Options

Plz Help... i have HJT and Panda reports.

I really need some help, its really making me mad.

Here the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:12 AM, on 6/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunes.exe
C:\DOCUME~1\Nate\LOCALS~1\Temp\Rar$EX00.391\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\System32\hp5E7B.tmp
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [P2kAutostart] V329
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe









And heres the Panda:


Incident Status Location

Adware:Adware/SecurityError Not disinfected C:\WINDOWS\System32\dcomcfg.exe
Adware:adware/xpasswordmanager Not disinfected c:\windows\system32\regperf.exe
Adware:adware/securityerror Not disinfected C:\Documents and Settings\Nate\Favorites\Antivirus Test Online.url
Adware:adware/spyfalcon Not disinfected Windows Registry
Adware:adware/securitytoolbar Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nate\Cookies\nate@247realmedia[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Nate\Cookies\nate@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nate\Cookies\nate@ad.yieldmanager[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Nate\Cookies\nate@adopt.hbmediapro[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nate\Cookies\nate@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Nate\Cookies\nate@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Nate\Cookies\nate@ads.pointroll[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Nate\Cookies\nate@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Nate\Cookies\nate@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Nate\Cookies\nate@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nate\Cookies\nate@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Nate\Cookies\nate@as-us.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nate\Cookies\nate@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Nate\Cookies\nate@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Nate\Cookies\nate@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nate\Cookies\nate@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Nate\Cookies\nate@bluestreak[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nate\Cookies\nate@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Nate\Cookies\nate@burstnet[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nate\Cookies\nate@casalemedia[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Nate\Cookies\nate@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Nate\Cookies\nate@cgi-bin[3].txt
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Nate\Cookies\nate@clickbank[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Nate\Cookies\nate@com[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Nate\Cookies\nate@counter8.sextracker[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Nate\Cookies\nate@counter9.sextracker[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Nate\Cookies\nate@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Nate\Cookies\nate@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Nate\Cookies\nate@doubleclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nate\Cookies\nate@ehg-sonycomputer.hitbox[2].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Nate\Cookies\nate@entrepreneur[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nate\Cookies\nate@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Nate\Cookies\nate@go[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Nate\Cookies\nate@hitbox[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Nate\Cookies\nate@i.screensavers[1].txt
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Nate\Cookies\nate@landing.domainsponsor[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Nate\Cookies\nate@maxserving[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Nate\Cookies\nate@media.fastclick[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nate\Cookies\nate@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nate\Cookies\nate@overture[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Nate\Cookies\nate@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Nate\Cookies\nate@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Nate\Cookies\nate@realmedia[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Nate\Cookies\nate@revenue[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Nate\Cookies\nate@searchportal.information[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Nate\Cookies\nate@server.iad.liveperson[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Nate\Cookies\nate@serving-sys[1].txt
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Nate\Cookies\nate@sextracker[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nate\Cookies\nate@statcounter[1].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Nate\Cookies\nate@statse.webtrendslive[1].txt
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Nate\Cookies\nate@targetnet[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Nate\Cookies\nate@toplist[1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Nate\Cookies\nate@tradedoubler[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Nate\Cookies\nate@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nate\Cookies\nate@tribalfusion[2].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Nate\Cookies\nate@valueclick[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Nate\Cookies\nate@www.myaffiliateprogram[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Nate\Cookies\nate@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Nate\Cookies\nate@zedo[1].txt
Potentially unwanted tool:Application/1stAntiVirus Not disinfected C:\Documents and Settings\Nate\Desktop\downloads\Install_1stAntiVirus.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nate\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Nate\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]





Thanks guys@

Comments

  • edited June 2006
    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
  • edited June 2006
    Ight heres this

    SmitFraudFix v2.46

    Scan done at 17:47:36.20, Sat 06/24/2006
    Run from C:\Documents and Settings\Nate\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\dcomcfg.exe FOUND !
    C:\WINDOWS\system32\hp????.tmp FOUND !
    C:\WINDOWS\system32\regperf.exe FOUND !
    C:\WINDOWS\system32\simpole.tlb FOUND !
    C:\WINDOWS\system32\stdole3.tlb FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nate\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nate\FAVORI~1

    C:\DOCUME~1\Nate\FAVORI~1\Antivirus Test Online.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

    [HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\System32\twain32.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\System32\twain32.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"

    [HKEY_CLASSES_ROOT\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\System32\appmagr.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\System32\appmagr.dll"


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
  • edited June 2006
    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

    Please download, install, and update the free version of Ewido Anti-Malware:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes, the status bar at the bottom will display "Update successful"
    5. Exit Ewido. DO NOT run a scan yet.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido

    Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.

