
another victim of cool web search.....i think


dylan


hello,

this is the first time i have had difficulty removing bad stuff but i have exhausted all of my leads in fixing my computer. i think things started going badly a couple weeks ago when my wife inadvertently installed cool web search along with one or two other toolbars. any way when i am browsing the internet i get popups. my computer is also running painfully slow. any help would be greatly appreciated.

here is a copy of my HijackThis log. thank you in advance for any suggestions.

Logfile of HijackThis v1.99.1

Scan saved at 11:06:34 PM, on 11/27/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\ewido\security suite\ewidoguard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

C:\WINDOWS\System32\ICO.EXE

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\KS\KS.exe

C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\WATCH Imaging\Desktop\use to fix computer in safemode\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [MSRegScan] C:\Program Files\KS\KS

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PC Health.lnk = C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download with &Etomi - res://C:\Program Files\Etomi\Plugins\RazaWebHook.dll/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe

O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: Aces Up! by pogo -

O16 - DPF: Buckaroo Blackjack TM by pogo -

O16 - DPF: Checkers by pogo -

O16 - DPF: Cribbage by pogo -

O16 - DPF: Dice Derby by pogo -

O16 - DPF: Double Deuce Poker by pogo -

O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.46/supe...o-ob-assets.cab

O16 - DPF: High Stakes Pool by pogo -

O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.4.0.34/jigs...w-ob-assets.cab

O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.0.34/mahj...g-ob-assets.cab

O16 - DPF: Multiline Slots by pogo -

O16 - DPF: Payday FreeCell by pogo -

O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.41/peng...s-ob-assets.cab

O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.37/wate...l-ob-assets.cab

O16 - DPF: Spider Solitaire by pogo -

O16 - DPF: Texas Hold'em Poker by pogo -

O16 - DPF: Tumble Bees by pogo -

O16 - DPF: Video Poker by pogo -

O16 - DPF: Word Whomp Whackdown by pogo -

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -

O20 - AppInit_DLLs: MARX_DEV.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


First of all, you will need to print out this post and/or save a copy as a text file in Notepad, so that you have a hard copy of these instructions; you cannot have IE/Firefox/any browser open during the fix.

Next, please enable viewing of hidden files as follows:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked

First I'd like to check on this file, just to be sure that it's not malicious.

  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    C:\Program Files\KS\KS.exe
  • Click on the submit button
  • Please post the results in your next reply.

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

Run an Ewido scan in safe mode. <<---- this assumes your version of Ewido is still functional..if not just skip to next section

Reboot back to Normal mode

Please run this online virus scan: ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
    - Select either Home User or Company
  • Click the big Scan Now button
  • If/when you get a notice that Panda wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on Local Disks to start the scan
  • When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop.

If for any reason you already have the l2mfix folder and/or exe file; delete what you have and re-download then install since it is constantly updated.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe

http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. It also puts a copy in the l2mfix folder as report.txt. Copy the contents of that log and paste it in a reply this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive an error, similar to the following, while running option #1: ''C:\windows\system32\cmd.exe

C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."...then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do NOT run the fix portion without fixing this first.

Run HijackThis and get a fresh log. Please post

  • New HijackThis log
  • Result from Panda
  • Ewido log
  • the l2mfix report.txt
  • Result of Jotti Scan of ks.exe

in a reply to this thread.....it may take more than one post to get them all in


ok, sorry for delay, got caught up in work.

here are the reports that you asked for.

Logfile of HijackThis v1.99.1

Scan saved at 12:16:10 AM, on 11/30/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

C:\WINDOWS\System32\ICO.EXE

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\KS\KS.exe

C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\WATCH Imaging\Desktop\use to fix computer in safemode\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [MSRegScan] C:\Program Files\KS\KS

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PC Health.lnk = C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download with &Etomi - res://C:\Program Files\Etomi\Plugins\RazaWebHook.dll/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)

O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: Aces Up! by pogo -

O16 - DPF: Buckaroo Blackjack TM by pogo -

O16 - DPF: Checkers by pogo -

O16 - DPF: Cribbage by pogo -

O16 - DPF: Dice Derby by pogo -

O16 - DPF: Double Deuce Poker by pogo -

O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.46/supe...o-ob-assets.cab

O16 - DPF: High Stakes Pool by pogo -

O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.4.0.34/jigs...w-ob-assets.cab

O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.0.34/mahj...g-ob-assets.cab

O16 - DPF: Multiline Slots by pogo -

O16 - DPF: Payday FreeCell by pogo -

O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.41/peng...s-ob-assets.cab

O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.37/wate...l-ob-assets.cab

O16 - DPF: Spider Solitaire by pogo -

O16 - DPF: Texas Hold'em Poker by pogo -

O16 - DPF: Tumble Bees by pogo -

O16 - DPF: Video Poker by pogo -

O16 - DPF: Word Whomp Whackdown by pogo -

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -

O20 - AppInit_DLLs: MARX_DEV.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

results from Jotti. PS: this is a program that i paid for to log keystrokes and monitor internet activity while i am away from my computer.

POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

+ Created on: 9:00:21 PM, 11/28/2005

+ Report-Checksum: 84012FB3

+ Scan result:

:mozilla.10:C:\Documents and Settings\WATCH Imaging\Application Data\Mozilla\Firefox\Profiles\xroux68m.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup

:mozilla.11:C:\Documents and Settings\WATCH Imaging\Application Data\Mozilla\Firefox\Profiles\xroux68m.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@ehg-autozone.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@rccl.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\WATCH Imaging\Cookies\watch imaging@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup

::Report End

Incident Status Location

Virus:Trj/Mitglieder.BO Not disinfected Archive Folders\Deleted Items\Mail System Error - Returned Mail\54543.rar[dddd.exe]

Virus:Trj/Mitglieder.BO Not disinfected Archive Folders\Deleted Items\345556.rar[dddd.exe]

Virus:Trj/Mitglieder.BQ Not disinfected Archive Folders\Deleted Items\Mail System Error - Returned Mail\price2.zip[doc_02.exe]

Virus:Trj/Mitglieder.BQ Not disinfected Archive Folders\Deleted Items\price_new.zip[doc_02.exe]

Virus:W32/Bagle.BL.worm Not disinfected Archive Folders\Deleted Items\Registration is accepted\upd02.exe

Virus:JS/Illwill.A Not disinfected Archive Folders\price.zip[price.html]

Virus:W32/Bagle.AM.worm Not disinfected Archive Folders\price.zip[price.exe]

Virus:JS/Illwill.A Not disinfected Archive Folders\newprice.zip[price.html]

Virus:W32/Bagle.AM.worm Not disinfected Archive Folders\newprice.zip[price.exe]

Virus:JS/Illwill.A Not disinfected Archive Folders\price2.zip[price.html]

Virus:W32/Bagle.AM.worm Not disinfected Archive Folders\price2.zip[price.exe]

Virus:JS/Illwill.A Not disinfected Archive Folders\08_price.zip[price.html]

Virus:W32/Bagle.AM.worm Not disinfected Archive Folders\08_price.zip[price.exe]

Virus:Trj/Yacked.A Not disinfected C:\Documents and Settings\WATCH Imaging\Local Settings\Temp\services.exe

Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\dpusys.ini

Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll

i think these are all the logs you requested. thank you for taking the time to assist me with this problem.


Yeah re: KS-- figured it for a keylogger but there were other possibilities...As long as you know it's there and it's for YOUR use it's fine.

Can you give me any info on this entry: O20 - AppInit_DLLs: MARX_DEV.DLL? If it's not familiar to you, would you search for MARX_DEV.DLL and see what folder it's in, then right click the file>choose properties and post any pertinent info..Company name etc....I can find a few references to this DLL..But not in AppInit so it MAY be a "baddie".

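The helper above works through the log by hand, looking twice at a few entry classes: BHO/toolbar CLSIDs that resolve to "(no file)", Run values that launch a bare file name or a target with no extension, O16 DPF objects with no download URL, and anything loaded through AppInit_DLLs. As an added example (not code from this thread, from HijackThis, or from the forum's helpers), here is a small Python triage script that applies those same heuristics to log lines in this format. The heuristics and the wording of each flag are my own assumptions about what is worth a second look; the sample lines are copied from the first log posted in the thread.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags the entry classes a helper checks by hand: O2/O3 entries with no backing
file, O4 Run values that are bare names or lack an extension, O16 DPF objects
with no source URL, and O20 AppInit_DLLs entries. A flag is a prompt to verify
the file (publisher, location), not a verdict that it is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [MSRegScan] C:\Program Files\KS\KS
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab
O20 - AppInit_DLLs: MARX_DEV.DLL
"""


@dataclass
class Finding:
    code: str    # HijackThis section prefix, e.g. "O2"
    reason: str  # why a helper would look twice at this line (my wording)
    line: str    # the original log line


ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
# O4 lines look like: HKLM\..\Run: [Name] <program and arguments>
RUN_TARGET = re.compile(r"^.*\[[^\]]*\]\s*(.*)$")
# Program part of a Run value: either a quoted path, or everything up to the
# first executable-looking extension (HijackThis prints unquoted paths with spaces).
PROGRAM = re.compile(
    r'^(?:"([^"]+)"|(.*?\.(?:exe|com|bat|cmd|vbs|scr|dll)))(?=\s|$)', re.IGNORECASE
)


def _run_program(target: str) -> str:
    """Return the program part of an O4 Run value with its arguments stripped."""
    m = PROGRAM.match(target)
    if not m:
        return target  # no recognisable extension: treat the whole value as the program
    return m.group(1) or m.group(2)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the heuristics to one log line; None means nothing stood out."""
    line = line.strip()
    m = ENTRY.match(line)
    if not m:
        return None
    code, body = m.groups()
    body = body.strip()

    if code in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(code, "BHO/toolbar CLSID registered but its file is missing or hidden", line)

    if code == "O4":
        t = RUN_TARGET.match(body)
        if t:
            program = _run_program(t.group(1).strip())
            if "\\" not in program and ":" not in program:
                return Finding(code, "Run value is a bare file name resolved via the search path", line)
            if "." not in program.rsplit("\\", 1)[-1]:
                return Finding(code, "Run value has no file extension; confirm what actually executes", line)

    if code == "O16" and body.endswith("-"):
        return Finding(code, "DPF (ActiveX download) object with no source URL recorded", line)

    if code == "O20" and body.startswith("AppInit_DLLs:"):
        return Finding(code, "DLL loaded into every process that uses user32.dll; verify publisher", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    findings = [triage_line(raw) for raw in text.splitlines()]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}\n     {f.line}")
```

On the sample above this flags six lines, two of which (KS.exe and MARX_DEV.DLL) the thread later confirms are legitimate software the owner installed, which is exactly why each hit is only a pointer to check the file's location and publisher, as the helper asks for, rather than something to delete.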

here is the info you asked for......

that dll you were asking for is a crypto dongle for a special program that i have, made by a company in germany. it is in the windows 32 folder.

on a sidenote i keep getting two messages from kerio, one references c:\windows\system32\creell32.exe was replaced by another application with description creell32.exe. Do you want to accept replacement of this application. i seem to get it when looking at email. the other message is

windows fatal applications exit............kerio personal firewall driver:mactransferdata:invalid buffer tag

?? any ideas on these?


Well, on the first one, creell32.exe is more than likely most/part/some of the problem with your computer. Let's see if we can find where it is running from.

  • Please click and download Silent Runners.
    • Save it to the desktop.
    • Double click the "Silent Runners" icon on your desktop to run it.
    • Now you will see a text file appear on the desktop - it is NOT done yet, so let it run (it won't appear to be doing anything!)
    • After you receive the "All Done!" prompt, double-click on the new text file on the desktop and copy/paste it here.

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

  • Please download OldTimer's Winpfind from HERE

    Unzip it to the desktop and run Winpfind.exe.

    Once the scan is finished, please CLOSE the Notepad window that pops up. Then please post the entire contents of the logfile winpfind.txt here for me.

  • Please download GetService.zip from HERE

    Extract it to a new folder on the desktop. Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder. It will then open getservice.txt for you.

    getservice.txt will list all active Services. Copy and paste the contents of getservice.txt in your next reply here.

  • Download Bobbi Fleckman's Regsearch from HERE and unzip it to your desktop, or anywhere else you'd like to keep it.

    Next, please reboot your computer in Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:

    http://www.pchell.com/support/safemode.shtml

    Now double click on Regsearch.exe and type

    adchannel

    into the TOP section (search for), make sure the bottom section is blank and click OK...Copy and paste the resulting log back here.

    NOTE the above regsearch MUST be done in safemode to be effective

  • Did you recently uninstall Shareaza?? <<---- May be quite pertinent

Disregard the "may be pertinent" part...... I guess I was just having a moment. :D


No, I do not believe that I have taken any Shareaza off of here. Here are the logs.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"PlaxoUpdate" = "C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a" ["Plaxo, Inc."]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Tpwrtray" = "TPWRTRAY.EXE" ["TOSHIBA Corporation"]

"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]

"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]

"PmProxy" = "C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" ["adi"]

"Mouse Suite 98 Daemon" = "ICO.EXE" ["Primax Electronics Ltd."]

"DataCaching" = "C:\PROGRA~1\DATACA~1\FLashKsk.exe" [" "]

"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]

"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]

"freesurfer" = "C:\Program Files\Free Surfer\fs20.exe" [file not found]

"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]

"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]

"Pinger" = "c:\toshiba\ivp\ism\pinger.exe /run" ["TOSHIBA Corporation"]

"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" [file not found]

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" [file not found]

"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" [file not found]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"VcCleanUp.exe" = "C:\DOCUME~1\WATCHI~1\LOCALS~1\Temp\VcCleanUp.exe /F C:\PROGRA~1\COMMON~1\SYMANT~1\LiveReg\ /RemoveAll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\dlprotect.dll" [null data]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = "UberButton Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{65D886A2-7CA7-479B-BB95-14D1EFB7946A}\(Default) = "YahooTaggedBM Class" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\YIeTagBm.dll" ["Yahoo! Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"

-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]

"{03FF3962-D823-11D4-97F0-009027769C61}" = "Data Caching Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\DATACA~1\FlashShl.dll" [" "]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]

"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

INFECTION WARNING! "{81559C35-8464-49F7-BB0E-07A383BEF910}" = "SpywareGuard.Handler" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\SpywareGuard\spywareguard.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "MARX_DEV.DLL" ["MARX CryptoTech LP"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

Active Desktop and Wallpaper:

-----------------------------

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "WATCH Imaging" & "All Users" startup folders:

---------------------------------------------------------------

C:\Documents and Settings\WATCH Imaging\Start Menu\Programs\Startup

"SpywareGuard" -> shortcut to: "C:\Program Files\SpywareGuard\sgmain.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]

"PC Health" -> shortcut to: "C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs" [null data]

Enabled Scheduled Tasks:

------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\pavlsp.dll ["Panda Software "], 01 - 02, 08

%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 09 - 26

%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07

Toolbars, Explorer Bars, Extensions:

------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]

-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\

"ButtonText" = "Yahoo! Services"

"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"

-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo!"]

{AFC3FA82-AD07-45CD-8B57-983435B9899E}\

"ButtonText" = "Free Surfer"

"MenuText" = "Free Surfer"

"Exec" = "C:\Program Files\Free Surfer\FS20.exe" [file not found]

Miscellaneous IE Hijack Points

------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

[strings]: START_PAGE_URL=http://www.toshiba.com

Missing lines (compared with English-language version):

[strings]: 1 line

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

HIJACK WARNING! "RoxioOfflineInformation" = "C:\Program Files\Roxio\PhotoSuite 4\Internet\OfflineInformation.html" [file not found]

HIJACK WARNING! "RoxioNavigationCanceled" = "C:\Program Files\Roxio\PhotoSuite 4\Internet\NavigationCanceled.html" [file not found]

HIJACK WARNING! "RoxioWelcome" = "C:\Program Files\Roxio\PhotoSuite 4\Internet\W_Welcome.html" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

Cisco Systems, Inc. VPN Service, CVPND, "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" ["Cisco Systems, Inc."]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Print Monitors:

---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Brother MFL Port\Driver = "brmfpmon.dll" ["Brother Industries,Ltd."]

hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]

hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

LPR Port\Driver = "lprmon.dll" [MS]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]

----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 567 seconds, including 19 seconds for message boxes)

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.


dylan,

I got called out of town for a couple of days but I'm back now.... as soon as I get a little sleep I'll review your logs and get back to you.. should be in the next 8-10 hrs or so.

Ok, :D I was worried that I was going to have to start from scratch. Get some sleep. I will check back here throughout the day.


Well, the good news is I've gone through your logs; the OTHER news is there is no sign of any malware in them....... I do, however, see a problem that could be causing SERIOUS issues with the computer. You seem to be running 2 if not 3 different Anti-Virus programs..... Avast, AVG7, and there are signs of Norton (probably removed in the past?). While an Anti-Virus is a MUST have, running more than one is problematic at best, as they will 'fight' for control/resources of/in the system. This can/will cause poor performance, system errors and shutdowns. Pick the one you like best and uninstall the other(s).

Are you still having specific problems that you are relating to Malware?? If so, any specifics you can give will be helpful in tracking anything else down,

But I'm thinking Ewido has taken care of most of our problems. Also, please post an updated HijackThis log with your next reply, please. Did you do the regsearch for adchannel in safe mode and just come up with no results??


I believe that the log posted is the results from the safe mode search. I might be mistaken though. And here is my HJT log. Also, I have searched for that file and it does not come up in the results.

Logfile of HijackThis v1.99.1

Scan saved at 9:00:13 PM, on 12/4/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

C:\WINDOWS\System32\ICO.EXE

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\toshiba\ivp\ism\pinger.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\WATCH Imaging\Desktop\use to fix computer in safemode\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"

O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [freesurfer] C:\Program Files\Free Surfer\fs20.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [MSRegScan] C:\Program Files\KS\KS

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PC Health.lnk = C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download with &Etomi - res://C:\Program Files\Etomi\Plugins\RazaWebHook.dll/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)

O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: Aces Up! by pogo -

O16 - DPF: Buckaroo Blackjack TM by pogo -

O16 - DPF: Checkers by pogo -

O16 - DPF: Cribbage by pogo -

O16 - DPF: Dice Derby by pogo -

O16 - DPF: Double Deuce Poker by pogo -

O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.46/supe...o-ob-assets.cab

O16 - DPF: High Stakes Pool by pogo -

O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.4.0.34/jigs...w-ob-assets.cab

O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.0.34/mahj...g-ob-assets.cab

O16 - DPF: Multiline Slots by pogo -

O16 - DPF: Payday FreeCell by pogo -

O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.41/peng...s-ob-assets.cab

O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.37/wate...l-ob-assets.cab

O16 - DPF: Spider Solitaire by pogo -

O16 - DPF: Texas Hold'em Poker by pogo -

O16 - DPF: Tumble Bees by pogo -

O16 - DPF: Video Poker by pogo -

O16 - DPF: Word Whomp Whackdown by pogo -

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -

O20 - AppInit_DLLs: MARX_DEV.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

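A small triage script for HijackThis log lines like the ones posted above, added here as an example (it is not part of this thread and not HijackThis's own code). It groups entries by their O-number and flags what the helper checks by hand: AppInit_DLLs loaders (O20), BHO/toolbar/button entries whose file is missing, DPF entries with no download URL, services with an unknown owner, and how many distinct anti-virus vendors are present. The sample log and the vendor-name table are constructed from lines that appear in this thread.

```python
"""Triage helper for HijackThis v1.99 log lines.

Added example, not part of this thread and not HijackThis's own code.  It
groups entries by their O-number prefix and flags the things the helper in
this thread checked by hand.  The sample log and the vendor table below are
constructed from lines that appear in the thread.
"""
import re
from collections import defaultdict

# Generic shape of a HijackThis entry line: "O20 - AppInit_DLLs: MARX_DEV.DLL"
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+)\s+-\s+(?P<body>.*)$")

# Markers HijackThis prints when the referenced file does not exist on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Substrings that identify an anti-virus product in O4/O23 entries
# (constructed from the products named in this thread; extend as needed).
AV_VENDORS = {
    "avast": "avast!",
    "grisoft": "AVG",
    "avg7": "AVG",
    "symantec": "Norton/Symantec",
}

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)
O16 - DPF: Checkers by pogo -
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab
O20 - AppInit_DLLs: MARX_DEV.DLL
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
"""


def parse_hjt(text):
    """Return (kind, body) tuples for every entry line; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Map a finding category to the entry bodies that fall into it."""
    findings = defaultdict(list)
    for kind, body in parse_hjt(text):
        lower = body.lower()
        if kind == "O20" and lower.startswith("appinit_dlls"):
            # AppInit_DLLs load into every process that links user32.dll, so
            # every entry is worth identifying (here it was a licence dongle).
            findings["appinit_dll"].append(body)
        elif kind in ("O2", "O3", "O9") and any(mk in lower for mk in MISSING_MARKERS):
            # CLSID still registered in IE but the DLL/EXE is gone: a leftover
            # that should simply be removed.
            findings["orphaned_ie_hook"].append(body)
        elif kind == "O16" and body.rstrip().endswith("-"):
            # Downloaded Program File with no source URL recorded.
            findings["dpf_no_url"].append(body)
        elif kind == "O23" and "unknown owner" in lower:
            # Service whose binary carries no recognised company name.
            findings["service_unknown_owner"].append(body)
    return dict(findings)


def av_vendors(text):
    """Distinct anti-virus vendors referenced by O4 (Run) and O23 (service) entries.

    More than one running at a time is the resource conflict the helper
    warned about in this thread."""
    seen = set()
    for kind, body in parse_hjt(text):
        if kind in ("O4", "O23"):
            lower = body.lower()
            seen.update(name for key, name in AV_VENDORS.items() if key in lower)
    return sorted(seen)


if __name__ == "__main__":
    for category, bodies in triage(SAMPLE_LOG).items():
        print(f"[{category}]")
        for b in bodies:
            print("   ", b)
    print("anti-virus vendors present:", ", ".join(av_vendors(SAMPLE_LOG)))
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; a flagged entry is something to identify, not automatically something to delete.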

That regsearch is for COOLWEB..

Results at 12/1/2005 9:04:03 PM for strings:

; 'coolsearch'

; 'coolweb'

I need one for adchannel and ONLY adchannel while in safe mode... in the meantime I'll review your log, and were you able to find creell32.exe? My guess is it is in C:\WINDOWS\system32

What version of Kerio are you using??


That regsearch is for COOLWEB.. I need one for adchannel and ONLY adchannel while in safe mode... in the meantime I'll review your log, and were you able to find creell32.exe? My guess is it is in C:\WINDOWS\system32

What version of Kerio are you using??

2.1.5 version of Kerio.

I looked in the System32 folder and do not see it. I will do the search right now.


I know it's easy to get terms/tools and things mixed up, especially when you are not used to dealing with them on a daily basis. Maybe I could have been a little clearer, sorry. Yeah, if you would do both the adchannel regsearch (post #2) and a Start > Search > creell32.exe, make sure to check "search system and hidden folders" under Options for the search.


You will need to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here:

http://swandog46.geekstogo.com/aproposfix.exe

Save it to your desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.


Ok, here is the log you requested.

Log of AproposFix v1

************

Running from directory:

C:\Documents and Settings\WATCH Imaging\Desktop\use to fix computer in safemode\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\C0XltAHFLUs5]

@="ODQKOfdZaaZaaba1DB4. qZaaZpca5v q\\51a1XRSDLgfaCQHUDQRaRDBKLRAVbRXR"

"Device"="\\\\.\\SecVPND"

"DriverPath"="C:\\WINDOWS\\System32\\drivers\\seclmsbw.sys"

"DriverName"="perlp20"

"HideUninstallerName"="C:\\Program Files\\Tosesync\\dwwxscom.exe"

"UninstallerPath"="C:\\WINDOWS\\System32\\savplaw7.exe"

"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{3942A650-517A-4FFA-A3EC-A6227F209E8B}"

"UninstallerParams"="/CTUN"

"HDll"="C:\\WINDOWS\\System32\\smsmnmdd.dll"

"ServerAddress"="adchannel.contextplus.net"

"LegalNote"="http://adchannel.contextplus.net/legal-note/nonbranded.html"

"PartnerId"="CP.IST2"

"InstallationId"="{X920eb1b-6cdb-412f-445d-0d7693e29971}"

"PageFiltering"=dword:00000001

"ClientName"="C:\\Program Files\\Tosesync\\rtuinsrv.exe"

************

Removing hidden service:

Service perlp20 removed.

Removing hidden folder:

Deletion of folder Tosesync succeeded!

Deleting files:

Deletion of file C:\WINDOWS\System32\drivers\seclmsbw.sys succeeded!

Deletion of file C:\WINDOWS\System32\creell32.exe succeeded!

Deletion of file C:\WINDOWS\System32\smsmnmdd.dll succeeded!

Deletion of file C:\WINDOWS\System32\savplaw7.exe succeeded!

Backing up files:

Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\C0XltAHFLUs5]

[-HKEY_LOCAL_MACHINE\Software\C0XltAHFLUs5]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3942A650-517A-4FFA-A3EC-A6227F209E8B}]

Done!

Finished!

It appears that the mac buffer error has been resolved, and evidently, as of yet, creell is still dead.


Creell will NOT be back... I'm SURE it was being called by the Rootkit... FWIW to anyone reading this in the future: a kernel level error like this on your Firewall is a good indication of a Rootkit.

I know you are about sick of this dylan but will you post a FINAL :D HijackThis log for review and some final instruction.


No problem. I am a pro at running that one by now. Can you tell me what was wrong with my computer... how it went wrong and how to avoid it in the future? This forum has been absolutely helpful and I would recommend it to anyone having above-average difficulties with their computers.

Logfile of HijackThis v1.99.1

Scan saved at 10:14:50 PM, on 12/4/2005

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\TPWRTRAY.EXE

C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

C:\WINDOWS\System32\ICO.EXE

C:\PROGRA~1\DATACA~1\FLashKsk.exe

C:\Program Files\Apoint2K\Apoint.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

C:\toshiba\ivp\ism\pinger.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Kerio\Personal Firewall\persfw.exe

C:\WINDOWS\System32\snmp.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\KS\KS.exe

C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\WATCH Imaging\Desktop\use to fix computer in safemode\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE

O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe

O4 - HKLM\..\Run: [PmProxy] C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe

O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE

O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

O4 - HKLM\..\Run: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [MSRegScan] C:\Program Files\KS\KS

O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.4.1.5\InstallStub.exe -a

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: PC Health.lnk = C:\Program Files\Toshiba\TOSHIBA Management Console\TOSHealthLocalS.vbs

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download with &Etomi - res://C:\Program Files\Etomi\Plugins\RazaWebHook.dll/3000

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)

O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe (file missing)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com

O16 - DPF: Aces Up! by pogo -

O16 - DPF: Buckaroo Blackjack TM by pogo -

O16 - DPF: Checkers by pogo -

O16 - DPF: Cribbage by pogo -

O16 - DPF: Dice Derby by pogo -

O16 - DPF: Double Deuce Poker by pogo -

O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.4.1.46/supe...o-ob-assets.cab

O16 - DPF: High Stakes Pool by pogo -

O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-6.4.0.34/jigs...w-ob-assets.cab

O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.4.0.34/mahj...g-ob-assets.cab

O16 - DPF: Multiline Slots by pogo -

O16 - DPF: Payday FreeCell by pogo -

O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.4.0.41/peng...s-ob-assets.cab

O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.0.37/wate...l-ob-assets.cab

O16 - DPF: Spider Solitaire by pogo -

O16 - DPF: Texas Hold'em Poker by pogo -

O16 - DPF: Tumble Bees by pogo -

O16 - DPF: Video Poker by pogo -

O16 - DPF: Word Whomp Whackdown by pogo -

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -

O20 - AppInit_DLLs: MARX_DEV.DLL

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

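The helper's "your log is clean" verdict comes from reading each HijackThis line by eye. As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage script that applies the same kind of checks mechanically: O2/O3 registrations that end in "(no file)" (orphaned CLSIDs left behind after a removal), O9 entries whose target is "(file missing)", O16 DPF entries with no source URL, anything listed under AppInit_DLLs, and O23 services with no publisher information. The sample lines are constructed from entries in the log above; the heuristics, thresholds and function names are my own assumptions, and a flagged line is something to verify, not proof of infection (the "Unknown owner" avast service here is legitimate).

```python
"""Triage a HijackThis-style log for entries worth a second look.

Added example; not code from the forum thread or from HijackThis.
The heuristics below are the author's own, not HijackThis's logic.
"""
import re

# Constructed sample: a handful of lines taken from the thread's final log.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {0EEDB912-C5FA-486F-8334-57288578C627} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\\Program Files\\Free Surfer\\FS20.exe (file missing)
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O20 - AppInit_DLLs: MARX_DEV.DLL
O23 - Service: avast! Antivirus - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\\Program Files\\Kerio\\Personal Firewall\\persfw.exe
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
"""

# HijackThis lines look like "O2 - BHO: ..." or "R0 - HKCU\...". Split off the section tag.
LINE_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_line(line):
    """Return (section, body) for a HijackThis entry, or None for other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage(text):
    """Return a list of (section, body, [reasons]) for lines that merit review."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []
        # Orphaned BHO/toolbar: the CLSID is still registered but its DLL is gone.
        if section in ("O2", "O3") and body.rstrip().endswith("(no file)"):
            reasons.append("orphaned registration; the CLSID should be removed")
        # Button/menu item pointing at a binary that no longer exists.
        if "(file missing)" in body:
            reasons.append("references a missing file")
        # Downloaded Program File (ActiveX) entry with no recorded source URL.
        if section == "O16" and body.rstrip().endswith("-"):
            reasons.append("DPF entry with no source URL")
        # AppInit_DLLs is loaded into every process that uses user32; verify any value.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            if body.split(":", 1)[1].strip():
                reasons.append("AppInit_DLLs is non-empty; verify the DLL")
        # Service with no publisher string: not malicious by itself, but check the path.
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service has no publisher information; verify the binary")
        if reasons:
            findings.append((section, body, reasons))
    return findings


def orphaned_clsids(text):
    """CLSIDs of O2/O3 entries whose file is gone; these are what a fix would unregister."""
    ids = []
    for section, body, reasons in triage(text):
        if section in ("O2", "O3") and any("orphaned" in r for r in reasons):
            m = CLSID_RE.search(body)
            if m:
                ids.append(m.group(0))
    return ids


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}")
        for r in reasons:
            print(f"    -> {r}")
    print("orphaned CLSIDs:", orphaned_clsids(SAMPLE_LOG))
```

Run against the full log pasted above, the script flags the two "(no name)" BHO/toolbar leftovers, the Free Surfer entries, every pogo DPF line without a URL, the AppInit_DLLs value and the avast services; everything else passes, which matches the helper's reading.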

Congratulations, your log is clean. How your computer got that way is answered in the last link in this post the HOW DID I GET INFECTED speech..make sure to read AND follow the guidance of it..I see you are off to a good start with SpywareGuard and Blaster!! As for the infection it's a fairly new CREEPY/INVISIBLE infection called a ROOTKIT; some lite reading on it HERE

OR HERE

AND HERE

If you really want to look into it a Google search for apropos Rootkit returns 17,000 hits.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and downloads are available at the link in my signature.

Make SURE to read How Did I Get Infected in the First Place??
