29 replies to this topic

[stanbates]

when using google search if i click a results im directed to casino web sites ive run the hijack this and ive attached the log. help needed asap, and Im new to this.

Logfile of HijackThis v1.99.1
Scan saved at 23:50:01, on 29/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Documents and Settings\Toshiba\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {58927658-416E-603D-CBF2-616D272328D2} - bingo9.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ftbar] borlandg.exe
O4 - HKLM\..\Run: [BoundRec] panel_its.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [JAguAr] corrida.exe
O4 - HKCU\..\Run: [browsebar] ERTYDF.exe
O4 - HKCU\..\Run: [install2] NopeZ.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1133290501095
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{49956329-33B9-4BB8-8CA0-A0CD9613F2E2}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A5146F-1F7E-4C0D-BB17-18236F124DA3}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{69CF0FCC-1BC6-48AB-BB13-6A45185FC3C8}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6D02929-0C5A-4617-B0C0-BD25E7AF8E16}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[stanbates]

I have just downloaded firefox and it doesnt have the same problems, so Im assuming its to do with IE?????

[rridgely]

Your pretty infected with spyware. Follow this.
http://forum.ccleane...?showtopic=3505

Then reboot and post a new log.

[stanbates]

Thanks. Here is the new report. When some of the items were being removed, there were errors when deleting apparently. Should I post that log too?

Logfile of HijackThis v1.99.1
Scan saved at 17:28:41, on 30/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Toshiba\Desktop\hijackthis(2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {58927658-416E-603D-CBF2-616D272328D2} - bingo9.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ftbar] borlandg.exe
O4 - HKLM\..\Run: [BoundRec] panel_its.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [JAguAr] corrida.exe
O4 - HKCU\..\Run: [browsebar] ERTYDF.exe
O4 - HKCU\..\Run: [install2] NopeZ.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133290501095
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{49956329-33B9-4BB8-8CA0-A0CD9613F2E2}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A5146F-1F7E-4C0D-BB17-18236F124DA3}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{69CF0FCC-1BC6-48AB-BB13-6A45185FC3C8}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6D02929-0C5A-4617-B0C0-BD25E7AF8E16}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

[stanbates]

It was the ewido report I was talikng about above:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 16:48:19, 30/12/2005
+ Report-Checksum: 9BBAF65E

+ Scan result:

[872] VM_00D80000 -> Downloader.Agent.uj : Error during cleaning
[896] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning
[1744] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[3016] VM_003C0000 -> Downloader.Agent.uj : Error during cleaning
[3296] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning
[3608] VM_00900000 -> Downloader.Agent.uj : Error during cleaning
[3624] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[3816] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[3828] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
[3904] VM_00A40000 -> Downloader.Agent.uj : Error during cleaning
[3916] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning
[3988] VM_00AA0000 -> Downloader.Agent.uj : Error during cleaning
[4048] VM_00A20000 -> Downloader.Agent.uj : Error during cleaning
[4072] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[1964] VM_00D90000 -> Downloader.Agent.uj : Error during cleaning
[408] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning
[644] VM_00AF0000 -> Downloader.Agent.uj : Error during cleaning
[780] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[832] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[2088] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[2384] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[1540] VM_012A0000 -> Downloader.Agent.uj : Error during cleaning
[3036] VM_00B60000 -> Downloader.Agent.uj : Error during cleaning
[3964] VM_00E30000 -> Downloader.Agent.uj : Error during cleaning
[3032] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[3408] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning
[1588] VM_01230000 -> Downloader.Agent.uj : Error during cleaning
[2804] VM_00980000 -> Downloader.Agent.uj : Error during cleaning
[876] VM_00CB0000 -> Downloader.Agent.uj : Error during cleaning
[3348] VM_00380000 -> Downloader.Agent.uj : Error during cleaning
[3748] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning
[3388] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[3216] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP39\A0007318.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP39\A0007323.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP40\A0007359.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP41\A0007377.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP41\A0007386.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP41\A0007390.exe -> Trojan.Pakes : Cleaned with backup


::Report End

[rridgely]

Run ewido in safe mode. I think that might allow it to remove what it couldnt.

