Author Topic: SmartSecurity Desktop Hijacked  (Read 2847 times)

Offline happyeaglesfan

SmartSecurity Desktop Hijacked
« on: May 23, 2005, 12:43:17 PM »
<_< I have this Smart Security desktop ad on my computer and have been trying to remove it.  Antispyware and others have been run.  I tried the Trend Micro free online scan.  I am unable to get rid of it.  I do not want to reinstall Windows.  Is there anything that can get rid of it?  Any options, or others who have had the problem?
Thanks for time
G>R

Offline guestolo

SmartSecurity Desktop Hijacked
« Reply #1 on: May 23, 2005, 01:13:50 PM »
I need to see a Hijackthis log

Can you follow This POST

And download and post a hijackthis log to this thread

Thanks

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline happyeaglesfan

SmartSecurity Desktop Hijacked
« Reply #2 on: May 23, 2005, 01:18:48 PM »
guestolo,
Just leaving work.  The computer with the problem is at home.  I do know how to do Hijackthis.  I will post it tonight.  About 9 pm Est.  Will that be okay.  I have seen you helped others with this same problem.  I have tried to follow it but not very successful.  Sorry that I have to go home to finish this.  I really am thankful for your help.
Thanks
GR

Offline guestolo

SmartSecurity Desktop Hijacked
« Reply #3 on: May 23, 2005, 01:43:25 PM »
I'll look for your post tonight; try not to fix anything with Hijackthis until I see the log
Thanks

That link to How to post a hijackthis log will help you post a log
Make sure you save Hijackthis to a permanent folder



Offline happyeaglesfan

SmartSecurity Desktop Hijacked
« Reply #4 on: May 24, 2005, 08:13:59 PM »
guestolo
Here is my Hijackthis log file.  Sorry I did not get it out yesterday.  Had some other problems to tend to.  Right now I am only able to access the internet in safe mode.  Does this cause a problem for the log file?
Thanks for your help

Logfile of HijackThis v1.99.1
Scan saved at 9:11:41 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe

Offline guestolo

SmartSecurity Desktop Hijacked
« Reply #5 on: May 24, 2005, 08:31:20 PM »
Try and do all the following please

===Download and save to desktop or a folder
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later>>If using a Mozilla browser, right click on that link and SAVE Link As

==Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Alternate Download link
We'll need this later

==Download and UNZIP to a folder or desktop
Fixdesktop.zip
So you now have Fixdesktop.reg extracted

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Print this out or save these instructions to a Notepad file and save it to your Desktop or a folder

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\Web\desktop.html
C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

When Restarting, please Restart back to SAFE MODE

*Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete these folders if found

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Program Files\vspvwwqw
C:\WINNT\System32\Log Files

*Double Click on Fixdesktop.reg and allow to merge to the registry

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)

O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART back to Normal mode

Back in Windows

If prompted by Microsoft Anti-Spyware about any changes, ALLOW them so it won't interfere with any fixes we are trying to do

Do another scan with Hijackthis and post a fresh log
Also post the report from Ewido
« Last Edit: May 24, 2005, 08:39:11 PM by guestolo »

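A small triage script for the kind of logs exchanged in this thread, added here as an example (it is not a tool from the thread, nor from the HijackThis or ewido authors). It parses HijackThis entries and ewido result lines, then flags entries by rules that mirror the ones guestolo asked to be fixed: O15 trusted zone and trusted IP entries, entries whose target is "(file missing)", a start or search page that points at a local file, and any target living in a directory the ewido report classified as spyware. The sample lines are copied from the logs posted in the thread; the rule set and the expansion of the 8.3 alias PROGRA~1 to Program Files are assumptions of the example.

```python
"""Triage a HijackThis v1.99 log against an ewido scan report.

Added example, not a tool from the thread. The rules mirror the entries
guestolo asked to be fixed; the PROGRA~1 -> Program Files expansion is an
assumption of this script.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: lines copied from the first HijackThis log in the thread.
HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# Constructed sample: two result lines copied from the ewido report in the thread.
EWIDO_REPORT = r"""
   C:\Program Files\vspvwwqw\cnml.exe -> Spyware.CommonName.l -> Error during cleaning
   C:\Program Files\vspvwwqw\ecgCAsBN.dll -> Spyware.CommonName.g -> Cleaned with backup
"""

HJT_LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
# A drive-letter path ending in an extension, terminated by whitespace, a quote or end of line.
WIN_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.[A-Za-z0-9]{2,4})(?=\s|"|$)')
# ewido result line: <path> -> <detection name> -> <action taken>
EWIDO_LINE_RE = re.compile(r"^\s*(.+?) -> (\S+) -> (.+?)\s*$")


def normalize(path: str) -> str:
    """Lower-case a path and expand PROGRA~1 (assumed to be Program Files)."""
    return path.lower().replace("progra~1", "program files")


@dataclass
class HjtEntry:
    section: str           # R0, R1, O2, O4, O15, O23 ...
    body: str              # everything after "Oxx - "
    path: Optional[str]    # first drive-letter path in the body, if any


def parse_hjt(text: str) -> List[HjtEntry]:
    entries = []
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes" and blank lines are skipped
        section, body = m.groups()
        p = WIN_PATH_RE.search(body)
        entries.append(HjtEntry(section, body, p.group(1) if p else None))
    return entries


def ewido_flagged_dirs(text: str) -> Set[str]:
    """Normalized directories that contain a file ewido classified as malicious."""
    dirs = set()
    for line in text.splitlines():
        m = EWIDO_LINE_RE.match(line)
        if m:
            dirs.add(normalize(m.group(1)).rsplit("\\", 1)[0])
    return dirs


def triage(hjt_text: str, ewido_text: str) -> List[Tuple[str, str]]:
    """Return (entry, reasons) pairs for HijackThis entries worth fixing."""
    flagged_dirs = ewido_flagged_dirs(ewido_text)
    findings = []
    for e in parse_hjt(hjt_text):
        reasons = []
        if e.section == "O15":
            reasons.append("trusted zone / trusted IP range entry")
        if "(file missing)" in e.body:
            reasons.append("orphaned entry, target file missing")
        if e.section in ("R0", "R1") and e.path is not None:
            reasons.append("start/search page points at a local file")
        if e.path is not None and normalize(e.path).rsplit("\\", 1)[0] in flagged_dirs:
            reasons.append("target lives in a directory ewido flagged as spyware")
        if reasons:
            findings.append((f"{e.section} - {e.body}", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, why in triage(HJT_LOG, EWIDO_REPORT):
        print(f"{why}\n    {entry}")
```

The rules are deliberately conservative: a vendor entry such as the Norton BHO or the NVIDIA service produces no finding, and the O4 entry is flagged only because the ewido report independently named its directory, which is the same cross-check guestolo made when he put C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe on the Killbox list.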


Offline guestolo

SmartSecurity Desktop Hijacked
« Reply #6 on: May 24, 2005, 08:33:15 PM »
HOLD TIGHT, DON'T FOLLOW THE ABOVE INSTRUCTIONS YET

OK, go ahead, just had to make a few changes :)
« Last Edit: May 24, 2005, 08:38:38 PM by guestolo »



Offline happyeaglesfan

SmartSecurity Desktop Hijacked
« Reply #7 on: May 24, 2005, 09:25:59 PM »
I am working on the ewido security scan.  Then the hijackthis scan is next.  I did not find the files
C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Program Files\vspvwwqw
C:\WINNT\System32\Log Files
 
As soon as I get the hijackthis log fixed I will post it.
thank you

Offline happyeaglesfan

SmartSecurity Desktop Hijacked
« Reply #8 on: May 24, 2005, 09:59:27 PM »
hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:56:37 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe

Scan Report

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         10:46:08 PM, 5/24/2005
 + Report-Checksum:      B2C0837A

 + Date of database:      5/25/2005
 + Version of scan engine:   v3.0

 + Duration:            28 min
 + Scanned Files:         69719
 + Speed:            40.41 Files/Second
 + Infected files:         123
 + Removed files:         119
 + Files put in quarantine:      119
 + Files that could not be opened:   0
 + Files that could not be cleaned:   4

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\!Submit\ecgCAsBN.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay.j -> Cleaned with backup
   C:\Program Files\vspvwwqw\cnml.exe -> Spyware.CommonName.l -> Error during cleaning
   C:\Program Files\vspvwwqw\ecgCAsBN.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\Program Files\vspvwwqw\GQgCF8BN.dll -> Spyware.CommonName.g -> Error during cleaning
   C:\Program Files\vspvwwqw\GQgCF8BN.exe -> Spyware.CommonName.i -> Error during cleaning
   C:\Program Files\vspvwwqw\NB8FCgQG.exe -> Spyware.CommonName.g -> Error during cleaning
   C:\Program Files\vspvwwqw\NBsACgce.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP123\A0027216.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP123\A0027217.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP139\A0033772.exe -> Spyware.Small.ed -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP139\A0033775.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP42\A0009930.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0010722.srg -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0010724.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0010725.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011725.srg -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011727.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011728.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011736.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/exdl.exe -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011763.dll -> Spyware.Relevance.b -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011768.exe -> Spyware.WinAD.k -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011771.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011772.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011773.dll -> Spyware.BabeIE -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015933.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015935.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015937.exe -> TrojanDropper.Small.oy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015977.sys -> Backdoor.Haxdoor.az -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015978.sys -> Backdoor.Haxdoor.az -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP59\A0016044.dll -> Spyware.PurityScan.ak -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP65\A0016098.exe -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP65\A0016099.dll -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016220.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016221.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016223.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016241.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016242.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016243.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016246.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016247.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016248.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016250.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016251.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016252.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016360.dll -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016362.exe -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP74\A0017389.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP74\A0017394.exe -> Spyware.PurityScan.at -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018430.dll -> Spyware.Toolbar -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018431.dll -> Spyware.WebSearch.ae -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/exdl.exe -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018444.exe -> Spyware.PurityScan.bf -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018445.dll -> Spyware.PurityScan.ak -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018453.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018478.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018479.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018481.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018515.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018517.exe -> Spyware.PurityScan.at -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP81\A0019579.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP81\A0019580.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/exdl.exe -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019623.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019626.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP83\A0020279.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP83\A0020579.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021628.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/exdl.exe -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021634.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021636.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP85\A0021675.exe -> Spyware.PurityScan.w -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP85\A0021676.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP90\A0024101.dll -> Spyware.PurityScan.ak -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP90\A0024102.exe -> Spyware.PurityScan.bf -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP91\A0024307.EXE -> Spyware.PurityScan.bf -> Cleaned with backup
   C:\WINNT\Akh.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Bae.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Dcf.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\dd.exe -> Trojan.Agent.cl -> Cleaned with backup
   C:\WINNT\Gfu.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Hbl.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\NDNuninstall5_64.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\NDNuninstall6_10.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\Pne.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Qjc.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Sia.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Sts.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\system32\563984.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\WINNT\system32\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\WINNT\Tsu.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Vnl.html -> Spyware.Spywad.b -> Cleaned with backup


::Report End

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity Desktop Hijacked
« Reply #9 on: May 25, 2005, 12:49:54 AM »
Can you make sure you do the following please
DISABLE Microsofts Anti-Spyware realtime protection
It seems to be interfering with our fixes

Ensure you have Killbox and
DelDomains.inf

Please print this out or save it to a Notepad file on the desktop
Close down all browser windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
<This is not related to Microsoft's Anti-Spyware software
It's a nasty

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open a Notepad file: go to START>>RUN and type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\Program Files\vspvwwqw\cnml.exe
C:\Program Files\vspvwwqw\GQgCF8BN.dll
C:\Program Files\vspvwwqw\GQgCF8BN.exe
C:\Program Files\vspvwwqw\NB8FCgQG.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

Back in Windows

Don't open a Browser yet

Delete this folder
C:\Program Files\vspvwwqw <-this folder

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Run another scan with Hijackthis and post a fresh log


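Added example, not code from this thread or from HijackThis: a small Python triage script that splits a HijackThis 1.99-format log into section-tagged entries and applies the checks the instructions above rely on (O15 Trusted Zone and Trusted IP range entries, an IE search page pointing at a local file, a Run entry with a random-looking value name, entries marked "(file missing)"), plus a loopback ProxyServer check of the kind visible in the logs posted later in this thread. The sample log is constructed from entries quoted in this thread; the heuristics and the `looks_random` threshold are my own assumptions, not HijackThis's logic.

```python
import re
from dataclasses import dataclass

# Constructed sample log: a handful of HijackThis v1.99-format lines modelled
# on entries quoted in this thread. It is not a scan of any real machine.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:27:45 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINNT\System32\smss.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted IP range: 64.62.171.156
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str  # HijackThis section tag, e.g. "R1", "O4", "O15", "O23"
    body: str     # text after the "R1 - " prefix


@dataclass
class Finding:
    entry: Entry
    reason: str


ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[([^\]]+)\]")
LOOPBACK_PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:localhost|127\.0\.0\.1)(?::\d+)?", re.I)
LOCAL_PAGE_RE = re.compile(r"(?:Start|Search) Page\s*=\s*[A-Za-z]:\\", re.I)


def parse_hjt(text):
    """Return the section-tagged entries of a HijackThis log, skipping the
    header block and the 'Running processes' list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def looks_random(name):
    """Heuristic (assumption, not HijackThis's rule): an 8-character
    alphanumeric value name mixing upper case, lower case and digits,
    like the [eQ0HTkUx] Run entry quoted in this thread."""
    return (len(name) == 8 and name.isalnum()
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name)
            and any(c.isdigit() for c in name))


def triage(entries):
    """Apply the checks the thread relies on and return one Finding per hit.
    A hit marks an entry for review; it is not a malware verdict."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "O15":
            reasons.append("Trusted Zone entry: sites here get IE's relaxed zone "
                           "settings; confirm the user added it on purpose")
        if e.section in ("R0", "R1"):
            if LOOPBACK_PROXY_RE.search(e.body):
                reasons.append("IE proxy set to the local machine: browser "
                               "traffic is routed through a local process")
            if LOCAL_PAGE_RE.search(e.body):
                reasons.append("IE start/search page points at a local file")
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            if m and looks_random(m.group(1)):
                reasons.append("Run entry with a random-looking value name")
        if e.section == "O23" and "Unknown owner" in e.body:
            reasons.append("service binary carries no publisher information")
        if "(file missing)" in e.body:
            reasons.append("entry references a file that no longer exists: "
                           "dead reference, removable")
        findings.extend(Finding(e, r) for r in reasons)
    return findings


def count_by_section(entries):
    """Entry counts per section tag, a quick shape check of a pasted log."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_LOG)
    print("entries by section:", count_by_section(ents))
    for f in triage(ents):
        print(f"[{f.entry.section}] {f.reason}\n    {f.entry.body}")
```

A flagged entry is a candidate for a human look, not a verdict: the same "(file missing)" test fires on harmless dead entries such as the WeatherBug button in the list above, and a legitimate local filtering proxy would also trip the loopback check. The value of the script is in making the review repeatable across the several logs a thread like this one accumulates.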

Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #10 on: May 25, 2005, 09:39:57 AM »
bump
« Last Edit: May 25, 2005, 12:32:55 PM by happyeaglesfan »

Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #11 on: May 25, 2005, 12:23:20 PM »
Bump

Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #12 on: May 25, 2005, 12:31:34 PM »
Okay.  I was able to delete the folder C:\Program Files\vspvwwqw.  I had to move it and then delete it.  It was the only way to get rid of it.  I then ran a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:45 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4BB975F-B6D3-421B-B9DA-D5B1C9040133}: NameServer = 204.186.0.201,204.186.0.203
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe

Thanks again for your help.
Happyeaglesfan

Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #13 on: May 25, 2005, 07:20:04 PM »
Bump

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity Desktop Hijacked
« Reply #14 on: May 25, 2005, 07:35:02 PM »
How's everything running on your end?



Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #15 on: May 26, 2005, 06:02:06 AM »
Desktop is still locked with Smart Security.  Not sure what to do next.  Here is the most recent hijackthis log.  

Okay. I was able to delete the folder C:\Program Files\vspvwwqw. I had to move it and then delete it. It was the only way to get rid of it. I then ran a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:45 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4BB975F-B6D3-421B-B9DA-D5B1C9040133}: NameServer = 204.186.0.201,204.186.0.203
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe


Happyeaglesfan

Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #16 on: May 26, 2005, 06:29:48 PM »
guestolo,
Still have the smart Security on the desktop.  I have done everything in your last post.  Will Post a new Hijackthis log shortly.  Having trouble doing updates for some software.  Please help...
Happyeaglesfan

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity Desktop Hijacked
« Reply #17 on: May 26, 2005, 06:34:53 PM »
It could be because you still had some bad files remaining on your computer

Can you do the following please

Download and UNZIP to desktop or a folder Get2.zip
So you now have Get2.bat extracted
Double click on Get2.bat and a text file will appear on the desktop or folder
Called Export2.txt

Can you copy and paste the contents back here with a fresh Hijackthis log



Offline happyeaglesfan

  • Newbie
  • *
  • Posts: 19
  • Karma: +0/-0
SmartSecurity Desktop Hijacked
« Reply #18 on: May 26, 2005, 08:06:07 PM »
Here are the files.  Please help.  It is frustrating!


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Logfile of HijackThis v1.99.1
Scan saved at 9:02:38 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
SmartSecurity Desktop Hijacked
« Reply #19 on: May 26, 2005, 08:16:45 PM »
Do this for me, the export2.txt looks good
You appear to have given me a log from hijackthis from safe mode

Make sure you have fixdesktop.reg unzipped

Double click on it and allow it to merge to the registry

RESTART the computer
Make sure you restart into Normal mode

Can you now do the following

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything unchecked

Back in Windows

Run another scan with hijackthis in Normal mode and show me a fresh log

Could you also
Download and UNZIP to desktop or a folder
Files.zip
Open the folder you extracted and double click on Find.bat
Let this run, it will produce a log

Post the contents back here with the fresh hijackthis log
« Last Edit: May 26, 2005, 08:17:26 PM by guestolo »

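A read-only audit of the Active Desktop settings that the Display Properties steps above clear by hand, as an added PowerShell example that is not from the thread (guestolo's fixdesktop.reg and Find.bat are not reproduced here and their contents are not known from the page). The registry paths are the standard Active Desktop component, wallpaper and Display Properties policy locations; the "suspicious" heuristic (HTML or URL wallpaper, a component whose source is a web page) is this example's own assumption.

```powershell
# Added example, not from the thread. Reports only; it changes nothing.
$componentRoot = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$generalKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$desktopKey    = 'HKCU:\Control Panel\Desktop'
# Policy values that would grey out the Desktop tab / Customize Desktop button
# used in the steps above (checked as an assumption; the thread does not say
# what fixdesktop.reg sets or clears).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyNames = 'NoChangingWallPaper','NoActiveDesktopChanges','NoActiveDesktop',
               'NoDispBackgroundPage','NoDispCPL'

function Test-SuspiciousSource {
    param([string]$Source)
    # Heuristic (assumption): a wallpaper or Web-tab item that is an HTML file
    # or a web URL is what an Active Desktop hijack looks like; normal
    # wallpapers are image files.
    return ($Source -match '\.html?$' -or $Source -match '^https?://')
}

Write-Host '== Wallpaper values =='
foreach ($k in $desktopKey, $generalKey) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p -and $p.Wallpaper) {
        $flag = if (Test-SuspiciousSource $p.Wallpaper) { 'SUSPICIOUS' } else { 'ok' }
        Write-Host ('{0,-10} {1}  <- {2}' -f $flag, $p.Wallpaper, $k)
    }
}

Write-Host '== Active Desktop components (the Web tab list) =='
Get-ChildItem -Path $componentRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $c = Get-ItemProperty -Path $_.PSPath
    $flag = if (Test-SuspiciousSource $c.Source) { 'SUSPICIOUS' } else { 'ok' }
    Write-Host ('{0,-10} [{1}] {2} -> {3}' -f $flag, $_.PSChildName, $c.FriendlyName, $c.Source)
}

Write-Host '== Display Properties lockdown policies present =='
foreach ($k in $policyKeys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    foreach ($name in $policyNames) {
        if ($null -ne $p.$name) { Write-Host ('{0}\{1} = {2}' -f $k, $name, $p.$name) }
    }
}
```

Run it in the affected user's session before and after the Desktop tab steps; a component still listed as SUSPICIOUS after the restart means the Web tab item came back and the fresh hijackthis log is the next thing to look at.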