Print Page - Help with W32.Sinnaka.A@mm Virus

Can someone tell me how to get rid of this pop up virus! My computer keeps saying that it is infected... then one by one... pop ups start to come until my computer freezes up. The only thing I got was that W32.Sinnaka.A@mm Virus is getting information from my computer... Can someone please have a look at this..

Logfile of HijackThis v1.99.1
Scan saved at 12:33:02 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\Quicktime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\DOCUME~1\ANDYRI~1\MYDOCU~1\ICROSO~1.NET\javaw.exe
C:\Documents and Settings\Andy Rickard\Application Data\s?mbols\??plorer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andy Rickard\Desktop\hijackthis.exe

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.Email Removed.com"); (C:\Program Files\Netscape\Users\jackie\prefs.js)
O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp972F.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\ANDYRI~1\MYDOCU~1\ICROSO~1.NET\javaw.exe" -vt mt
O4 - HKCU\..\Run: [Nqvorit] C:\Documents and Settings\Andy Rickard\Application Data\s?mbols\??plorer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Java Client 2.0.0.66 - http://216.26.100.73/Java/cs4ms066.cab (http://\"http://216.26.100.73/Java/cs4ms066.cab\")
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/jt0_x.cab\")
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab\")
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct0_x.cab\")
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/it1_x.cab\")
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab (http://\"http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab\")
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pt3_x.cab\")
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pote_x.cab\")
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tvt0_x.cab\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab (http://\"http://64.124.45.181/downloads/ccpm_0237.cab\")
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab\")
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (http://\"http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123 (http://\"http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123\")
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab (http://\"http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab\")
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab (http://\"http://chat.yahoo.com/cab/yacsui.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5071 (http://\"http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab (http://\"http://chat.yahoo.com/cab/yvwrctl.cab\")
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab (http://\"http://download.abacast.com/download/files/abasetup142f1.cab\")
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Iigpekjn.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Sorry for the delay

Can you do the following please
Download [color=\"#3333FF\"]smitRem.exe[/color] (http://\"http://noahdfear.geekstogo.com/click%20counter/click.php?id=1\") ©noahdfear, and save the file to your desktop.

(http://hijackthisaid.org/Pictures/infections/Smitextract.GIF)
[color=\"#FF0000\"]Double-click on the smitRem.exe file to extract it to it's own folder on the desktop.[/color]
(http://www.security-central.us/limg/smit%20icon.jpg)

Place a shortcut to [color=\"#3333FF\"]Panda ActiveScan[/color] (http://\"http://www.pandasoftware.com/products/activescan.htm\") on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

==Download and Install
Windows Cleanup! 4.0 (http://\"http://downloads.stevengould.org/cleanup/CleanUp40.exe\")
Don't run it yet

==Open Ewido anti-malware
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link
http://www.ewido.net/en/download/updates/ (http://\"http://www.ewido.net/en/download/updates/\")

Please save these instructions to a Notepad file and save it to your Desktop for reference
or Print them out!

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. Remain in safe mode

==Open Ewido Anti-malware
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to the desktop or someplace you will remember
Exit Ewido
NOTE: When Ewido is running, don't open any other windows, let it run uninterrupted

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: Nothing - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp972F.tmp

O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\ANDYRI~1\MYDOCU~1\ICROSO~1.NET\javaw.exe" -vt mt
O4 - HKCU\..\Run: [Nqvorit] C:\Documents and Settings\Andy Rickard\Application Data\s?mbols\??plorer.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123 (http://\"http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123\")
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsIns....cab?refid=5071 (http://\"http://www.mt-download.com/MediaTicketsIns....cab?refid=5071\")
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

O20 - Winlogon Notify: winmfu32 - C:\WINDOWS\SYSTEM32\winmfu32.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Iigpekjn.dll (file missing)

After you have ticked the above entry, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot back to Normal mode

Immediately, back in windows
click the Panda ActiveScan shortcut.

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan [color=\"blue\"](Note: It may take a couple of minutes)[/color]
When the download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post back all the following please
1. Post the report from Panda's
2. Post a fresh hijackthis log
3. Post the whole report from Ewido's
4. Post the Whole log made from SmitRem located here C:\Smitfiles.txt

[quote name=\'guestolo\' post=\'102477\' date=\'Mar 29 2006, 06:50 PM\']Locking this post
Please stick with This post (http://\"http://www.thetechguide.com/forum/index.php?showtopic=29472\")
Keep all responses to that thread please[/quote]

Panda REPORT:

Incident Status Location

Adware:adware/purityscan Not disinfected C:\Documents and Settings\Andy Rickard\Local Settings\Temp\!update.exe
Potentially unwanted tool:application/spywarequake Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SpywareQuake 2.0.lnk
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\cards.ico
Dialer:dialer.b Not disinfected C:\WINDOWS\SYSTEM32\mseggrpid.dll
Spyware:spyware/commonname Not disinfected C:\WINDOWS\SYSTEM32\winnet.ini
Adware:adware/sahagent Not disinfected C:\SahAgent.log
Adware:adware/gator Not disinfected C:\WINDOWS\GatorUninstaller_cme.log
Spyware:application/bestoffer Not disinfected C:\WINDOWS\smdat32a.sys
Adware:adware/ncase Not disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/mediatickets Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\TYPELIB\{0494D0D0-F8E0-41AD-92A3-14154ECE70AC}
Spyware:spyware/cws.olehelp Not disinfected Windows Registry
Potentially unwanted tool:application/altnet Not disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@tribalfusion[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy [email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Mozilla\Firefox\Profiles\3l1te545.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Mozilla\Firefox\Profiles\3l1te545.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Mozilla\Firefox\Profiles\3l1te545.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Mozilla\Firefox\Profiles\3l1te545.default\cookies.txt[]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-120a4f81.zip[GetAccess.class]
Adware:Adware/CWS.Searchmeup Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-47723671-120a4f81.zip[Installer.class]
Adware:Adware/IST.ISTBar Not disinfected C:\Documents and Settings\Andy Rickard\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-7cbbf4dd.zip[InstallerApplet.class]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@statcounter[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy rickard@tribalfusion[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Andy Rickard\Cookies\andy [email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andy Rickard\Desktop\New Briefcase\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andy Rickard\Desktop\New Briefcase\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andy Rickard\Desktop\Programs\smitRem\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Andy Rickard\Desktop\Programs\smitRem.exe[Process.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Andy Rickard\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Andy Rickard\My Documents\?icrosoft.NET\javaw.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Program Files\Kazaa\bdcore.dll.updpnd
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SmFja2llICBSaWNrYXJk\mAI3uZ55KF1muqhOsrL4.vbs
Adware:Adware/Adservice Not disinfected C:\WINDOWS\SYSTEM32\AdService.dll
Adware:Adware/Exact.BargainBuddy Not disinfected C:\WINDOWS\SYSTEM32\OMsetup.exe

[quote name=\'guestolo\' post=\'102477\' date=\'Mar 29 2006, 06:50 PM\']Locking this post
Please stick with This post (http://\"http://www.thetechguide.com/forum/index.php?showtopic=29472\")
Keep all responses to that thread please[/quote]

Fresh HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 9:06:07 PM, on 3/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\Quicktime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\RONFOL~1\TABS\POWERT~1\PTEditor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andy Rickard\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/ (http://\"http://www.msn.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com (http://\"http://www.dellnet.com\")
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.Email Removed.com"); (C:\Program Files\Netscape\Users\jackie\prefs.js)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Java Client 2.0.0.66 - http://216.26.100.73/Java/cs4ms066.cab (http://\"http://216.26.100.73/Java/cs4ms066.cab\")
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/jt0_x.cab\")
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab\")
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct0_x.cab\")
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/it1_x.cab\")
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab (http://\"http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab\")
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pt3_x.cab\")
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pote_x.cab\")
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tvt0_x.cab\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab (http://\"http://64.124.45.181/downloads/ccpm_0237.cab\")
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab\")
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (http://\"http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab (http://\"http://chat.yahoo.com/cab/yacsui.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab (http://\"http://chat.yahoo.com/cab/yvwrctl.cab\")
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab (http://\"http://download.abacast.com/download/files/abasetup142f1.cab\")
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[quote name=\'guestolo\' post=\'102477\' date=\'Mar 29 2006, 06:50 PM\']Locking this post
Please stick with This post (http://\"http://www.thetechguide.com/forum/index.php?showtopic=29472\")
Keep all responses to that thread please[/quote]

Here is SMITEREM LOG:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/29/2006
The current time is: 19:41:57.28

Running from
C:\Documents and Settings\Andy Rickard

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url

~~~ Favorites ~~~

Antivirus Test Online.url

