Hi,

My computer got infected with the Home Search Assistant (HSA) last night. I cannot set my home page anymore. In the Windows Control Panel, there is an entry for Home Search Assistant and Shopping Wizard. When I try to remove these, I am taken to the HSA website and asked to download a removal tool (haven't tried that!).

Here is a copy of my HijackThis log. Will really appreciate anyone's help. Thanks very much indeed.

Logfile of HijackThis v1.99.1

Scan saved at 20:03:48, on 11-12-2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\TFNF5.exe

C:\WINDOWS\LTSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\popcorn72.exe

C:\WINDOWS\netyu32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\AOL 9.0\aoltray.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\Program Files\AOL COMPANION\COMPANION.EXE

C:\WINDOWS\addcy.exe

C:\Documents and Settings\sbsm4067\My Documents\Personal\Software\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vnmxv.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Class - {0DE45402-8A45-18F3-F6BE-090916EB6476} - C:\WINDOWS\ntys.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {D7E47E65-05F6-4951-8067-BB881BEB58F9} - C:\WINDOWS\system32\peim.dll (file missing)

O2 - BHO: Class - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\iekj.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run24.exe dummy

O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor

O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [netyu32.exe] C:\WINDOWS\netyu32.exe

O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"

O4 - HKLM\..\RunOnce: [addcy.exe] C:\WINDOWS\addcy.exe

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\Software\..\Telephony: DomainName = sbs.ox.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7983E2-E68E-4F15-A3B6-303AAE218723}: NameServer = 129.67.34.1,129.67.34.2,129.67.1.1,129.67.1.180,163.1.2.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


Download about:buster by RubbeRDuckY Here.

Update About:Buster

  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster.

Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.

Please run about:buster by RubbeRDuckY:

  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again.

Run about:buster again following the same instructions as above, this time without the restart at the end.

Post the about:buster log and a new HijackThis log here in a reply.


Thanks very much for the quick response.

This is the first About:Buster logfile (after my first safe-mode log-in).

AboutBuster 5.1, reference file 33

Scan started on [12-12-2005] at [12:21:51]

------------------------------------------------

No Ads Found!

------------------------------------------------

Removed File! : C:\WINDOWS\ojlic.dat

Removed File! : C:\WINDOWS\system32\xlyep.dat

------------------------------------------------

Scan was COMPLETED SUCCESSFULLY at 12:22:41

This is the second About:Buster logfile (after my second safe mode log-in).

AboutBuster 5.1, reference file 33

Scan started on [12-12-2005] at [12:39:06]

------------------------------------------------

No Ads Found!

------------------------------------------------

No Files Found!

------------------------------------------------

Scan was COMPLETED SUCCESSFULLY at 12:39:54

This is the HJT logfile (after my second log-in in the safe mode).

Logfile of HijackThis v1.99.1

Scan saved at 12:41:23, on 12-12-2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\sbsm4067\My Documents\Personal\Software\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\azceh.dll/sp.html#77035

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\azceh.dll/sp.html#77035

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Class - {0DE45402-8A45-18F3-F6BE-090916EB6476} - C:\WINDOWS\ntys.dll

O2 - BHO: Class - {148391F7-6EB4-9B26-AECE-A8DF75B9B341} - C:\WINDOWS\system32\ipyo.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {ADEAA3B6-9276-09CD-04E3-6EF1F7854839} - C:\WINDOWS\system32\msji32.dll

O2 - BHO: Class - {CAEBD80E-211A-EE88-458E-BFA21C72DCAF} - C:\WINDOWS\system32\sdkba.dll

O2 - BHO: (no name) - {D7E47E65-05F6-4951-8067-BB881BEB58F9} - C:\WINDOWS\system32\peim.dll (file missing)

O2 - BHO: Class - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\iekj.dll

O2 - BHO: Class - {EA94B086-CDBC-1A5F-231F-FB067C388DF8} - C:\WINDOWS\system32\ipdw32.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run24.exe dummy

O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor

O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\popcorn72.exe rundll.dll,LoadMouseProfile

O4 - HKLM\..\Run: [netyu32.exe] C:\WINDOWS\netyu32.exe

O4 - HKLM\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\RunOnce: [srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\Software\..\Telephony: DomainName = sbs.ox.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7983E2-E68E-4F15-A3B6-303AAE218723}: NameServer = 129.67.34.1,129.67.34.2,129.67.1.1,129.67.1.180,163.1.2.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks once again. Really appreciate your help.

Cheers.
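Comparing the two HijackThis logs posted so far shows what changed between scans: the `res://` DLL behind the Internet Explorer search settings has a new file name, and BHO entries appear that were not in the first log. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses HijackThis entry lines, diffs two scans and tags entries for review; the sample lines are excerpts from the logs above, and the function names and the two review heuristics are assumptions chosen for illustration.

```python
import re

# Excerpts from the first and second HijackThis logs posted in this thread.
SCAN_1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vnmxv.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {0DE45402-8A45-18F3-F6BE-090916EB6476} - C:\WINDOWS\ntys.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [netyu32.exe] C:\WINDOWS\netyu32.exe
O4 - HKLM\..\RunOnce: [addcy.exe] C:\WINDOWS\addcy.exe
"""
SCAN_2 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\azceh.dll/sp.html#77035
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {0DE45402-8A45-18F3-F6BE-090916EB6476} - C:\WINDOWS\ntys.dll
O2 - BHO: Class - {148391F7-6EB4-9B26-AECE-A8DF75B9B341} - C:\WINDOWS\system32\ipyo.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [netyu32.exe] C:\WINDOWS\netyu32.exe
"""

# An entry line is a section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# res:// URL whose resource container is a DLL directly under WINDOWS or system32.
RES_DLL_RE = re.compile(
    r"res://(?P<path>[A-Za-z]:\\WINDOWS\\(?:system32\\)?[^/\\]+\.dll)/", re.I)
BHO_RE = re.compile(
    r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body").strip()))
    return entries


def diff_scans(before, after):
    """Return (added, removed) entry lists between two scans, each sorted."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(new - old), sorted(old - new)


def res_dlls(log_text):
    """Lower-cased paths of Windows-directory DLLs referenced through res:// URLs."""
    found = set()
    for _code, body in parse_entries(log_text):
        m = RES_DLL_RE.search(body)
        if m:
            found.add(m.group("path").lower())
    return found


def review_reasons(code, body):
    """Illustrative heuristics (assumptions): reasons to look closer, not a verdict."""
    reasons = []
    if code in ("R0", "R1") and RES_DLL_RE.search(body):
        reasons.append("IE setting served from a DLL in the Windows directory")
    m = BHO_RE.match(body) if code == "O2" else None
    if (m and m.group("name") in ("Class", "(no name)")
            and m.group("path").lower().startswith("c:\\windows\\")):
        reasons.append("BHO with a generic name loaded from the Windows directory")
    return reasons


def triage(before, after):
    """Summarise what changed between two scans and why each new entry is flagged."""
    added, removed = diff_scans(before, after)
    return {
        "added": [(c, b, review_reasons(c, b)) for c, b in added],
        "removed": removed,
        "res_dll_changed": res_dlls(before) != res_dlls(after),
    }


if __name__ == "__main__":
    report = triage(SCAN_1, SCAN_2)
    for code, body, reasons in report["added"]:
        print("+", code, body, "|", "; ".join(reasons) or "no heuristic hit")
    for code, body in report["removed"]:
        print("-", code, body)
    print("res:// DLL changed between scans:", report["res_dll_changed"])
```

An entry that disappears from one scan and returns under a different file name, as the `res://` DLL does here, shows up as one removed and one added line, so the diff is read in pairs.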


Please download ewido security suite; it is a trial version of the program.

  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen.

You will need to update ewido to the latest definition files.

  • On the left hand side of the main screen click update
  • Then click on Start Update

The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.

Open ewido again.

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.

Now close ewido security suite.

Reboot and post the report ewido made and a new HijackThis log here in a reply.

This is the eWido report (produced in safe mode).

---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

+ Created on: 15:07:32, 12-12-2005

+ Report-Checksum: 9057B6F0

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup

HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup

HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup

HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{25D8BACF-3DE2-4B48-AE22-D659B8D835B0} -> Spyware.RXToolbar : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} -> Spyware.Need2Find : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4E7BD74F-2B8D-469E-90F0-F66AB581A933} -> Spyware.MyWebSearch : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7E7CCE3-E897-0FF8-81D6-3F27EA1CA24E} -> Spyware.CoolWebSearch : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup

HKU\S-1-5-21-796845957-507921405-1202660629-2286\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup

C:\Documents and Settings\Administrator.SBSM4067\Cookies\administrator@122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Administrator.SBSM4067\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\Administrator.SBSM4067\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup

C:\Documents and Settings\sbsm4067\Cookies\sbsm4067@122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Cookies\sbsm4067@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup

C:\Documents and Settings\sbsm4067\Cookies\sbsm4067@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Cookies\sbsm4067@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup

C:\Documents and Settings\sbsm4067\Cookies\sbsm4067@microsoftuk.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Cookies\sbsm4067@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@adviva[2].txt -> Spyware.Cookie.Adviva : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@cnn.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@counter14.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@ehg-cricinfo.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@ehg-idg.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@ehg-samsungusa.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@ehg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@microsoftuk.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@paycounter[2].txt -> Spyware.Cookie.Paycounter : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@sexlist[1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\Cookies\sbsm4067@www.smartadserver[1].txt -> Spyware.Cookie.Smartadserver : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\dk.dial -> Trojan.Dialer.ay : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\jcnd.exe -> Downloader.Small.bwr : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\lccm.exe -> Downloader.Small.bwr : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\nhan.exe -> Downloader.Small.bwr : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temp\phmp.exe -> Downloader.Small.bwr : Cleaned with backup

C:\Documents and Settings\sbsm4067\Local Settings\Temporary Internet Files\Content.IE5\KA0WV3O1\ccaccess[1].cab/ccaccess.dll -> Dialer.Generic : Cleaned with backup

C:\WINDOWS\addcy.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\adddo.exe -> Downloader.Agent.td : Cleaned with backup

C:\WINDOWS\addwj.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\apphh.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\appxl32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\azceh.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\d3ho.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\d3zc32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\fbomk.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\gdejw.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\haasd.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\ipmb32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\KB893086.log:ljslf -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\KB896423.log:wkdwb -> Downloader.Agent.td : Cleaned with backup

C:\WINDOWS\kuilk.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\mscn.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\netnw32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\netyu32.exe -> Downloader.Agent.td : Cleaned with backup

C:\WINDOWS\ntys.dll -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\rzors.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\SBSM4067_KB899588pass.txt:casia -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\sdkbc.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\system32\addfq.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\system32\atlwp32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\system32\dial32.exe -> Trojan.Dialer.ay : Cleaned with backup

C:\WINDOWS\system32\dpzlp.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\system32\gmmcr.dll -> Adware.SearchPage : Cleaned with backup

C:\WINDOWS\system32\iekj.dll -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\system32\ipdw32.dll -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\system32\ipew32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\system32\ipyo.dll -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\system32\msji32.dll -> Downloader.WinShow.bg : Cleaned with backup

C:\WINDOWS\system32\ntpm.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\system32\popcorn72.exe -> Downloader.Small.bgv : Cleaned with backup

C:\WINDOWS\system32\sdkat32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\system32\spoolsrv32.exe -> Spyware.FindSpy : Cleaned with backup

C:\WINDOWS\system32\srpcsrv32.dll -> Downloader.Adload.g : Cleaned with backup

C:\WINDOWS\system32\upd796.exe -> Downloader.Small.bgv : Cleaned with backup

C:\WINDOWS\system32\upd819.exe -> Dropper.Agent.ii : Cleaned with backup

C:\WINDOWS\system32\upd970.exe -> Downloader.Small.bpz : Cleaned with backup

C:\WINDOWS\system32\winctrl64.exe -> Downloader.Small.awa : Cleaned with backup

C:\WINDOWS\sysxl32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\sysyj32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\sysyl32.exe -> Trojan.Agent.bi : Cleaned with backup

C:\WINDOWS\Zapotec.bmp:auuxy -> Downloader.Agent.td : Cleaned with backup

::Report End

This is the HJT log (produced in safe mode after eWido scan).

Logfile of HijackThis v1.99.1

Scan saved at 15:13:20, on 12-12-2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\sbsm4067\My Documents\Personal\Software\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\azceh.dll/sp.html#77035

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\system32\msblank.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\azceh.dll/sp.html#77035

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\azceh.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Class - {ADEAA3B6-9276-09CD-04E3-6EF1F7854839} - C:\WINDOWS\system32\msji32.dll (file missing)

O2 - BHO: Class - {CAEBD80E-211A-EE88-458E-BFA21C72DCAF} - C:\WINDOWS\system32\sdkba.dll

O2 - BHO: (no name) - {D7E47E65-05F6-4951-8067-BB881BEB58F9} - C:\WINDOWS\system32\peim.dll (file missing)

O2 - BHO: Class - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\iekj.dll (file missing)

O2 - BHO: Class - {EA94B086-CDBC-1A5F-231F-FB067C388DF8} - C:\WINDOWS\system32\ipdw32.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run24.exe dummy

O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor

O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\Software\..\Telephony: DomainName = sbs.ox.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7983E2-E68E-4F15-A3B6-303AAE218723}: NameServer = 129.67.34.1,129.67.34.2,129.67.1.1,129.67.1.180,163.1.2.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Workstation NetLogon Service ( 11F


1. Make sure your PC is set to show all hidden files and folders. Go here for instructions on how to do this: http://pchowtos.co.uk/index.php?page=tutor...tion=view&id=34

2. Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up. You will get a menu; select safe mode.

3. While in safe mode, open HijackThis and click Scan. Then tick and fix the following in HijackThis with all windows closed except HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {ADEAA3B6-9276-09CD-04E3-6EF1F7854839} - C:\WINDOWS\system32\msji32.dll (file missing)

O2 - BHO: Class - {CAEBD80E-211A-EE88-458E-BFA21C72DCAF} - C:\WINDOWS\system32\sdkba.dll

O2 - BHO: (no name) - {D7E47E65-05F6-4951-8067-BB881BEB58F9} - C:\WINDOWS\system32\peim.dll (file missing)

O2 - BHO: Class - {DF668E96-27EB-767C-CDC7-40ADB11675F2} - C:\WINDOWS\system32\iekj.dll (file missing)

O2 - BHO: Class - {EA94B086-CDBC-1A5F-231F-FB067C388DF8} - C:\WINDOWS\system32\ipdw32.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run24.exe dummy

O4 - HKLM\..\Run: [d3nh.exe] C:\WINDOWS\d3nh.exe

O4 - HKLM\..\RunOnce: [ntzw32.exe] C:\WINDOWS\system32\ntzw32.exe

O23 - Service: Workstation NetLogon Service ( 11F


Here is the HJT log after fixing the recommended files with HJT in safe-mode.

Logfile of HijackThis v1.99.1

Scan saved at 17:59:48, on 12-12-2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\sbsm4067\My Documents\Personal\Software\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor

O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\Software\..\Telephony: DomainName = sbs.ox.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7983E2-E68E-4F15-A3B6-303AAE218723}: NameServer = 129.67.34.1,129.67.34.2,129.67.1.1,129.67.1.180,163.1.2.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Workstation NetLogon Service ( 11F

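A way to check a fix list against a fresh scan before ticking anything, as an added example that is not part of the original posts. The fix list above names `hssbw.dll` in the Search Bar value while the safe-mode log shows `azceh.dll` in that same value, so the sketch matches entries by registry location, CLSID or Run-value name rather than by whole line. The function names are hypothetical, and the sample lines are a small subset copied from the logs in this thread.

```python
import re

# Subset of the helper's fix list, copied from the thread.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\hssbw.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {CAEBD80E-211A-EE88-458E-BFA21C72DCAF} - C:\WINDOWS\system32\sdkba.dll
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run24.exe dummy
O4 - HKLM\..\Run: [d3nh.exe] C:\WINDOWS\d3nh.exe
O4 - HKLM\..\RunOnce: [ntzw32.exe] C:\WINDOWS\system32\ntzw32.exe
"""

# Subset of the safe-mode scan taken before fixing (15:13:20), copied from the thread.
BEFORE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\azceh.dll/sp.html#77035
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {CAEBD80E-211A-EE88-458E-BFA21C72DCAF} - C:\WINDOWS\system32\sdkba.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [alij] C:\WINDOWS\system32\run24.exe dummy
"""

# Subset of the scan taken after fixing (17:59:48), copied from the thread.
AFTER_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_NAME_RE = re.compile(r"(.*?\[[^\]]*\])")


def parse_entries(text):
    """Return (section, body) pairs for every 'R1 - ...' / 'O4 - ...' style line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def entry_key(section, body):
    """Identity of an entry that survives a change of the file it points to."""
    clsid = CLSID_RE.search(body)
    if section in ("O2", "O3") and clsid:
        return (section, clsid.group(0).upper())        # BHO / toolbar: the CLSID
    if section == "O4":
        run_name = RUN_NAME_RE.match(body)
        if run_name:
            return (section, run_name.group(1).lower())  # Run key plus [value name]
    # R-section and everything else: the part before " =" (the registry location).
    return (section, body.partition(" =")[0].lower())


def check_fix_list(fix_text, log_text):
    """Label each fix-list entry as exact, changed or absent in the given log."""
    log_entries = parse_entries(log_text)
    exact = set(log_entries)
    keys = {entry_key(section, body) for section, body in log_entries}
    results = []
    for section, body in parse_entries(fix_text):
        if (section, body) in exact:
            status = "exact"      # identical line is in the log
        elif entry_key(section, body) in keys:
            status = "changed"    # same location, different value: re-read before fixing
        else:
            status = "absent"     # nothing to tick for this entry
        results.append((status, section, body))
    return results


def still_present(fix_text, log_text):
    """Fix-list entries that a later log still contains in any form."""
    return [r for r in check_fix_list(fix_text, log_text) if r[0] != "absent"]


if __name__ == "__main__":
    for status, section, body in check_fix_list(FIX_LIST, BEFORE_LOG):
        print(f"{status:8} {section} - {body}")
    print("left after fix:", still_present(FIX_LIST, AFTER_LOG))
```

A `changed` result means the fix list was written against an earlier scan, so the entry to tick is the one the current log shows at that location.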

1. Go to Start > Settings > Control Panel > Add/Remove and uninstall the following.

SpyFighter, as it's rogue. Look here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

2. Download http://osc.geekstogo.com/cwsserviceremove.reg and run it. It will ask to merge into the registry; say yes.

3. Download CWShredder here to its own folder.

Update CWShredder

* Open CWShredder and click I AGREE

* Click Check For Update

* Close CWShredder

Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about.

4. Then post a new HijackThis log here in a reply.


1. Had already uninstalled SpyFighter. Have now manually removed the directory from C:.

2. Ran the CWS Shredder. It did not find anything.

3. The HJT log (after completing the above two activities in normal mode and without rebooting the system) is below.

Logfile of HijackThis v1.99.1

Scan saved at 20:59:20, on 12-12-2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

C:\WINDOWS\System32\00THotkey.exe

C:\WINDOWS\system32\TFNF5.exe

C:\WINDOWS\LTSMMSG.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

C:\Program Files\VoyagerTest\fts.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\AOL 9.0\aoltray.exe

C:\WINDOWS\system32\RAMASST.exe

C:\Program Files\SpywareGuard\sgmain.exe

C:\Program Files\SpywareGuard\sgbhp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\sbsm4067\My Documents\Personal\Software\HJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor

O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\Software\..\Telephony: DomainName = sbs.ox.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7983E2-E68E-4F15-A3B6-303AAE218723}: NameServer = 129.67.34.1,129.67.34.2,129.67.1.1,129.67.1.180,163.1.2.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks.


1. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor

O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent

2. Then post a new Hijackthis log here in a reply.


Here is the HJT log (produced in safe mode after fixing the spyfighter entries).

Logfile of HijackThis v1.99.1

Scan saved at 10:47:18, on 13-12-2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\sbsm4067\My Documents\Personal\Software\HJ\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edition.cnn.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://extranet.temp.ox.ac.uk/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [sigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe

O4 - HKLM\..\Run: [TFNF5] TFNF5.exe

O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe

O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users.WINDOWS\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kav...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aolsvc.aol.co.uk/computercheckup/qdiagcc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\Software\..\Telephony: DomainName = sbs.ox.ac.uk

O17 - HKLM\System\CCS\Services\Tcpip\..\{1F7983E2-E68E-4F15-A3B6-303AAE218723}: NameServer = 129.67.34.1,129.67.34.2,129.67.1.1,129.67.1.180,163.1.2.1

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sbs.ox.ac.uk

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ox.ac.uk,ac.uk,uk

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks.


Your log is clean :D

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

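The before/after comparison this thread carries out by hand (fix the two SpyFighter O4 entries, post a fresh log, confirm they are gone) can be checked mechanically. The Python below is an added example, not part of any post above; the function names and the abridged sample logs are constructed for illustration from lines quoted in the thread.

```python
import re

# A HijackThis item line is "<section code> - <detail>", e.g. "O4 - HKLM\..\Run: ...".
ITEM_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_items(log_text):
    """Return the set of (section, detail) items; headers and process paths are skipped."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.add((m.group(1), m.group(2)))
    return items

def verify_fix(before, after, targets):
    """Diff two logs taken around a fix of the `targets` item lines."""
    old, new = parse_items(before), parse_items(after)
    wanted = parse_items("\n".join(targets))
    return {
        "still_present": sorted(wanted & new),      # the fix did not stick
        "never_present": sorted(wanted - old),      # target was not in the first log
        "collateral": sorted(old - new - wanted),   # removed although not targeted
        "new_entries": sorted(new - old),           # appeared between the scans
        "file_missing": sorted(i for i in new if i[1].endswith("(file missing)")),
    }

# Constructed sample: abridged logs assembled from lines quoted in this thread.
COMMON = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
"""
TARGETS = [
    r'O4 - HKLM\..\Run: [spyFighterMonitor] "C:\Program Files\SpyFighter\SpyFighter.exe" monitor',
    r'O4 - HKLM\..\Run: [spyFighterUpdate] "C:\Program Files\SpyFighter\AutoUpdate.exe" silent',
]
BEFORE = COMMON + "\n".join(TARGETS) + "\n"
AFTER = COMMON

if __name__ == "__main__":
    for key, rows in verify_fix(BEFORE, AFTER, TARGETS).items():
        print(f"{key}: {len(rows)}")
        for section, detail in rows:
            print(f"  {section} - {detail}")
```

A non-empty `still_present` or `new_entries` list after a reboot means something re-created the entry, which is the cue to look for the component that restores it before fixing the same line again.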
