Author Topic: Wallpaper hijacked (Read 1875 times)

ajteg · « **on:** January 02, 2006, 10:51:30 PM »

My wallpaper has been hijacked....it says something about a spyware infection (blue screen with a black box in the middle)

I ran a spyware remover and got rid of everything but i still cant get change my background?

here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:45 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\DOCUME~1\Aaron\LOCALS~1\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LOPTCON] Kargo.exe
O4 - HKLM\..\Run: [srbho] utsgmon.exe
O4 - HKLM\..\Run: [zxc] driver64.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SysSupport] prcmon.exe
O4 - HKCU\..\Run: [SysEntry] xwiz.exe
O4 - HKCU\..\Run: [MONITER] progmen.exe
O4 - HKCU\..\Run: [SetupExeDll] Testimonials.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Documents and Settings\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Documents and Settings\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{443D0FCF-A176-4F79-8805-D71914BAFC3A}: NameServer = 85.255.116.73,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DAF0E8C-5F63-43FC-A0CC-7BEA2637FAD9}: NameServer = 85.255.116.73,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{55CD903F-54B0-4D27-87C3-54DD130201B1}: NameServer = 85.255.116.73,85.255.112.221
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

what now???

guestolo · « **Reply #1 on:** January 02, 2006, 11:10:45 PM »

Welcome ajteg
Can you do the following please

Redownload Hijackthis from my signature below
Save it too a permanent folder on your harddrive
ONLY run hijackthis from this new location

Can you make sure that Norton's script blocking is disabled
It will interfere with the fixes we are about to do

Code: [Select]

To disable Norton AntiVirus Script Blocking

   1. Start Norton AntiVirus.
	  If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
   2. Click Options.
	  If you see a menu, click Norton AntiVirus.
   3. In the left pane, click Script Blocking.
   4. In the right pane, uncheck Enable Script Blocking (recommended).
   5. Click OK.

After that is done
Print out the rest of these instructions
In the event you don't have a printer, Save the rest of these instructions to a Notepad file saved to your desktop

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch.
Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [LOPTCON] Kargo.exe
O4 - HKLM\..\Run: [srbho] utsgmon.exe
O4 - HKLM\..\Run: [zxc] driver64.exe

O4 - HKCU\..\Run: [SysSupport] prcmon.exe
O4 - HKCU\..\Run: [SysEntry] xwiz.exe
O4 - HKCU\..\Run: [MONITER] progmen.exe
O4 - HKCU\..\Run: [SetupExeDll] Testimonials.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O17 - HKLM\System\CCS\Services\Tcpip\..\{443D0FCF-A176-4F79-8805-D71914BAFC3A}: NameServer = 85.255.116.73,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DAF0E8C-5F63-43FC-A0CC-7BEA2637FAD9}: NameServer = 85.255.116.73,85.255.112.221
O17 - HKLM\System\CCS\Services\Tcpip\..\{55CD903F-54B0-4D27-87C3-54DD130201B1}: NameServer = 85.255.116.73,85.255.112.221

After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer again

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
We'll still have some more work to do!

Can you let me know what Spyware Cleaner you ran please

NOTE: If you have problems with your Internet connection after running the fix
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.

ajteg · « **Reply #2 on:** January 02, 2006, 11:37:02 PM »

here is the C:\fixwareout\report

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\jydmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSDDU.EXE
C:\WINDOWS\SYSTEM32\CSIOK.EXE
C:\WINDOWS\SYSTEM32\DMDYJ.EXE
C:\WINDOWS\SYSTEM32\DMUNE.EXE
C:\WINDOWS\SYSTEM32\DMZBS.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

and here is the hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:36 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dmxtz.exe] C:\WINDOWS\system32\dmxtz.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Documents and Settings\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Documents and Settings\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

I ran spyware vanisher.

guestolo · « **Reply #3 on:** January 03, 2006, 12:03:27 AM »

Spyware Vanisher is bogus
If you still have it installed and didn't get convinced to pay for it
Remove it now please
Reboot if prompted

Let's get some better tools on your computer that will do a better job

==Download and Install
Windows Cleanup! 4.0
Don't run this yet,

Download SmitRem.exe by Noahdfear and save the file to your desktop.
DO NOT run it yet

Download and then Install
Ewido anti-malware 3.5

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".