~~~ system32 folder ~~~

1024 dir
ncompat.tlb
logfiles

~~~ Icons in System32 ~~~

ts.ico
ot.ico

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

/smile.gif\' class=\'bbc_emoticon\' alt=\':)\' />

[quote name=\'guestolo\' post=\'102477\' date=\'Mar 29 2006, 06:50 PM\']Locking this post
Please stick with This post (http://\"http://www.thetechguide.com/forum/index.php?showtopic=29472\")
Keep all responses to that thread please[/quote]

HERE IS EWIDO:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         8:39:49 PM, 3/29/2006
+ Report-Checksum:      8928E1C3

+ Scan result:

   C:\Documents and Settings\Andy Rickard\My Documents\Мicrosoft.NET\javaw.exe -> Downloader.PurityScan.cc : Cleaned with backup
   C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP506\A0035150.exe -> Downloader.Zlob.is : Cleaned with backup
   C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP506\A0035152.exe -> Downloader.PurityScan.bt : Cleaned with backup
   C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP506\A0035153.exe -> Downloader.Delf.aeu : Cleaned with backup
   C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP506\A0035155.dll -> Downloader.Small.cml : Cleaned with backup

::Report End

Can you do the following please

Download [color=\"blue\"]roguescanfix.exe[/color] (http://\"http://www.martijnc.be/tools/roguescanfix.exe\") , and save it to your desktop.
Double click roguescanfix.exe to install it.
Open the roguescanfix folder, and doubleclick run.bat. [color=\"red\"]Make Sure you have an active internet connection![/color][/i]
Your desktop and icons will disappear and then reappear again, this is normal.
Wait till the message "Completed script execution" appears, then click OK.
Click "Exit" to close BFU.
Click "OK" to start the SpywareQuake/Spyfalcon uninstaller, after that click "uninstall". Please wait until it is finished.
WARNING: You will be asked to reboot your computer. Wait until the uninstallers did their job before clicking YES.

Back in windows
Find and delete the following files and folders in bold below
Exact file names and locations please
You may have to
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

C:\Documents and Settings\Andy Rickard\Local Settings\Temp\!update.exe
C:\Documents and Settings\Andy Rickard\Application Data\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SpywareQuake 2.0.lnk
C:\WINDOWS\SYSTEM32\cards.ico
C:\WINDOWS\SYSTEM32\mseggrpid.dll
C:\WINDOWS\SYSTEM32\winnet.ini
C:\SahAgent.log
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\smdat32a.sys
C:\Documents and Settings\Andy Rickard\Local Settings\Temp\!update.exe
C:\Program Files\Kazaa\bdcore.dll.updpnd
C:\WINDOWS\SmFja2llICBSaWNrYXJk\mAI3uZ55KF1muqhOsrL4.vbs
C:\WINDOWS\SYSTEM32\AdService.dll
C:\WINDOWS\SYSTEM32\OMsetup.exe
C:\WINDOWS\SYSTEM32\FLEOK

C:\Documents and Settings\Andy Rickard\My Documents\?icrosoft.NET <-this folder
I'm not sure of the exact name, but it will end with icrosoft.NET

Post back a fresh hijackthis log and let me know how things are going

Ok.. Here is the log... Hopefully this works... Thank you very much for your expertise...

Logfile of HijackThis v1.99.1
Scan saved at 12:21:05 AM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\Quicktime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andy Rickard\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.msn.ca/ (http://\"http://www.msn.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dellnet.com (http://\"http://www.dellnet.com\")
N1 - Netscape 4: user_pref("browser.startup.homepage",

"http://www.Email Removed.com"); (C:\Program

Files\Netscape\Users\jackie\prefs.js)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor -

{B56A7D7D-6927-48C8-A975-17DF180C71AC} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}

- C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} -

C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -

C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program

Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD

Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus!

2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec

Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program

Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\program

files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program

Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300

Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300

Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax

Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft

Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition]

"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN

Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

-quiet
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program

Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program

Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program

Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: RealDownload.lnk = C:\Program

Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Spyware Doctor -

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Java Client 2.0.0.66 -

http://216.26.100.73/Java/cs4ms066.cab (http://\"http://216.26.100.73/Java/cs4ms066.cab\")
O16 - DPF: Yahoo! Blackjack -

http://download.games.yahoo.com/games/clients/y/jt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/jt0_x.cab\")
O16 - DPF: Yahoo! Chat -

http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab\")
O16 - DPF: Yahoo! Chess -

http://download.games.yahoo.com/games/clients/y/ct0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct0_x.cab\")
O16 - DPF: Yahoo! Cribbage -

http://download.games.yahoo.com/games/clients/y/it1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/it1_x.cab\")
O16 - DPF: Yahoo! Klondike Solitaire -

http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab (http://\"http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab\")
O16 - DPF: Yahoo! Poker -

http://download.games.yahoo.com/games/clients/y/pt3_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pt3_x.cab\")
O16 - DPF: Yahoo! Pool 2 -

http://download.games.yahoo.com/games/clients/y/pote_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pote_x.cab\")
O16 - DPF: Yahoo! Trivia -

http://download.games.yahoo.com/games/clients/y/tvt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tvt0_x.cab\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client

Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab (http://\"http://64.124.45.181/downloads/ccpm_0237.cab\")
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio

Conferencing) -

http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab\")
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus

scanner) -

http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (http://\"http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/200203...nfo.apple.com/q (http://\"http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/q\")

