkey_local_machine\software\Fun Web Products
Adware:adware/rxtoolbar Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/intcodec Not disinfected Windows Registry
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\MyWebSearch\bar\Game\CHECKERS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\MyWebSearch\bar\Game\CHESS.F3S
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\!KillBox\MyWebSearch\bar\Game\REVERSI.F3S
Adware:Adware/FlashTrack Not disinfected C:\!KillBox\NWXTB4CK\channels_02[1].gif
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@belnk[1].txt
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@desktop.kazaa[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@dist.belnk[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@kount[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@rn11[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Leah.LORRIN-Z3VR74T8\Cookies\leah@searchportal.information[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@ad.yieldmanager[2].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@ads.pointroll[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@atdmt[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@doubleclick[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@perf.overture[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@tribalfusion[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Cookies\lorrin@www.burstbeacon[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lorrin.LORRIN-Z3VR74T8\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Monica.LORRIN-Z3VR74T8\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]

hijack this

Logfile of HijackThis v1.99.1
Scan saved at 12:43:02 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PowerMenu] "%systemroot%\system32\powermenu.exe" -hideself on
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
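As an added example (not code from this thread or from HijackThis itself), a small Python parser for the HijackThis log format that does what the helper does by hand across the posts above: it diffs two successive logs and flags process paths or entries that mention the items Panda reported. The two log excerpts are constructed from entries in this thread, and the indicator substrings are an assumption drawn from the thread's findings, not a vetted signature list.

```python
import re
from dataclasses import dataclass

# One HijackThis entry per line, e.g. "O4 - HKLM\..\Run: [ccApp] ..."
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Assumed indicator substrings, taken from what Panda and the helper
# called out in this thread (MyWebSearch/FunWebProducts, smdat32*.sys, IntCodec).
INDICATORS = ("mywebsearch", "funwebproducts", "smdat32", "intcodec")


@dataclass(frozen=True, order=True)
class Entry:
    section: str  # "R0", "O4", "O23", ...
    detail: str   # everything after "O4 - "


# Constructed excerpts in HijackThis layout (not the full logs from the thread).
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:48:03 AM, on 8/17/2006
Running processes:
C:\Program Files\IntCodec\isamonitor.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001YYCA_ZBzeb032YYCA
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:35:45 PM, on 8/18/2006
Running processes:
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into (process paths, R/F/O entries)."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True          # process paths follow until the first entry
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def diff_logs(old_text, new_text):
    """Report which processes and entries appeared or disappeared between two runs."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    return {
        "processes_added": sorted(set(new_p) - set(old_p)),
        "processes_removed": sorted(set(old_p) - set(new_p)),
        "entries_added": sorted(set(new_e) - set(old_e)),
        "entries_removed": sorted(set(old_e) - set(new_e)),
    }


def flag_indicators(text):
    """Return process paths and entry lines that mention a known indicator."""
    processes, entries = parse_hjt(text)
    candidates = processes + [f"{e.section} - {e.detail}" for e in entries]
    return [c for c in candidates if any(i in c.lower() for i in INDICATORS)]


if __name__ == "__main__":
    for key, value in diff_logs(OLD_LOG, NEW_LOG).items():
        print(key, value)
    print("flagged in old log:", flag_indicators(OLD_LOG))
    print("flagged in new log:", flag_indicators(NEW_LOG))
```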