From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/

If you don't have the latest version of Ad-Aware
Download and Install Ad-Aware SE Personal 1.06
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
==In the event you already have Ad-aware, check for updates now please

Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode

Do a "System scan only" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [dmxtz.exe] C:\WINDOWS\system32\dmxtz.exe

After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu

=Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer

==Double click on SmitRem.exe to extract it to it's own folder on the desktop.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish. Remain in safe mode

==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished it's scan click the "Save Report" button
Save the report to desktop
Exit Ewido

Open Ad-Aware
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and and choose the "Select All" Objects option or individually put a checkmark in each objects checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

Reboot back to Normal mode
Can you post back the following please

1. Post back a fresh hijackthis log
2. Post the whole contents of the Ewido report
3. Post the Whole log made from SmitRem located here C:\Smitfiles.txt

NOTE: Don't run a scan with Norton's or any others until I have a chance to see these logs please

ajteg · « **Reply #4 on:** January 03, 2006, 11:32:05 AM »

hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 11:29:24 AM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKENW\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Documents and Settings\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Documents and Settings\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Ewido Report:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:         2:10:14 AM, 1/3/2006
+ Report-Checksum:      862F949

+ Scan result:

   HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
   HKLM\SOFTWARE\Classes\CLSID\{38BCC2CD-AF0A-EC41-D4CB-035F1C7378C9} -> Spyware.CoolWebSearch : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} -> Spyware.TOPicks : Cleaned with backup
   HKLM\SOFTWARE\Classes\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} -> Spyware.P2PNetworking : Cleaned with backup
   HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
   HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00D6A7E7-4A97-456F-848A-3B75BF7554D7} -> Spyware.KeenValue : Cleaned with backup
   HKU\S-1-5-21-169608750-3286794410-2299174567-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
   HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00D6A7E7-4A97-456F-848A-3B75BF7554D7} -> Spyware.KeenValue : Cleaned with backup
   C:\Documents and Settings\Aaron\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
   C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
   C:\Program Files\MediaLoads\v1\ML.exe -> Spyware.DownloadWare : Cleaned with backup
   C:\Program Files\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
   C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Downloader.Small.Lb : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP562\A0083922.EXE -> Spyware.MyWay : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP562\A0083923.DLL -> Spyware.MyWay : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0084077.dll -> Spyware.SBSoft : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0084911.DLL -> Spyware.MyWay : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0084912.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0084917.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0084918.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0085911.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0085918.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0085919.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0085929.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0085936.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP563\A0085937.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085954.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085961.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085963.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085972.DLL -> Spyware.P2PNetworking : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085973.exe -> Spyware.P2PNetworking : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085975.exe -> Downloader.Zlob.cj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085980.dll -> Not-A-Virus.Downloader.Win32.Spax.a : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085981.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085988.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085989.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085995.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0085999.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086003.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086011.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086016.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086018.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086035.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086042.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086044.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086049.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086057.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086058.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086063.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086070.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086071.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086075.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086082.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP564\A0086083.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086098.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086100.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086108.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086113.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086115.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086122.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086128.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP565\A0086130.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP566\A0086151.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP566\A0086154.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP567\A0086233.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP567\A0086237.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP567\A0086241.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP567\A0086247.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP567\A0086253.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP567\A0086255.exe -> Trojan.DNSChanger.R : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP568\A0086282.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP568\A0086290.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP568\A0086296.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP568\A0086301.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP568\A0086307.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086313.exe -> Downloader.Agent.sy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086318.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086324.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086326.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086332.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086340.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086346.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086354.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP569\A0086360.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP570\A0086375.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP570\A0086381.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP570\A0086389.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP570\A0086395.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP572\A0086438.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP572\A0086446.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP573\A0086460.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP573\A0086463.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP573\A0086475.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP573\A0086480.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP573\A0086497.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP573\A0086501.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP574\A0086508.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP574\A0087495.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP574\A0087501.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP574\A0087509.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP574\A0087515.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087525.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087538.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087542.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087549.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087556.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087572.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP575\A0087579.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP576\A0087623.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP576\A0087629.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP577\A0087645.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP577\A0087651.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0088645.exe -> Downloader.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089651.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089662.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089674.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089685.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089689.exe -> Trojan.Favadd.an : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089690.exe -> Hijacker.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089691.exe -> Trojan.Qhost.df : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089692.exe -> Hijacker.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089693.exe -> Spyware.Msnagent : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089694.exe -> Spyware.FindSpy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089698.exe -> Downloader.Small.buy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089699.exe -> Downloader.Small.buy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089700.exe -> Downloader.Small.buy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089701.exe -> Downloader.Agent.sy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP578\A0089724.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP579\A0089734.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP580\A0089743.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP580\A0089755.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP581\A0089769.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0089779.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP582\A0089802.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0089817.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP583\A0090817.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090823.exe -> Downloader.Agent.sy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090824.dll -> Spyware.SBSoft : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090825.exe -> Hijacker.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090826.exe -> Trojan.Dialer.ay : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090837.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090843.exe -> Adware.SpySheriff : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090845.dll -> Adware.SpySheriff : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090846.dll -> Spyware.SpywareNo : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090848.dll -> Adware.SpySheriff : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090861.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090874.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090886.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090895.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP584\A0090903.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP585\A0090939.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0090962.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0090978.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0091002.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0091010.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0091328.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586\A0091340.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0091354.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0092340.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0092352.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0092361.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093363.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093384.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093390.exe -> Downloader.Small.byj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093393.exe -> Hijacker.Small : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093394.exe -> Trojan.Qhost.df : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093395.exe -> Spyware.Msnagent : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093396.exe -> Spyware.FindSpy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093400.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093401.exe -> Downloader.Small.awa : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093402.exe -> Downloader.Agent.sy : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093461.exe -> Adware.Spyaxe : Cleaned with backup
   C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP587\A0093463.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
   C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> Downloader.WebP2PInstaller : Cleaned with backup
   C:\WINDOWS\QWFyb24\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
   C:\WINDOWS\QWFyb24\command.exe -> Adware.CommAd : Cleaned with backup
   C:\WINDOWS\SYSTEM32\csddu.exe -> Downloader.Small : Cleaned with backup
   C:\WINDOWS\SYSTEM32\dmune.exe -> Downloader.Small.byj : Cleaned with backup
   C:\WINDOWS\SYSTEM32\dmxtz.exe -> Downloader.Small.byj : Cleaned with backup
   C:\WINDOWS\SYSTEM32\dmzbs.exe -> Downloader.Small.byj : Cleaned with backup
   C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
   C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup

::Report End

SmitRem log:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 01/03/2006
The current time is: 0:32:29.26

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SpyAxeFix © by noahdfear

spyaxe directory present

spyaxe uninstaller present

Starting spyaxe uninstaller

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

SpyAxe

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

1024 dir
ncompat.tlb

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 752 'explorer.exe'
Killing PID 752 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

SpyAxe

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

guestolo · « **Reply #5 on:** January 03, 2006, 11:22:10 PM »

There may still be bad guys on your computer

Can you delete this folder if found
C:\Program Files\SpyAxe <-folder

From my signature below
Use Internet Explorer
==From my signature below, use Internet Explorer and run an Online Virus scan at Panda's
It's safe to supply them with an email address and additional info needed
When it's loaded
Choose to scan "Local Disks"
When the scan is done, if anything is found
Click the See Report
Save this report to your desktop

and then post the finding back here please

ajteg · « **Reply #6 on:** January 04, 2006, 07:06:19 AM »

Incident Status Location

Virus:Exploit/iFrame Not disinfected C:\Documents and Settings\Aaron\Local Settings\Application Data\Microsoft\MSN\db\Mail (integara01Email Removed)\stm0xe000017.000
Virus:Exploit/iFrame Not disinfected C:\Documents and Settings\Aaron\Local Settings\Application Data\Microsoft\MSN\db\Mail (integara01Email Removed)\stm0xe000017.000[~0000001.~]
Adware:Adware/SaveNow Not disinfected C:\Program Files\SaveNow\Uninst.exe
Adware:adware/keenvalue Not disinfected C:\WINDOWS\browserxtras\pn\remove.exe
Adware:Adware/Transponder Not disinfected C:\WINDOWS\INF\polmx2.inf
Adware:adware/ieplugin Not disinfected C:\WINDOWS\kwv2.dat
Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\csiok.exe

guestolo · « **Reply #7 on:** January 05, 2006, 01:38:14 AM »

Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Find and delete the following files or folders

C:\Program Files\SaveNow <-folder
C:\WINDOWS\browserxtras <-folder
C:\WINDOWS\INF\polmx2.inf <-file
C:\WINDOWS\kwv2.dat <-file
C:\WINDOWS\SYSTEM32\csiok.exe <-file

The forum doesn't allow posting email addresses, this also effects any logs posted
Delete the following files too, you will have to replace integara01Email Removed
with your proper email address
C:\Documents and Settings\Aaron\Local Settings\Application Data\Microsoft\MSN\db\Mail (integara01Email Removed)\stm0xe000017.000
Virus:Exploit/iFrame Not disinfected C:\Documents and Settings\Aaron\Local Settings\Application Data\Microsoft\MSN\db\Mail (integara01Email Removed)\stm0xe000017.000[~0000001.~]

Post back and let and let me know how things are running
We have to do some final cleanup!

ajteg · « **Reply #8 on:** January 05, 2006, 03:57:38 PM »

my computer seems to be running great! I cant tell you how much i appreciate all of this!

guestolo · « **Reply #9 on:** January 06, 2006, 11:36:53 PM »

You can go back and hide hidden files and folders now that everything is back to normal
Also, reenable Script blocking in Norton's if you disabled it earlier

If everything is running better, please do the following
You should disable system restore>>Reboot your computer>>and then reenable it
This will clear all your restore points and ensure you don't restore any nasties
How to Disable and Re-enable System Restore feature
Make sure you reenable system restore feature

Afterwards, For added protections
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

Another great tool to use on a regular basis
Spybot 1.4 can be downloaded from
HERE
or HERE

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check, and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunzine at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected promblems in RED

If anything is found and fixed in RED, be sure to reboot the computer afterwards
Do the above after every update

TheTechGuide Forum

News:

Author Topic: Wallpaper hijacked (Read 1875 times)

ajteg

Wallpaper hijacked

guestolo

Wallpaper hijacked

ajteg

Wallpaper hijacked

guestolo

Wallpaper hijacked

ajteg

Wallpaper hijacked

guestolo

Wallpaper hijacked

ajteg

Wallpaper hijacked

guestolo

Wallpaper hijacked

ajteg

Wallpaper hijacked

guestolo

Wallpaper hijacked