t505/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI

Utility Class) -

http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -

http://us.games2.yimg.com/download.games.y.../play/client/ex (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/ex\")

entctl_0_0_0_1.ocx
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) -

http://chat.yahoo.com/cab/yacsui.cab (http://\"http://chat.yahoo.com/cab/yacsui.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient

Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector

Class) -

http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer

Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab (http://\"http://chat.yahoo.com/cab/yvwrctl.cab\")
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -

http://download.abacast.com/download/files/abasetup142f1.cab (http://\"http://download.abacast.com/download/files/abasetup142f1.cab\")
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown

Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology

Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc.

- C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -

C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - Unknown owner -

C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner -

C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA

Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research

Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe

HI... I noticed that my Microsoft Applications do not work.... I don't have access, excel, etc... is this a result of the cleaning process? How do I fix this?

Sorry for the delay
Can I see a new hijackthis log please
Before copying and pasting the log back here
Click on FORMAT and uncheck wordwrap in the hijackthis log that opens

This will take the spaces out of the hijackthis log
I asked you earlier to remove this folder if found
C:\Documents and Settings\Andy Rickard\My Documents\?icrosoft.NET <-this folder

Did you remove that folder from that EXACT LOCATION
It may of been named Microsoft.NET
There will be a legitimate folder with that same name but not the same location
Did you remove it???

here is my hijack log... without the wrap:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:13 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\program files\Quicktime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Lexmark 2300 Series\lxcgmon.exe
C:\Program Files\Lexmark 2300 Series\ezprint.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxcgcoms.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcgPSWX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Andy Rickard\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/ (http://\"http://www.msn.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com (http://\"http://www.dellnet.com\")
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.Email Removed.com"); (C:\Program Files\Netscape\Users\jackie\prefs.js)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0\bin\ssv.dll (file missing)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\Quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcgmon.exe] "C:\Program Files\Lexmark 2300 Series\lxcgmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2300 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ChatSpace Java Client 2.0.0.66 - http://216.26.100.73/Java/cs4ms066.cab (http://\"http://216.26.100.73/Java/cs4ms066.cab\")
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/jt0_x.cab\")
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab\")
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/ct0_x.cab\")
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/it1_x.cab\")
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab (http://\"http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab\")
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pt3_x.cab\")
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/pote_x.cab\")
O16 - DPF: Yahoo! Trivia - http://download.games.yahoo.com/games/clients/y/tvt0_x.cab (http://\"http://download.games.yahoo.com/games/clients/y/tvt0_x.cab\")
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab (http://\"http://64.124.45.181/downloads/ccpm_0237.cab\")
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab (http://\"http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab\")
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab (http://\"http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab\")
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe (http://\"http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe\")
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (http://\"http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab\")
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://\"http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx\")
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab (http://\"http://chat.yahoo.com/cab/yacsui.cab\")
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab (http://\"http://messenger.zone.msn.com/binary/MessengerStatsClient.cab\")
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab (http://\"http://acs.pandasoftware.com/activescan/as5free/asinst.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab (http://\"http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab\")
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab (http://\"http://chat.yahoo.com/cab/yvwrctl.cab\")
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup142f1.cab (http://\"http://download.abacast.com/download/files/abasetup142f1.cab\")
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab (http://\"http://messenger.zone.msn.com/binary/SolitaireShowdown.cab\")
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcg_device - Unknown owner - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I did remove the folder you mentioned from that required location... where would i find the other microsoft.net? Even if I did... what would be the new problem in recovering the applications i originally had on?

Hmmm, ok, can you do the following
Throw your Office Cd in and do a Repair on it please

Then go to Offic updates and check for updates
http://office.microsoft.com/en-us/officeupdate/default.aspx (http://\"http://office.microsoft.com/en-us/officeupdate/default.aspx\")

hey... i'm getting this some message in the taskbar, how do i go about getting rid of this message/spyware?

cheers

what is hijackthis? i want to do this because i keep getting popups

This post is now locked as the original poster has not replied

To all other please start your own post in this forum
Supply a hijackthis log
Click [color=\"#3366FF\"]HERE[/color] (http://\"http://www.thetechguide.com/forum/index.php?showtopic=22942\")
for instructions please

TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Ronald37 on March 28, 2006, 12:33:59 PM