Spybot report says I have CWS. I ran Cwshredder and it says it fixed. Next on boot up spybot says I got it again. Could someone look at this mess..

Logfile of HijackThis v1.99.1
Scan saved at 7:34:48 AM, on 8/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNEW\System32\smss.exe
C:\WINNEW\system32\csrss.exe
C:\WINNEW\system32\winlogon.exe
C:\WINNEW\system32\services.exe
C:\WINNEW\system32\lsass.exe
C:\WINNEW\system32\svchost.exe
C:\WINNEW\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINNEW\System32\svchost.exe
C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8082\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$COSSNET8083\Binn\sqlservr.exe
C:\WINNEW\system32\MSTask.exe
C:\WINNEW\system32\stisvc.exe
C:\WINNEW\system32\ZoneLabs\vsmon.exe
C:\WINNEW\System32\WBEM\WinMgmt.exe
C:\WINNEW\system32\mspmspsv.exe
C:\WINNEW\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNEW\System32\svchost.exe
C:\WINNEW\Explorer.EXE
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\TARISS\MainMenu\MainMenu.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\iolo\System Mechanic 6\SMTrayNotify.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://eagent.farmersinsurance.com/siteminderagent/forms/login.fcc?TYPE=33554433&REALMOID=06-61e35b5c-d164-11d6-8916-00d0b77e517a&GUID=&SMAUTHREASON=0&TARGET=$SM$https://eagent.farmersinsurance.com/PLA/eAgent/Ade/ade?req_page=home (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe 7\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNEW\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\DELL\Dell Laser MFP 1600n\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~3\VetTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\ca.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SystemGuardAlerter] SystemGuardAlerter.exe
O4 - HKLM\..\Run: [SpybotSnD] "D:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\msconfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: TexasMainMenu.lnk = C:\Program Files\TARISS\MainMenu\MainMenu.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted IP range: http://127.0.0.1
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker.com/send/file/128985-NZIL/PhPSetup.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAgent/eAutoE/commonActiveX/smsx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {354D91A8-E3C9-491F-BB89-0FB27DEEED86} (ImgXTwain6.ImgXTwain) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXTwain61.cab
O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgXDialog61.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1148476592656
O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl (CAB)) - https://eagent.farmersinsurance.com/PLA/eAgent/scv/commonActiveX/ImgX61.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNEW\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNEW\system32\ZoneLabs\vsmon.exe

Scan stopped three times, with error reports saying unexpected procedure call failed inigetstring etc. Any help appreciated.

Spunky
Hmm... Run a scan only with HijackThis, fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Try ridding it one more time. Then post an Ewido log if it still remains.
Thank you Niob, I did what you suggested. Ran Cwshredder again and it said it could not find anything. I deleted the 2 entries you suggested. Here is the report for both;

For your info, when I came in this am I ran spybot as usual and ewido and it said I have cws again and it deleted it. This was before I read your email. Maybe I shouldn't do that till we get a fix??

Thanks for the assistance

Spunky
Niobis; I have to leave my office and will not be back till late, but I do want to try and get rid of this annoyance. I will follow any new instructions as soon as I can.

Spunky
here's the Ewido report ewido anti-spyware - Scan Report --------------------------------------------------------- + Created at: 8:11:58 PM 8/21/2006 + Scan result: D:\Backups\DVD2\DVD-2\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : No action taken. C:\Documents and Settings\Administrator.FARMERS-HLMCHHR\My Documents\Blondes\Downloads\Spyware Blaster\Uninstall Newdot~1.dll\uninstall4_50.exe -> Adware.NewDotNet : No action taken. D:\DownLoads\Spyware Blaster\Uninstall Newdot~1.dll\uninstall4_50.exe -> Adware.NewDotNet : No action taken. C:\Downloads\password recovery\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : No action taken. C:\Downloads\password recovery\pspv132.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : No action taken. D:\Backups\pwdump3.zip/LsaExt.dll -> Not-A-Virus.PSWTool.Win32.PWDump.3 : No action taken. D:\Backups\pwdump3.zip/PwDump3.exe -> Not-A-Virus.PSWTool.Win32.PWDump.3 : No action taken. D:\Backups\pwdump3.zip/pwservice.exe -> Not-A-Virus.PSWTool.Win32.PWDump3 : No action taken. D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : No action taken. D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : No action taken. :mozilla.92:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken. :mozilla.93:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken. :mozilla.94:\Backups\DVD1\DVD-1\Documents and Settings\Carl Martin\Application Data\Mozilla\Profiles\Default User\gkoqoz0o.slt\cookies.txt -> TrackingCookie.2o7 : No action taken. 
::Report end

done in safe mode
You said CWShredder found nothing...? Is Spybot still finding it?

After removing CWS you may also have to restore your Internet Explorer settings to return your computer to its operating state before the CWS variant hijacked your browser. To do this:

Open up Internet Explorer.
Select "Tools > Internet Options" from the Internet Explorer menu.
Choose the "Programs" tab.
Select the "Reset Web Settings" button.
After choosing this button the "Reset Web Settings" dialog box will appear. Scroll down and make sure that the "Also reset my home page" box is checked.
Select "Yes" and click "OK".

Also, even though it has nothing to do with CWS, you should delete the tracking cookies found by Ewido. Then, run a scan with HijackThis and fix this one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

Let me know if Spybot is still finding it; if so, you've got a bad variant of this POS and I'll look more into it for you.
Hi Maca:

Sorry it has taken so long to get back with you. It has been a busy day which has kept me away from the system. Yes, Spybot still finds CWS. I did try to see if I could print that report, but all I could do was a screen capture. The first line states Coolwwwsearch.bootconf: IE start page (registry change nothing done) Hke_Userss-1-5-21-1085031214-861567501-1417001333-500\software\microsoft\interner explorer\main\start-page=about:blank. It also says repaired again after I click fix.

Ewido

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:08:41 PM 8/23/2006
+ Scan result:

C:\Downloads\password recovery\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : Cleaned.
C:\Downloads\password recovery\pspv132.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassViewer.e : Cleaned.
D:\Backups\pwdump3.zip/LsaExt.dll -> Not-A-Virus.PSWTool.Win32.PWDump.3 : Cleaned.
D:\Backups\pwdump3.zip/PwDump3.exe -> Not-A-Virus.PSWTool.Win32.PWDump.3 : Cleaned.
D:\Backups\pwdump3.zip/pwservice.exe -> Not-A-Virus.PSWTool.Win32.PWDump3 : Cleaned.
D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/RAS.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned.
D:\Backups\DVD2\DVD-2\Downloads\4-24-04\rockxp.exe/xpkey.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : Cleaned.

::Report end

I asked the software to delete the 4 errors and then I got a notice that one error is still on the D drive, and after I send this message I will go to delete it.
The D drive error message is: D:\Backups\pwdump3.zip/pwservice.exe

hjt

Logfile of HijackThis v1.99.1
Scan saved at 5:34:27 PM, on 8/23/2006

I'll check the system in the morning and let you know. Thanks for all your help. It must be as frustrating for you as it is for me.
I still got a message that I still had CWS. I downloaded a trial of Spysweeper and ran it. It found a bunch of stuff and cleaned it. I also found something called Elitegroups but couldn't remove it?? Said I had to buy. I also ran CCleaner, which a friend said to try. So far I don't see CWS anymore. I will run a new HJT/Ewido/Spysweeper tonight when I have more time. Is Spysweeper really that good, and should I purchase? Thanks for all the help.
Your opinion is enough for me. I just bought the license. I will send logs in the am as soon as I catch up on all my paperwork. Again, many thanks for your assistance.

Spunky