[stanbates]

OK, run it all in safe mode, there are still problems removing the spyware.

Norton AV keeps detecting a virus:

C:\windows\system32\howiper.exe

Ewido keeps detecting:

downloader.agent.uj but has problems removing it, even in safe mode. I have included the last few reports and the hijackthis one too.

p.s. i have disabled system restore as per norton av instruction on the website

Logfile of HijackThis v1.99.1
Scan saved at 00:39:10, on 31/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Toshiba\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0...S01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {58927658-416E-603D-CBF2-616D272328D2} - bingo9.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TOSHIBA Picture Enhancement Utility] C:\Program Files\TOSHIBA\TOSHIBA Picture Enhancement Utility\TosPEHK.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [ftbar] borlandg.exe
O4 - HKLM\..\Run: [BoundRec] panel_its.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [JAguAr] corrida.exe
O4 - HKCU\..\Run: [browsebar] ERTYDF.exe
O4 - HKCU\..\Run: [install2] NopeZ.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133290501095
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{49956329-33B9-4BB8-8CA0-A0CD9613F2E2}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{68A5146F-1F7E-4C0D-BB17-18236F124DA3}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{69CF0FCC-1BC6-48AB-BB13-6A45185FC3C8}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6D02929-0C5A-4617-B0C0-BD25E7AF8E16}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF78283-1501-4892-9F86-942C6CCE25CD}: NameServer = 85.255.115.3,85.255.112.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 16:48:19, 30/12/2005
+ Report-Checksum: 9BBAF65E

+ Scan result:

[872] VM_00D80000 -> Downloader.Agent.uj : Error during cleaning
[896] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning
[1744] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[3016] VM_003C0000 -> Downloader.Agent.uj : Error during cleaning
[3296] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning
[3608] VM_00900000 -> Downloader.Agent.uj : Error during cleaning
[3624] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[3816] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[3828] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
[3904] VM_00A40000 -> Downloader.Agent.uj : Error during cleaning
[3916] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning
[3988] VM_00AA0000 -> Downloader.Agent.uj : Error during cleaning
[4048] VM_00A20000 -> Downloader.Agent.uj : Error during cleaning
[4072] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[1964] VM_00D90000 -> Downloader.Agent.uj : Error during cleaning
[408] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning
[644] VM_00AF0000 -> Downloader.Agent.uj : Error during cleaning
[780] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[832] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[2088] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[2384] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[1540] VM_012A0000 -> Downloader.Agent.uj : Error during cleaning
[3036] VM_00B60000 -> Downloader.Agent.uj : Error during cleaning
[3964] VM_00E30000 -> Downloader.Agent.uj : Error during cleaning
[3032] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[3408] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning
[1588] VM_01230000 -> Downloader.Agent.uj : Error during cleaning
[2804] VM_00980000 -> Downloader.Agent.uj : Error during cleaning
[876] VM_00CB0000 -> Downloader.Agent.uj : Error during cleaning
[3348] VM_00380000 -> Downloader.Agent.uj : Error during cleaning
[3748] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning
[3388] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[3216] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP39\A0007318.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP39\A0007323.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP40\A0007359.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP41\A0007377.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP41\A0007386.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{9596666D-F2B6-41F5-B2B6-A5C82126D502}\RP41\A0007390.exe -> Trojan.Pakes : Cleaned with backup


::Report End

Most Recent

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 00:28:44, 31/12/2005
+ Report-Checksum: 46E23F25

+ Scan result:

[844] VM_00D80000 -> Downloader.Agent.uj : Error during cleaning
[868] VM_00C00000 -> Downloader.Agent.uj : Error during cleaning
[1592] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[2832] VM_003C0000 -> Downloader.Agent.uj : Error during cleaning
[2936] VM_00A50000 -> Downloader.Agent.uj : Error during cleaning
[3028] VM_00900000 -> Downloader.Agent.uj : Error during cleaning
[3068] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[3124] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[3148] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
[3268] VM_00A40000 -> Downloader.Agent.uj : Error during cleaning
[3276] VM_009C0000 -> Downloader.Agent.uj : Error during cleaning
[3392] VM_00AA0000 -> Downloader.Agent.uj : Error during cleaning
[3404] VM_00A20000 -> Downloader.Agent.uj : Error during cleaning
[3420] VM_00D90000 -> Downloader.Agent.uj : Error during cleaning
[3436] VM_009F0000 -> Downloader.Agent.uj : Error during cleaning
[3496] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[3516] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[3540] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[3648] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[3724] VM_00A30000 -> Downloader.Agent.uj : Error during cleaning
[3848] VM_012A0000 -> Downloader.Agent.uj : Error during cleaning
[384] VM_00B60000 -> Downloader.Agent.uj : Error during cleaning
[288] VM_00E30000 -> Downloader.Agent.uj : Error during cleaning
[824] VM_009A0000 -> Downloader.Agent.uj : Error during cleaning
[1568] VM_00870000 -> Downloader.Agent.uj : Error during cleaning
[1540] VM_003F0000 -> Downloader.Agent.uj : Error during cleaning
[3448] VM_01230000 -> Downloader.Agent.uj : Error during cleaning
[3464] VM_00980000 -> Downloader.Agent.uj : Error during cleaning
[3980] VM_00CB0000 -> Downloader.Agent.uj : Error during cleaning
[2712] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning


::Report End

[rridgely]

Is your copy of norton still up to date?(under license?)

[stanbates]

rridgely, on Dec 31 2005, 01:35 AM, said:

Is your copy of norton still up to date?(under license?)

It is yes. Do you have any more ideas? Im stumped and its really annoying

[rridgely]

Post a new log first and then we can try something else.

[stanbates]

rridgely, on Jan 1 2006, 07:22 PM, said:

Post a new log first and then we can try something else.

thanks for your time.

ive now run our advice in both XP safe mode and in XP Normal

ive removed the 3 month trial version of Norton AV and installed AVG (free version)

ive attached the two reports from both hijack and ewido

i noted that in safe mode ewido finds 7 items but in XP it finds between 30 - 40 in both safe and normal it refers to downloader.agent.uj and again in both it states an "error during cleaning" as per report.

Howiper still appears in the C:\windows\system32\howiper.exe and again when its picked up its quoted that its unable to repair.

Attached Files

•  hijackthis20060101.txt   12.83K   9 downloads
•  Scan_report_20060101.txt.txt   5.29K   18 downloads

[crunchie]

If I may suggest doing the following;

Download and run blacklite
F-Secure Blacklight: http://www.f-secure....light/try.shtml
leave [X]scan through windows explorer checked,
click > scan then > next,
If any items show, have blacklite rename them except for wbemtest.exe"
Do not rename "wbemtest.exe" its a windows file.
The tool will ask if you want to reboot, (restart) choose yes.


After you have rebooted post back with blacklites log, it will be next to the program.

[stanbates]

crunchie, on Jan 2 2006, 01:33 AM, said:

If I may suggest doing the following;

Download and run blacklite
F-Secure Blacklight: http://www.f-secure....light/try.shtml
leave [X]scan through windows explorer checked,
click > scan then > next,
If any items show, have blacklite rename them except for wbemtest.exe"
Do not rename "wbemtest.exe" its a windows file.
The tool will ask if you want to reboot, (restart) choose yes.
After you have rebooted post back with blacklites log, it will be next to the program.

as per your suggestion i renamed the three other "hidden" files

and please find the report that blbeta wrote to my desktop.

again thanks for all this help you both are clearly up on this. im finding my self in "monkey see - monkey do" territory.

p.s. following those actions and this posting Norton AV flagged up Howiper again and as before it also stated it was unable to repair, it lives on!

