Topic: Need Help with SpySheriff

Optikal33
Need Help with SpySheriff
« on: August 02, 2005, 12:31:36 PM »
Wonderful hijacker has well hijacked my brother's laptop, need help getting rid of this. Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:25 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\WINDOWS\yjehlje.exe
C:\WINDOWS\system32\Lbjpmf.exe
C:\WINDOWS\system32\o0aqh3q5.exe
C:\WINDOWS\system32\hpdsp.exe
C:\WINDOWS\dinst.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
c:\windows\system32\hpgvvzh.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\COMMON~1\uzfz\uzfzm.exe
C:\WINDOWS\system32\h32gres.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\PROGRA~1\COMMON~1\uzfz\uzfza.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\uzfz\uzfzl.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
E:\hijackthis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [FcaoGKN] C:\WINDOWS\yjehlje.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Lbjpmf.exe
O4 - HKLM\..\Run: [o0aqh3q5] C:\WINDOWS\system32\o0aqh3q5.exe
O4 - HKLM\..\Run: [433O3ER] hpdsp.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [zvddid] c:\windows\system32\hpgvvzh.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [uzfz] C:\PROGRA~1\COMMON~1\uzfz\uzfzm.exe
O4 - HKCU\..\Run: [L0sEROdsO] h32gres.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.aim.com/ygp/aol/plugin/u...AIM.9.5.1.6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDDIE
O17 - HKLM\Software\..\Telephony: DomainName = EDDIE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDDIE
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EDDIE
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Optikal33
Need Help with SpySheriff
« Reply #1 on: August 04, 2005, 01:19:16 PM »
Bumping in hopes of help, haven't changed anything on the computer at all since the HJT post above.

guestolo (Administrator)
Need Help with SpySheriff
« Reply #2 on: August 05, 2005, 12:21:59 AM »
Let's try some cleanup on your machine and see how it looks after.

Please try and do all the following
==Download DSRFix.zip
 UNZIP the folder within to your desktop
Don't run this yet

==Download and save to desktop or folder the Nailfix utility.
DO NOT run it yet.

==Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

==Download and Install this small program
to help clean your temp folders, cookies, etc...
Windows Cleanup! 4.0
Give the link time to load or try it twice, it may be busy
Don't run this yet, we'll need it in a bit

==Download and then Install
Ewido Security Suite

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

Please disable SpySweeper's realtime protection
It may interfere in any fixes we try, you can reenable later, after we have you clean

Access your Add/Remove Programs and remove if found
ViewPoint <--May have more than one instance
and Daily Weather Forecast
and ISTbar

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

==Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.  Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

==Double-click on nailfix.exe.  Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".  Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

==Open the DSRFix folder you extracted to desktop earlier
Double click on dsrfix.bat
It will open and close on its own when it's done

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do its job

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what you see

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [FcaoGKN] C:\WINDOWS\yjehlje.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Lbjpmf.exe
O4 - HKLM\..\Run: [o0aqh3q5] C:\WINDOWS\system32\o0aqh3q5.exe
O4 - HKLM\..\Run: [433O3ER] hpdsp.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe

O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [zvddid] c:\windows\system32\hpgvvzh.exe

O4 - HKCU\..\Run: [uzfz] C:\PROGRA~1\COMMON~1\uzfz\uzfzm.exe
O4 - HKCU\..\Run: [L0sEROdsO] h32gres.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Run Panda's online virus scan and perform a full system scan.
Save the report from Panda; I'll want to see it later

Run another scan with Hijackthis and post a fresh log, also include the reports from Ewido and Panda
« Last Edit: August 05, 2005, 12:37:18 AM by guestolo »
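A log triage helper, added here as an illustration and not part of guestolo's post or of HijackThis itself: it parses lines in the log format posted above and flags the same kinds of entries guestolo singled out (an extra program appended to the system.ini Shell= line, orphaned "(no file)" CLSIDs, Run entries with random-looking names or executables dropped straight into C:\ or C:\WINDOWS, Trusted Zone additions, and services with an unknown owner). The sample lines, the expected-host allowlist and the name heuristics are constructed assumptions for this example.

```python
"""Triage a HijackThis v1.99-style log: parse each entry and flag the patterns a
log reader checks first.  Constructed example; rules and allowlist are assumptions."""
import re
from dataclasses import dataclass

# Constructed sample in the thread's log format (one or two lines per section type).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FcaoGKN] C:\WINDOWS\yjehlje.exe
O4 - HKLM\..\Run: [433O3ER] hpdsp.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

# Hosts the owner expects in search/start-page keys (constructed allowlist).
EXPECTED_HOSTS = {"www.dell4me.com", "mail.yahoo.com", "red.clientapps.yahoo.com"}
# A program dropped straight into one of these folders deserves a second look.
DROP_FOLDERS = {"C:", "C:\\WINDOWS"}
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def looks_random(name):
    """True for a digit buried inside a word (o0aqh3q5) or five or more
    letters without a single vowel (Lbjpmf).  Heuristic, not a verdict."""
    if re.search(r"\d[a-z]", name, re.I):
        return True
    letters = re.sub(r"[^a-z]", "", name.lower())
    return len(letters) >= 5 and not re.search(r"[aeiouy]", letters)


def check_r(body):
    """R0/R1: start or search page pointing at a host the owner did not choose."""
    m = re.search(r"=\s*(?:https?://)?([^/\s]+)", body)
    host = m.group(1).lower() if m else ""
    return [] if host in EXPECTED_HOSTS else [f"IE search/start page set to {host}"]


def check_f2(body):
    """F2: the system.ini Shell= line should launch Explorer.exe and nothing else."""
    m = re.search(r"Shell=(.*)", body, re.I)
    extras = m.group(1).split()[1:] if m else []
    return [f"Shell= also launches {exe}" for exe in extras]


def check_nofile(body):
    """O2/O3: a CLSID whose DLL is gone is a leftover worth clearing."""
    return ["orphaned CLSID (no file on disk)"] if "(no file)" in body else []


def check_o4(body):
    """O4: Run entries with random-looking names, drop-folder paths or no path."""
    m = re.match(r'.*\[(?P<name>[^\]]+)\]\s*"?(?P<exe>[^"]*?\.exe)', body, re.I)
    if not m:
        return []
    folder, _, fname = m.group("exe").rpartition("\\")
    reasons = []
    if looks_random(m.group("name")) or looks_random(fname.rsplit(".", 1)[0]):
        reasons.append("random-looking entry or file name")
    if folder.upper() in DROP_FOLDERS:
        reasons.append(f"executable sits directly in {folder}")
    if not folder and reasons:
        reasons.append("no path given, resolved through the PATH search order")
    return reasons


def check_o23(body):
    """O23: a service whose publisher HijackThis cannot name."""
    return ["service with unknown owner"] if "Unknown owner" in body else []


CHECKS = {
    "R": check_r, "F2": check_f2, "O2": check_nofile, "O3": check_nofile,
    "O4": check_o4, "O15": lambda body: ["site added to the IE Trusted Zone"],
    "O23": check_o23,
}


def triage(log_text):
    """Return the entries that need review, in log order, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no entry
        sec, body = m.group("sec"), m.group("body")
        check = CHECKS.get("R" if sec.startswith("R") else sec)
        reasons = check(body) if check else []
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings
```

Hits are a review queue, not a verdict: a legitimate vendor name without vowels lands in it too, and an entry like the dsr.dll BHO above is only caught by a known-bad list, which this example does not carry.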


Optikal33 (Guest)
Need Help with SpySheriff
« Reply #3 on: August 12, 2005, 12:41:13 PM »
Logfile of HijackThis v1.99.1
Scan saved at 1:35:20 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\windows\system32\dxlsbil.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Slick Willy\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.aim.com/ygp/aol/plugin/u...AIM.9.5.1.6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDDIE
O17 - HKLM\Software\..\Telephony: DomainName = EDDIE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDDIE
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EDDIE
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         12:10:47 PM, 8/12/2005
 + Report-Checksum:      7AF2B04

 + Scan result:

   HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\AutoLoader\4wsk1QMeVaLI -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\AutoLoader\4wsy1QMeVaLI -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A} -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{72892E8E-75DF-4CD2-BE11-E9A0077F44A8} -> Spyware.HotBar : Cleaned with backup
   HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
   HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
   HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
   HKLM\SOFTWARE\dealhelper -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\dealhelper\KeyWord -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dealhelper -> Spyware.DealHelper : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
   HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\BTGrab -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\IST -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-59D4-4008-9058-080011001200} -> Spyware.VX2 : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-F09C-02B4-6EC2-AD0300000000} -> Spyware.Transponder : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83DE62E0-5805-11D8-9B25-00E04C60FAF2} -> Spyware.BlazeFind : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9C691A33-7DDA-4C2F-BE4C-C176083F35CF} -> Spyware.WinFavorites : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9E98E84C-79E1-49C3-82EB-798FCD552EFB} -> Dialer.Generic : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} -> Spyware.BargainBuddy : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} -> Spyware.BetterInternet : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EFB22865-F3BC-4309-ADFA-C8E078A7F762} -> Dialer.Generic : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
   HKU\S-1-5-21-3828829770-4173854279-2888880002-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
   [260] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Cleaned with backup
   [112] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1112] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [776] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [332] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [384] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [376] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [908] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [912] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [948] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [336] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1060] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1100] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [880] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1136] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1156] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1164] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1216] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1228] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [1204] C:\WINDOWS\yjehlje.exe -> TrojanDownloader.IstBar.ij : Error during cleaning
   [1324] C:\WINDOWS\system32\Lbjpmf.exe -> Trojan.Popmon.a : Cleaned with backup
   [348] C:\WINDOWS\system32\o0aqh3q5.exe -> Adware.SAHA : Cleaned with backup
   [704] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [2288] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [2452] c:\windows\system32\iagivf.exe -> Trojan.Agent.cp : Cleaned with backup
   [2496] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [3000] C:\PROGRA~1\COMMON~1\uzfz\uzfzm.exe -> TrojanDownloader.TSUpdate.k : Cleaned with backup
   [3164] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [3172] C:\PROGRA~1\COMMON~1\uzfz\uzfza.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
   [3176] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [3268] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [3416] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [3440] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [3724] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   [2040] C:\PROGRA~1\COMMON~1\uzfz\uzfzl.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
   [3788] C:\WINDOWS\system32\vs94sgfd.dll -> Adware.SAHA : Error during cleaning
   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
   C:\Program Files\Common Files\uzfz\uzfza.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
   C:\Program Files\Common Files\uzfz\uzfzl.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
   C:\Program Files\Common Files\uzfz\uzfzm.exe -> TrojanDownloader.TSUpdate.k : Cleaned with backup
   C:\Program Files\Common Files\uzfz\uzfzp.exe -> Spyware.Xupiter : Cleaned with backup
   C:\Program Files\ISTsvc -> Spyware.ISTBar : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029699.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029700.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029701.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029702.exe -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029704.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029705.exe -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029706.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029707.exe -> Spyware.AproposMedia : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP260\A0029708.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029710.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029712.exe -> TrojanDownloader.Alchemic : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029713.exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029714.dll -> TrojanDownloader.Dyfuca : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029715.exe -> TrojanDownloader.Dyfuca : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029716.exe -> TrojanDownloader.Dyfuca.dp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029717.exe -> TrojanDownloader.Dyfuca.du : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029718.exe -> TrojanDownloader.Dyfuca : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029719.exe -> Trojan.Small.cy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029720.exe -> Spyware.BargainBuddy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029721.exe -> Spyware.BargainBuddy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029722.dll -> Spyware.BargainBuddy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029726.dll -> Spyware.ImiBar : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029727.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029729.exe -> Spyware.PowerScan : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029730.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029731.dll -> Spyware.SideFind : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029732.dll -> Spyware.SideFind : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029733.exe -> TrojanDownloader.IstBar.jd : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029734.dll -> Spyware.AdMir : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029735.dll -> TrojanDownloader.IstBar.ik : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029736.dll -> Spyware.180Solutions : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029738.exe -> Spyware.BiSpy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029739.exe -> Trojan.Small.cy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP262\A0029752.exe -> TrojanDownloader.IstBar : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029781.exe -> TrojanDownloader.Agent.ae : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029783.exe -> Trojan.AproposAd : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029784.exe -> Trojan.AproposAd : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029794.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029808.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029849.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029864.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029891.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029914.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029956.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029994.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029995.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029996.exe -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029998.exe -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0029999.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0030000.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0030001.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0030002.exe -> TrojanDownloader.TSUpdate.k : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0030003.exe -> Spyware.Xupiter : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030008.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030009.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030011.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030013.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030015.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030016.exe -> Trojan.AproposAd : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030017.dll -> Trojan.Pakes : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030018.exe -> Trojan.AproposAd : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP264\A0030028.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP279\A0030263.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP289\A0030338.dll -> Spyware.ImiBar : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP294\A0030361.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP294\A0030363.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP294\A0030364.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP294\A0030387.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP295\A0030683.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP295\A0030691.dll -> Adware.SAHA : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP295\A0030693.exe -> Adware.SAHA : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP295\A0030694.exe -> Adware.SAHA : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP295\A0030696.exe -> Adware.SAHA : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP295\A0030699.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP296\A0030744.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP297\A0030801.dll -> Spyware.SpywareNo : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP297\A0030803.exe -> Spyware.SpywareNo : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP297\A0030817.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP297\A0030841.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030913.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030923.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030934.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030935.exe -> TrojanDropper.Delf.z : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030936.dll -> Spyware.BargainBuddy : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030938.exe -> Spyware.AproposMedia : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030940.exe -> TrojanDownloader.IstBar : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030948.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031030.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031046.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031047.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031048.dll -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031049.exe -> Trojan.Imiserv.c : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031050.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031051.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP303\A0032043.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032055.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032057.exe -> Spyware.AproposMedia : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032059.exe -> TrojanDownloader.IstBar : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032065.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\WINDOWS\aahorpu5.exe -> Adware.SAHA : Cleaned with backup
   C:\WINDOWS\BTGrab.dll -> Spyware.BiSpy : Cleaned with backup
   C:\WINDOWS\dlmax.dll -> Spyware.DlMax : Cleaned with backup
   C:\WINDOWS\fjxlrv.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\systb.dll_tobedeleted -> Spyware.ImiBar : Cleaned with backup
   C:\WINDOWS\systb.exe -> Trojan.Imiserv.c : Cleaned with backup
   C:\WINDOWS\SYSTEM32\dun.exe -> Spyware.DealHelper : Cleaned with backup
   C:\WINDOWS\SYSTEM32\h32gres.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
   C:\WINDOWS\SYSTEM32\HookPopup.dll -> Spyware.DealHelper : Cleaned with backup
   C:\WINDOWS\SYSTEM32\hpdsp.exe -> Spyware.Apropos : Cleaned with backup
   C:\WINDOWS\SYSTEM32\iagivf.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\WINDOWS\SYSTEM32\Lbjpmf.exe -> Trojan.Popmon.a : Cleaned with backup
   C:\WINDOWS\SYSTEM32\mscb.dll -> Spyware.BargainBuddy : Cleaned with backup
   C:\WINDOWS\SYSTEM32\o0aqh3q5.exe -> Adware.SAHA : Cleaned with backup
   C:\WINDOWS\SYSTEM32\randreco.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\SYSTEM32\sum6ohdg.exe -> Adware.SAHA : Cleaned with backup
   C:\WINDOWS\SYSTEM32\tt_reco.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\SYSTEM32\vs94sgfd.dll -> Adware.SAHA : Cleaned with backup
   C:\WINDOWS\SYSTEM32\Wvpxxt.exe -> Spyware.DealHelper : Cleaned with backup
   C:\WINDOWS\SYSTEM32\Xrrzxw.exe -> Trojan.Popmon.a : Cleaned with backup
   C:\WINDOWS\SYSTEM32\Zkohcr.exe -> Trojan.Popmon.a : Cleaned with backup
   C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
   C:\WINDOWS\twaintec.dll -> Spyware.BiSpy : Cleaned with backup
   C:\WINDOWS\wsem303.dll -> TrojanDownloader.Dyfuca.dt : Cleaned with backup
   C:\WINDOWS\xrfjinatsuq.exe -> Adware.BetterInternet : Cleaned with backup


::Report End


Incident                      Status                        Location

Adware:Adware/Transponder     No disinfected                c:\windows\system32\dxlsbil.exe
Spyware:Spyware/ISTbar        No disinfected                C:\Program Files\Daily Weather Forecast\weather.exe
Adware:adware/aurora          No disinfected                C:\WINDOWS\system32\DrPMon.dll
Adware:adware/cws             No disinfected                C:\DOCUMENTS AND SETTINGS\SLICK WILLY\FAVORITES\LIVING\Find a Degree.lnk
Adware:adware/apropos         No disinfected                C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
Adware:adware/aurora          No disinfected                C:\WINDOWS\SYSTEM32\DrPMon.dll
Adware:adware/sqwire          No disinfected                C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/transponder     No disinfected                C:\WINDOWS\INF\dlmax.inf
Adware:adware/ipinsight       No disinfected                C:\WINDOWS\alchem.ini
Adware:adware/ncase           No disinfected                C:\WINDOWS\msbb.log
Adware:adware/twain-tech      No disinfected                C:\WINDOWS\twaintec.ini
Spyware:spyware/istbar        No disinfected                C:\PROGRAM FILES\Daily Weather Forecast
Adware:adware/dealhelper      No disinfected                C:\WINDOWS\SYSTEM32\DealHelper
Adware:adware/sahagent        No disinfected                C:\WINDOWS\SYSTEM32\SahImages
Adware:adware/powerscan       No disinfected                Windows Registry
Dialer:dialer.bqw             No disinfected                HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Hacktool:Hacktool/Processor   No disinfected                C:\Documents and Settings\Slick Willy\Desktop\nailfix\Nailfix\Process.exe
Hacktool:Hacktool/Processor   No disinfected                C:\Documents and Settings\Slick Willy\Desktop\nailfix.zip[Process.exe]
Adware:Adware/Apropos         No disinfected                C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Sqwire          No disinfected                C:\Program Files\Common Files\uzfz\uzfzd\uzfzc.dll
Spyware:Spyware/ISTbar        No disinfected                C:\Program Files\Daily Weather Forecast\weather.exe
Adware:Adware/MBKWBar         No disinfected                C:\Program Files\MBKWBar\MBKWBar.exe
Virus:Eicar.Mod               No disinfected                C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]
Adware:Adware/Transponder     No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029737.exe
Spyware:Spyware/ISTbar        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0030004.exe
Adware:Adware/Apropos         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP284\A0030313.dll
Adware:Adware/SpywareNo       No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP297\A0030802.dll
Adware:Adware/IPInsight       No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030931.inf
Adware:Adware/Twain-Tech      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030933.inf
Adware:Adware/SpySheriff      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031042.exe
Adware:Adware/SAHAgent        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032073.exe
Adware:Adware/SideFind        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032074.exe
Adware:Adware/SideFind        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032075.exe
Adware:Adware/SideFind        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032077.exe                                                                                                                                                                  
Adware:Adware/SAHAgent        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032078.exe                                                                                                                                                                  
Adware:Adware/BTGrab          No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032079.dll                                                                                                                                                                  
Adware:Adware/Transponder     No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032080.dll                                                                                                                                                                  
Adware:Adware/DealHelper      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032083.exe                                                                                                                                                                  
Adware:Adware/DealHelper      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032084.dll                                                                                                                                                                  
Spyware:Spyware/BargainBuddy  No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032085.dll                                                                                                                                                                  
Spyware:Spyware/BetterInet    No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032086.exe                                                                                                                                                                  
Adware:Adware/SAHAgent        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032087.exe                                                                                                                                                                  
Spyware:Spyware/BetterInet    No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032088.exe                                                                                                                                                                  
Adware:Adware/DealHelper      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032089.exe                                                                                                                                                                  
Adware:Adware/DealHelper      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032090.exe                                                                                                                                                                  
Adware:Adware/DealHelper      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032091.exe                                                                                                                                                                  
Adware:Adware/Twain-Tech      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032093.dll                                                                                                                                                                  
Spyware:Spyware/Dyfuca        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032094.dll                                                                                                                                                                  
Adware:Adware/SAHAgent        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032097.dll                                                                                                                                                                  
Adware:Adware/DealHelper      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032098.exe                                                                                                                                                                  
Adware:Adware/SideFind        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032099.exe                                                                                                                                                                  
Virus:Trj/Downloader.DZI      Disinfected                   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032100.exe                                                                                                                                                                  
Adware:Adware/Apropos         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032101.exe                                                                                                                                                                  
Adware:Adware/Transponder     No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP309\A0032106.exe                                                                                                                                                                  
Adware:Adware/BTGrab          No disinfected                C:\WINDOWS\INF\btgrab.inf                                                                                                                                                                                                                                      
Adware:Adware/Transponder     No disinfected                C:\WINDOWS\INF\dlmax.inf

Offline guestolo

Need Help with SpySheriff
« Reply #4 on: August 14, 2005, 09:34:14 AM »
That didn't get it
I need you to Disable SpySweeper and leave it disabled until we have you clean
Open it, click >Options over to the left, then >program options >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

Then do the following
Check for updates with Ewido
If any let it download them and then close it for now, we'll scan later

==Download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Please Save these instructions to a Notepad file on the desktop for reference
Disconnect from the Internet

Run Pocket KillBox.exe

In the killbox program, select the Delete on Reboot option.
Copy the file names below to the clipboard by highlighting them and pressing
Control + C

Killbox files to highlight between dotted lines
===================================================
C:\WINDOWS\system32\vs94sgfd.dll
C:\WINDOWS\yjehlje.exe
c:\windows\system32\dxlsbil.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\WINDOWS\system32\DrPMon.dll
C:\DOCUMENTS AND SETTINGS\SLICK WILLY\FAVORITES\LIVING\Find a Degree.lnk
C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\INF\dlmax.inf
C:\WINDOWS\alchem.ini
C:\WINDOWS\msbb.log
C:\WINDOWS\twaintec.ini
C:\Program Files\Aprps\ProxyStub.dll
C:\Program Files\Common Files\uzfz\uzfzd\uzfzc.dll
C:\Program Files\MBKWBar\MBKWBar.exe
C:\WINDOWS\Nail.exe


===================================================
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer doesn't restart
Please Restart it now manually into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads, or use the link
I supplied for a more detailed explanation

In safe mode
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

Open Hijackthis>>Open misc tools section>>Open "Delete an NT service"
Copy and paste, or type the following in bold to the open box and hit OK
SvcProc
Don't restart yet

Instead
Double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Find and delete the following files or folders if they exist
Files
C:\WINDOWS\Nail.exe <-file
C:\WINDOWS\svcproc.exe <-file

Folders
C:\Program Files\Common Files\uzfz <-folder
C:\Program Files\ISTsvc
C:\Program Files\Aprps
C:\Program Files\MBKWBar
C:\Program Files\Daily Weather Forecast
C:\WINDOWS\SYSTEM32\DealHelper
C:\WINDOWS\SYSTEM32\SahImages

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off or Restart when scan is done.

==Open Ewido trojan scanner
Click on the Scanner button on the left menu
Click on the Settings button on the right
Select "Scan Every File"
OK it and then click on the "Complete System Scan"
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
  *1. Perform Action = Remove
  *2. Create Encrypted Backup in Quarantine (Recommended)
  *3. Perform action with all infections
  Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido

NOTE: When Ewido is running do NOT open any other Windows
Let it do its job

Do another scan with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode

Back in Windows
Please run another scan at Panda's and show the report when it's done
Also post a fresh hijackthis log and the new log from Ewidos

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
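The HijackThis entries guestolo singles out in the post above (the F2 shell override that chains Nail.exe after Explorer.exe, the O4 Run entry for weather.exe, and the O23 service with an unknown owner), together with the websearch.drsnsrch.com search-page hijack visible in the posted logs, can be picked out of a HijackThis log mechanically. The script below is an added example, not part of the thread and not HijackThis's own code: it parses a constructed sample in HJT 1.99 log format and reports lines matching four triage rules. The indicator sets KNOWN_BAD_HOSTS and KNOWN_BAD_FILES are assumptions built only from entries seen in this thread, and the output is a shortlist for a human helper to confirm, not an automatic fix list.

```python
"""Triage a HijackThis 1.99 log for the entry types flagged in this thread:
F2 shell overrides, O4 Run entries launching known-bad files, O23 services
with an unknown owner, and R0/R1 search or start-page values pointing at a
known hijacker host.  Added example, not part of the thread; sample lines
and indicator lists are constructed from patterns in the posted logs."""
import re
from urllib.parse import urlsplit

# Indicators taken from the entries the helper told the poster to fix.
# Constructed for the example; real triage would use a fuller indicator feed.
KNOWN_BAD_HOSTS = {"websearch.drsnsrch.com"}
KNOWN_BAD_FILES = {"weather.exe", "nail.exe", "svcproc.exe"}

# Constructed sample in HijackThis log format, mixing benign and bad entries.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# "O23 - Service: ..." -> type "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Last path component ending in .exe, followed by a quote, whitespace or EOL.
EXE_RE = re.compile(r'([^\\/"]+\.exe)(?="|\s|$)', re.IGNORECASE)


def host_of(value):
    """Hostname of a registry URL value; HJT prints some without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower()


def check_entry(entry_type, body):
    """Return a reason string if the entry matches a triage rule, else None."""
    if entry_type == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "shell override: extra program chained after Explorer.exe"
    elif entry_type in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip()
        if host_of(value) in KNOWN_BAD_HOSTS:
            return "browser setting points at known hijacker host"
    elif entry_type == "O4":
        m = EXE_RE.search(body)
        if m and m.group(1).lower() in KNOWN_BAD_FILES:
            return "autorun launches a known-bad file"
    elif entry_type == "O23" and "- Unknown owner -" in body:
        return "service with unknown owner"
    return None


def triage(log_text):
    """Return [(entry_type, reason, original_line), ...] for flagged lines."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blanks
        reason = check_entry(m.group("type"), m.group("body"))
        if reason:
            findings.append((m.group("type"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for entry_type, reason, line in triage(SAMPLE_LOG):
        print(f"[{entry_type}] {reason}\n    {line}")
```

The F2 rule is the one worth internalising: the value of Shell= should be exactly Explorer.exe, so any second program on that line runs at every logon regardless of what the Run keys say, which is why the helper deletes Nail.exe and the SvcProc service before the O4 entries are touched.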


Guest_Optikal33_*

Need Help with SpySheriff
« Reply #5 on: August 14, 2005, 04:02:23 PM »
Logfile of HijackThis v1.99.1
Scan saved at 2:21:34 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Slick Willy\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn1\ycomp5_3_12_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures01.aim.com/ygp/aol/plugin/u...AIM.9.5.1.6.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = EDDIE
O17 - HKLM\Software\..\Telephony: DomainName = EDDIE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = EDDIE
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = EDDIE
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         2:20:19 PM, 8/14/2005
 + Report-Checksum:      3438894D

 + Scan result:

   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032197.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032205.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032212.exe -> Adware.BetterInternet : Cleaned with backup
   C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032219.exe -> Adware.BetterInternet : Cleaned with backup
   C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
   C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
   C:\WINDOWS\SYSTEM32\axlbtf.exe -> Trojan.Agent.cp : Cleaned with backup
   C:\WINDOWS\xrfjinatsuq.exe -> Adware.BetterInternet : Cleaned with backup


::Report End

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Adware:adware/cws             No disinfected                C:\DOCUMENTS AND SETTINGS\SLICK WILLY\FAVORITES\LIVING\Find a Degree.lnk                                                                                                                                                                                        
Adware:adware/apropos         No disinfected                C:\WINDOWS\SYSTEM32\auto_update_uninstall.log                                                                                                                                                                                                                  
Adware:adware/ncase           No disinfected                C:\WINDOWS\msbbau.dat                                                                                                                                                                                                                                          
Adware:adware/powerscan       No disinfected                Windows Registry                                                                                                                                                                                                                                                
Dialer:dialer.bqw             No disinfected                HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC                                                                                                                                                                                                
Spyware:spyware/shopnav       No disinfected                Windows Registry                                                                                                                                                                                                                                                
Hacktool:Hacktool/Processor   No disinfected                C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe                                                                                                                                                                                                
Hacktool:Hacktool/Processor   No disinfected                C:\Documents and Settings\Slick Willy\Desktop\nailfix\Nailfix\Process.exe                                                                                                                                                                                      
Hacktool:Hacktool/Processor   No disinfected                C:\Documents and Settings\Slick Willy\Desktop\nailfix.zip[Process.exe]                                                                                                                                                                                          
Virus:Eicar.Mod               No disinfected                C:\Program Files\PestPatrol\Help.chm[HowCanITestDetection.html]                                                                                                                                                                                                
Adware:Adware/Transponder     No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP261\A0029737.exe                                                                                                                                                                  
Spyware:Spyware/ISTbar        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP263\A0030004.exe                                                                                                                                                                  
Adware:Adware/Apropos         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP284\A0030313.dll                                                                                                                                                                  
Adware:Adware/SpywareNo       No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP297\A0030802.dll                                                                                                                                                                  
Adware:Adware/IPInsight       No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030931.inf                                                                                                                                                                  
Adware:Adware/Twain-Tech      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP300\A0030933.inf                                                                                                                                                                  
Adware:Adware/SpySheriff      No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP302\A0031042.exe                                                                                                                                                                  
Spyware:Spyware/ISTbar        No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032151.exe
Adware:Adware/Transponder     No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032154.inf
Adware:Adware/Apropos         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032157.dll
Adware:Adware/Sqwire          No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032158.dll
Adware:Adware/MBKWBar         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032159.exe
Adware:Adware/EnhSrch         No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032222.dll
Adware:Adware/Transponder     No disinfected                C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP311\A0032224.exe
Adware:Adware/BTGrab          No disinfected                C:\WINDOWS\INF\btgrab.inf
Hacktool:Hacktool/Processor   No disinfected                E:\nailfix.zip[Process.exe]
[/color]

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Need Help with SpySheriff
« Reply #6 on: August 14, 2005, 04:44:54 PM »
Can you do the following:
If Pest Patrol has Spyware Realtime protection enabled, please disable it.

Find and delete this folder
C:\DOCUMENTS AND SETTINGS\SLICK WILLY\FAVORITES\LIVING <-folder

Open the DSRFix folder you extracted to desktop earlier
Double click on dsrfix.bat
It will open and close on its own when it's done


Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)

O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Run Killbox.exe
Place the following complete paths in bold, one at a time, into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot" and click the red button with the white X after each.
It will ask you if you want to reboot each time you click it; answer NO until after you've pasted the last file name, at which time you should answer Yes.
If your computer does not restart automatically, please restart it manually.
============================
C:\WINDOWS\SYSTEM32\auto_update_uninstall.log
C:\WINDOWS\msbbau.dat
C:\WINDOWS\INF\btgrab.inf

============================

Please make sure you restart back to Normal mode

After you have booted back to Normal mode
Then run another scan with Hijackthis and post a fresh log
« Last Edit: August 14, 2005, 04:47:09 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
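As an added example (not from this thread, HijackThis, or any tool named here), a small Python triage script that parses HijackThis entries like the ones quoted above and flags the hijack patterns the post fixes: IE search keys pointing at the thread's drsnsrch.com host, a Winlogon Shell value that runs anything beyond Explorer.exe, a BHO whose file is missing, and Run entries launching from the Windows root. The hijack-host set, the Windows-root heuristic and the benign SynTPEnh line are assumptions constructed for the sample.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the HijackThis entries quoted in the thread, plus one
# benign O4 line (SynTPEnh, a Synaptics touchpad helper) added for contrast.
SAMPLE_HJT_LINES = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
"""

# Search-hijack hosts seen in this thread's log (assumed list; extend it).
HIJACK_HOSTS = {"websearch.drsnsrch.com"}
# Heuristic: binaries loading straight out of the %WINDIR% root (Nail.exe,
# dinst.exe, dsr.dll in this thread) are unusual for legitimate software.
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)\b", re.IGNORECASE)


def url_host(value):
    """Host part of a URL; the R1 SearchURL entry is written without a scheme."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def triage_line(line):
    """Return a reason string if the HJT entry looks like a hijack, else None."""
    kind, _, rest = line.strip().partition(" - ")
    if kind in ("R0", "R1") and " = " in rest:
        host = url_host(rest.split(" = ", 1)[1])
        if host in HIJACK_HOSTS:
            return f"IE search setting points at hijack host {host}"
    elif kind == "F2" and "Shell=" in rest:
        # The Winlogon Shell must be exactly Explorer.exe; extra tokens run too.
        shell = rest.split("Shell=", 1)[1].split()
        if [s.lower() for s in shell] != ["explorer.exe"]:
            return f"Shell value runs extra executable(s): {' '.join(shell[1:])}"
    elif kind == "O2" and "(file missing)" in rest:
        return "BHO registered for a missing file (orphaned hijacker component)"
    elif kind == "O4":
        command = rest.split("] ", 1)[1] if "] " in rest else ""
        if WINDIR_ROOT.match(command):
            return f"autorun entry launches {command} from the Windows root"
    return None


def triage(log_text):
    """Return [(entry, reason)] for every suspicious line in a HijackThis log."""
    return [(l.strip(), r) for l in log_text.splitlines()
            if l.strip() and (r := triage_line(l))]
```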


Offline spy_war

  • Newbie
  • Posts: 8
  • Karma: +0/-0
Need Help with SpySheriff
« Reply #7 on: August 15, 2005, 05:01:10 PM »
Heard that the dinst.exe file is related to Aurora spyware. Really nasty thing, Aurora is. Spent half a day to remove it!

Guest

  • Guest
Need Help with SpySheriff
« Reply #8 on: August 22, 2005, 09:48:00 AM »
Try these instructions on how to manually remove Spy Sheriff.

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Need Help with SpySheriff
« Reply #9 on: August 28, 2005, 10:54:47 AM »
Since the original poster has not returned, I'll lock this topic.
If you need it reopened, please PM myself or the site Admin and supply a link to this thread.