    Warning : running option #2 on a non infected computer will remove your Desktop background.
  • edited June 2006
    thanks man...... heres what ya asked for:

    SmitFraudFix v2.46

    Scan done at 15:14:25.78, Wed 06/28/2006
    Run from C:\Documents and Settings\Nate\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600]
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

    [HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\System32\twain32.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\System32\twain32.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"

    [HKEY_CLASSES_ROOT\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\System32\appmagr.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\System32\appmagr.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\system32\dcomcfg.exe Deleted
    C:\WINDOWS\system32\hp????.tmp Deleted
    C:\WINDOWS\system32\regperf.exe Deleted
    C:\WINDOWS\system32\simpole.tlb Deleted
    C:\WINDOWS\system32\stdole3.tlb Deleted
    C:\DOCUME~1\Nate\FAVORI~1\Antivirus Test Online.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri

    C:\WINDOWS\System32\twain32.dll -> Missing File

    C:\WINDOWS\System32\appmagr.dll -> Missing File


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

    [HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\System32\twain32.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
    @="C:\WINDOWS\System32\twain32.dll"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{64ba30a2-811a-4597-b0af-d551128be340}"="AppManager"

    [HKEY_CLASSES_ROOT\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\System32\appmagr.dll"

    [HKEY_CURRENT_USER\Software\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340}\InProcServer32]
    @="C:\WINDOWS\System32\appmagr.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» End



    _________________________________________________________


    ewido anti-malware - Scan report

    + Created on: 4:03:13 PM, 6/28/2006
    + Report-Checksum: 697F48EC

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa} -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa} -> Trojan.Small : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f79fd28e-36ee-4989-aa61-9dd8e30a82fa} -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-2052111302-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{64ba30a2-811a-4597-b0af-d551128be340} -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-2052111302-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E} -> Adware.SpywareQuake : Cleaned with backup
    HKU\S-1-5-21-2052111302-527237240-839522115-1003\Software\Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340} -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-2052111302-527237240-839522115-1003\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E} -> Adware.SpywareQuake : Cleaned with backup
    HKU\S-1-5-21-2052111302-527237240-839522115-1003_Classes\CLSID\{64ba30a2-811a-4597-b0af-d551128be340} -> Trojan.Small : Cleaned with backup
    HKU\S-1-5-21-2052111302-527237240-839522115-1003_Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E} -> Adware.SpywareQuake : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ads18.bpath[1].txt -> TrackingCookie.Bpath : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@com[1].txt -> TrackingCookie.Com : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@counter8.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@counter9.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@cz8.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@e-2dj6wgmisldpskp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@e-2dj6whkoakczgeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@e-2dj6wjliejajiep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@e-2dj6wjmycnc5slp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@e-2dj6wjny-1jdpkk.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-bestbuy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-boltmedia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-dig.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-ifilm.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-ioffer.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-newegg.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-sonycomputer.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-theviptour.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-tigerdirect2.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@ehg-triseptsoultions.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@entrepreneur.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@popuptraffic[1].txt -> TrackingCookie.Popuptraffic : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@snagajob.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@sonycorporate.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@stat.onestat[2].txt -> TrackingCookie.Onestat : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@valueclick[2].txt -> TrackingCookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@web4.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@www.adtrak[2].txt -> TrackingCookie.Adtrak : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
    C:\Documents and Settings\Nate\Cookies\nate@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
    C:\Documents and Settings\Nate\Desktop\hijackthis.zip/backups/backup-20060522-163609-547.dll -> Downloader.Zlob : Error during cleaning
    C:\Documents and Settings\Nate\Desktop\hijackthis.zip/backups/backup-20060522-182103-526.dll -> Downloader.Zlob : Error during cleaning
    C:\Documents and Settings\Nate\Local Settings\Temp\Rar$EX00.391\backups\backup-20060522-163609-547.dll -> Downloader.Zlob : Cleaned with backup
    C:\Documents and Settings\Nate\Local Settings\Temp\Rar$EX00.391\backups\backup-20060522-182103-526.dll -> Downloader.Zlob : Cleaned with backup


    ::Report End



    ______________________________________________________________



    Logfile of HijackThis v1.99.1
    Scan saved at 4:05:38 PM, on 6/28/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Nate\LOCALS~1\Temp\Rar$EX00.984\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [P2kAutostart] V329
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • edited June 2006
    • Download HijackThis again, but don’t hit “Open”, but “Save as”. Then navigate to your desktop, and hit “Save”. After downloading, minimize all windows until you’re on your desktop.
    • Now double-click on the zip file containing the HijackThis.exe file. Select the HijackThis.exe, and hit the combination “Ctrl + C”.
    • Minimize the zipfolder, and go to My Computer. Double-click on C:/, then double-click on Program Files.
    • In the menu bar you’ll find “File”. Click it, then choose “New”, and then “Folder”.
    • Call this folder HijackThis. Double-click to open this – new – folder.
    • Now use the combination “Ctrl + V” to paste the HijackThis.exe into this folder. Now close all other windows, and double-click on the HijackThis.exe in the folder you’ve just created.

    You will now get HijackThis in a permanent folder.


    Next please place a checkmark by the following entry:
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    Close all windows other than HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.

    Upon reboot, delete the following folder:
    C:\Program Files\winupdates



    Rescan with HijackThis and post the new log in your next reply.
  • edited June 2006
    So uhh winupdate folder was not in C:/program files...... i dno if thats a good or bad thing. any hoo here is the HijackThis rapport.


    Logfile of HijackThis v1.99.1
    Scan saved at 2:47:25 PM, on 6/29/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ICQLite\ICQLite.exe
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
    C:\Program Files\MySpace\IM\MySpaceIM.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\iTunes\iTunes.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [P2kAutostart] V329
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus C80 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C80 Series" /O5 "LPT1:" /M "Stylus C80"
    O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
    O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt4_x.cab
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
    O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe




    thanks in advance
  • edited June 2006
    Your HijackThis log appears clean. However since HijackThis does not scan the entire system, could you please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
    Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
    • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
    • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
    • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
    • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
    • Under "Please select a target to scan:", click My Computer to start the scan.
    When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.
Sign In or Register to comment.