01/02/06 01:48:21 [Info]: BlackLight Engine 1.0.30 initialized
01/02/06 01:48:21 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/02/06 01:48:21 [Note]: 7019 4
01/02/06 01:48:21 [Note]: 7005 0
01/02/06 01:48:34 [Note]: 7006 0
01/02/06 01:48:34 [Note]: 7011 1720
01/02/06 01:48:35 [Note]: FSRAW library version 1.7.1014
01/02/06 01:48:59 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
01/02/06 01:48:59 [Note]: 10002 1
01/02/06 01:49:02 [Info]: Hidden file: C:\WINDOWS\system32\csgbe.exe
01/02/06 01:49:02 [Note]: 7002 32
01/02/06 01:49:02 [Note]: 7003 1
01/02/06 01:49:02 [Note]: 10002 1
01/02/06 01:49:03 [Info]: Hidden file: C:\WINDOWS\system32\favset.exe
01/02/06 01:49:03 [Note]: 10002 1
01/02/06 01:49:05 [Info]: Hidden file: C:\WINDOWS\system32\howiper.exe
01/02/06 01:49:05 [Note]: 7002 5
01/02/06 01:49:05 [Note]: 7003 1
01/02/06 01:49:05 [Note]: 10002 1
01/02/06 01:52:21 [Note]: 7007 0

[crunchie]

Please delete the following files;

C:\WINDOWS\system32\csgbe.exe.ren
C:\WINDOWS\system32\favset.exe.ren
C:\WINDOWS\system32\howiper.exe.ren

Reboot your PC again and post a new hijackthis log.

[stanbates]

crunchie, on Jan 2 2006, 02:12 AM, said:

Please delete the following files;

C:\WINDOWS\system32\csgbe.exe.ren
C:\WINDOWS\system32\favset.exe.ren
C:\WINDOWS\system32\howiper.exe.ren

Reboot your PC again and post a new hijackthis log.

thanks for your prompt reply.

as per my post script, Norton AV flagged up howiper.exe again and when i searched out the three files using *.exe.ren in the system32 file it only located two (csgbe & favset) im not going to guess at whats just happened obviously its "repaired" itself in the last 15 mins but how i dont know!

i have not yet deleted those two remaining exe.ren yet as per your instruction, i thought it best to hold fire. but i can delete them by reply.

[crunchie]

I suggest running blacklite again, rename the necessary files, reboot then immediately delete the 3 files I noted. Reboot again and post a new hijackthis log.

[crunchie]

Can you also do the following;

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O4 - HKCU\..\Run: [JAguAr] corrida.exe
O4 - HKCU\..\Run: [browsebar] ERTYDF.exe
O4 - HKCU\..\Run: [install2] NopeZ.exe

Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

[stanbates]

crunchie, on Jan 2 2006, 02:32 AM, said:

Can you also do the following;

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://swandog46.gee.../Fixwareout.exe

Save it to your desktop and run it.  Click Next, then Install, then make sure "Run fixit" is checked and click Finish.  The fix will begin; follow the prompts.  You will be asked to reboot your computer; please do so.  Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.  Afterwards, HijackThis will launch.  Please click Scan, and check the following items:

O4 - HKCU\..\Run: [JAguAr] corrida.exe
O4 - HKCU\..\Run: [browsebar] ERTYDF.exe
O4 - HKCU\..\Run: [install2] NopeZ.exe

Click Fix Checked.  Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

will comply with your latest suggestions

I followed your last instruction backlight has not picked up on howiper again see below

01/02/06 02:41:11 [Info]: BlackLight Engine 1.0.30 initialized
01/02/06 02:41:11 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/02/06 02:41:11 [Note]: 7019 4
01/02/06 02:41:11 [Note]: 7005 0
01/02/06 02:41:14 [Note]: 7006 0
01/02/06 02:41:14 [Note]: 7011 1728
01/02/06 02:41:14 [Note]: FSRAW library version 1.7.1014
01/02/06 02:41:55 [Note]: 7007 0

but it still exists as an exe file in system32.

also attached my latest log as per your last suggestion. now applying your further advice.

Attached Files

•  hijackthisPostblbeta.txt   12.57K   10 downloads

[crunchie]

I will wait until you have run fixwareout before suggesting more. Please post a newer hijackthis log when done.

[stanbates]

please find the fixware report that was on my desktop when it all rebooted, hijack list following in a few mins.

Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool