
IE - Home page jumps to various sites.

Hello, I would like to request some help regarding the IE homepage. I set it to about:blank; however, it keeps jumping to a page known as http://www.guarduptodate.com. It's a "Security Center" site which I really think is another adware program. I've used Spybot Search & Destroy and Ad-Aware, and scanned with ewido. I've tried SmitRem, but I could never get it to run even after I extracted the folder. Please help me, thank you.

Also, my computer was infected with SpywareQuake a few days ago, but after running some of those anti-spyware tools it stopped. I'm still not too sure whether I removed it thoroughly or not, though. Please check for me.

Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 3:59:47 AM, on 5/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF454.tmp
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
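A triage helper for logs like the one above, added here as an example; it is not part of the original post and not a HijackThis feature. It parses the O2, O16 and O20 sections and flags the three patterns that turned out to matter in this thread: a BHO backed by a .tmp file in system32, an ActiveX (O16 DPF) download from a host outside a trust list, and a Winlogon Notify package that is not a stock Windows one. The sample lines are copied from the logs posted in the thread; the trusted-host list and the known-package baseline are assumptions made for the illustration, not lists taken from the forum.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Sample entries copied from the HijackThis logs in this thread. The O4 and
# O23 lines are benign controls; the Panda O16 line comes from the last log.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpF454.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - Winlogon Notify: winmxw32 - C:\WINDOWS\SYSTEM32\winmxw32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
"""

# Assumed baselines (not from the thread): hosts you have decided to trust for
# ActiveX downloads, and Winlogon Notify packages that ship with Windows XP.
TRUSTED_DPF_HOSTS = {"a1540.g.akamai.net", "acs.pandasoftware.com"}
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O2"
    reason: str    # why this line deserves attention
    line: str      # the original log line


def triage_hjt(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and flag the entry types that carried the
    infection in this thread: a BHO backed by a throw-away .tmp file, an
    ActiveX (DPF) download from an untrusted host, and a Winlogon Notify
    DLL that is not a stock Windows package."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()

        if section == "O2" and (bho := BHO_RE.match(body)):
            name, _clsid, path = bho.groups()
            # A legitimate BHO has a vendor name and a .dll. A placeholder
            # name plus a .tmp in system32 is the pattern seen in this thread
            # (hpF454.tmp, hp34C2.tmp, hp5385.tmp: a new name every reboot).
            if path.lower().endswith(".tmp") or name.strip().lower() in {"nothing", "(no name)", ""}:
                findings.append(Finding(section, f"BHO '{name}' loads from temp file {path}", raw))

        elif section == "O16" and (dpf := DPF_RE.match(body)):
            _clsid, _classname, url = dpf.groups()
            host = (urlsplit(url).hostname or "").lower()
            # Judge the host that serves the CAB, not the path: the QuickTime
            # line mentions apple.com in its path but is served from akamai.net.
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, f"ActiveX download from untrusted host {host}", raw))

        elif section == "O20" and (ntf := NOTIFY_RE.match(body)):
            name, path = ntf.groups()
            # Winlogon Notify DLLs load into winlogon.exe at every logon,
            # before the user's shell, so anything off-baseline is serious.
            if name.lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, f"unknown Winlogon Notify package {name} ({path})", raw))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}")
```

Run against the sample it reports exactly the three entries Nuppi went after (the hp*.tmp BHO, the Yazzle CAB, and winmxw32.dll) and stays silent on the NVIDIA and QuickTime lines. The baselines are the part to maintain: a DPF host list is only as good as the review that put each host on it.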

Comments

  • Nuppi (South Ostrobothnia, Finland)
    edited May 2006
    Hi Eggman83,

    Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

    Unzip it (the folder is named SmitfraudFix) to your desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd.
    Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

    Post the contents of this text file here.

    (Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)
  • edited May 2006
    Hello Nuppi, thanks for the reply. SmitfraudFix still has the same problem as SmitRem: I just cannot run it for some reason. After I extracted it and double-clicked on it, a message from the prompt popped up for less than one second. I managed to get a glimpse of what it said. It showed something like "'find' is not recognized as an internal or external command, operable program or batch file." I'm still not too sure where the problem is.
  • Nuppi (South Ostrobothnia, Finland)
    edited May 2006
    SmitfraudFix has been updated, so download it again: delete the old SmitfraudFix folder from your desktop and extract the SmitfraudFix folder from the new zip to your desktop.

    Boot your computer in safe mode.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd.

    Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

    You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and pressing "Enter" in order to remove your desktop wallpaper and the infected registry keys.

    The tool checks whether the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and pressing "Enter".

    The tool might have to restart your computer; if it doesn't, restart your computer back to normal mode.
    A text file will appear after the cleaning process; copy this file and paste it here.
    The log is saved to your local disk drive, usually C:\rapport.txt.
  • edited May 2006
    Hello Nuppi,

    Again I've downloaded the new SmitfraudFix, but still no luck running it (I guess there are lots of problems with my computer). Are there any other ways to fix this?

    Thanks
  • Nuppi (South Ostrobothnia, Finland)
    edited May 2006
    Hi Eggman83,

    Well, it is possible to get rid of SmitFraud.

    Update your ewido, but don't run it yet.

    Please download KillBox:

    http://www.downloads.subratam.org/KillBox.zip
    Unzip it to your desktop.
    Run it.

    Choose:

    * Delete on Reboot
    * Click the All Files option.


    # Copy and paste the following lines to the clipboard:

    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\winmxw32.dll
    C:\WINDOWS\system32\dvdcap.dll
    C:\WINDOWS\pop06ap2.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\simpole.tlb
    C:\WINDOWS\system32\stdole3.tlb
    C:\WINDOWS\system32\dlh9jkdq?.exe
    C:\WINDOWS\system32\twain32.dll
    C:\WINDOWS\system32\hpF454.tmp

    # Return to KillBox, go to File, and choose Paste from Clipboard.

    # Click the red-white Delete File button. Click Yes to "Delete on Reboot".
    Click OK to every question PendingFileRenameOperations asks, and let me know if those appear.

    Your computer should restart now. If not, reboot it yourself.

    If you get the message "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered",
    download this and run it, then try again:
    http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe

    Boot the computer straight to safe mode.

    Delete this folder if it exists:
    C:\WINDOWS\system32\1024

    Launch ewido.

    Click Scanner > Options and mark "scan every file".
    Go back to Scanner and choose "Complete system scan".
    Save the report.

    Boot normally and send a fresh HijackThis log and ewido's report.
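KillBox's "Delete on Reboot" rests on the MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT mechanism: each queued operation is stored as a source/destination string pair in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; an empty destination means "delete", a leading "!" on the destination means "replace the existing target", and smss.exe carries the list out early in the next boot, before the malware's own autostart entries get a chance to run. The Python below is an added example (not from the thread and not KillBox's code) that encodes and decodes that value offline, so you can audit what is already queued or build the delete list Nuppi asked for. The pre-existing wininet.dll rename is a constructed sample value; the paths are the ones listed above, and the wildcard entry is refused because the kernel takes the names literally.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Where MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) queues its work; smss.exe
# processes the list at the next boot, before drivers, services or user code.
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"   # sources/destinations are stored as NT object paths


@dataclass
class PendingOp:
    source: str                  # Win32 path with the \??\ prefix removed
    destination: Optional[str]   # None means "delete source at boot"
    replace_existing: bool       # destination carried the leading '!' flag


def encode_multi_sz(strings: list[str]) -> bytes:
    """REG_MULTI_SZ: each string UTF-16LE and NUL-terminated, then a final NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob: bytes) -> list[str]:
    """Split by data length, not at the first empty string: an empty element
    is legal in this value and is exactly how a delete is encoded."""
    text = blob.decode("utf-16-le")
    body = text[:-1] if text.endswith("\0") else text   # drop list terminator
    if not body:
        return []
    parts = body.split("\0")
    return parts[:-1] if parts[-1] == "" else parts      # drop tail after last NUL


def parse_pending_ops(blob: bytes) -> list[PendingOp]:
    """Turn the raw value into (source, destination, replace) records."""
    strings = decode_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        ops.append(PendingOp(
            source=src.removeprefix(NT_PREFIX),
            destination=dst.removeprefix(NT_PREFIX) or None,
            replace_existing=replace,
        ))
    return ops


def queue_deletes(blob: bytes, paths: list[str]) -> tuple[bytes, list[str]]:
    """Append boot-time deletions for `paths` (what 'Delete on Reboot' does).
    Duplicates collapse to one entry; wildcards are refused because smss
    takes the names literally. Returns (new value data, skipped paths)."""
    strings = decode_multi_sz(blob)
    already = {s.removeprefix(NT_PREFIX).lower() for s in strings[0::2]}
    skipped = []
    for p in (p.strip() for p in paths):
        if not p:
            continue
        if "?" in p or "*" in p:
            skipped.append(p)
            continue
        if p.lower() in already:
            continue
        already.add(p.lower())
        strings += [NT_PREFIX + p, ""]          # empty destination = delete
    return encode_multi_sz(strings), skipped


# Constructed sample of what the value might already hold: a Windows Update
# style rename of a staged file over wininet.dll, with the replace flag set.
EXISTING_VALUE = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\system32\SET3A.tmp",
    "!" + NT_PREFIX + r"C:\WINDOWS\system32\wininet.dll",
])

# Part of the file list given for KillBox in this thread.
KILLBOX_LIST = [
    r"C:\WINDOWS\system32\dcomcfg.exe",
    r"C:\WINDOWS\system32\atmclk.exe",
    r"C:\WINDOWS\system32\winmxw32.dll",
    r"C:\WINDOWS\system32\dcomcfg.exe",      # listed twice in the thread
    r"C:\WINDOWS\system32\dlh9jkdq?.exe",    # wildcard: cannot be queued as-is
    r"C:\WINDOWS\system32\hpF454.tmp",
]

if __name__ == "__main__":
    new_value, skipped = queue_deletes(EXISTING_VALUE, KILLBOX_LIST)
    for op in parse_pending_ops(new_value):
        if op.destination is None:
            print(f"{op.source}: DELETE")
        else:
            flag = " (replace)" if op.replace_existing else ""
            print(f"{op.source}: RENAME -> {op.destination}{flag}")
    print("skipped:", skipped)
```

The same decoder is the check to run after the reboot Nuppi describes: if the value is still present and lists names you did not queue, something is re-arming itself or abusing the key for its own renames, which is also why the helper asked to be told if PendingFileRenameOperations prompts appeared.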
  • edited May 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 10:19:54 PM, on 5/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Borland\InterBase\bin\ibguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Borland\InterBase\bin\ibserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp34C2.tmp
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
    O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


    ewido anti-malware - Scan report

    + Created on: 10:11:03 PM, 5/6/2006
    + Report-Checksum: 55E883B8

    + Scan result:

    HKLM\SOFTWARE\Classes\WinRes.WindowsResources -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CLSID -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinRes.WindowsResources\CurVer -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\WinRes.WindowsResources.1 -> Adware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
    C:\!KillBox\winmxw32.dll -> Trojan.Agent.qt : Cleaned with backup
    C:\!KillBox\winmxw32.dll( 3) -> Trojan.Agent.qt : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.50:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.53:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.63:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.64:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Sexcounter : Cleaned with backup
    :mozilla.66:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.67:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.68:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
    :mozilla.77:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.78:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.148:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.149:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.175:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.232:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.240:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Paycounter : Cleaned with backup
    :mozilla.244:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.245:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.247:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.248:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.249:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.250:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
    :mozilla.252:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
    :mozilla.283:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.319:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.320:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.321:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.322:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.324:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned with backup
    :mozilla.325:C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt -> TrackingCookie.Komtrack : Cleaned with backup
    C:\Documents and Settings\Harry Lin\Cookies\harry lin@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Harry Lin\Cookies\harry lin@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Harry Lin\Local Settings\Temp\!update.exe -> Downloader.PurityScan.w : Cleaned with backup
    C:\Documents and Settings\Harry Lin\Local Settings\Temp\cli688.tmp -> Trojan.Agent.qt : Cleaned with backup
    C:\Documents and Settings\Harry Lin\Local Settings\Temporary Internet Files\Content.IE5\G9EFA5WP\srvlbin5[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\Harry Lin\Local Settings\Temporary Internet Files\Content.IE5\O5UNMX8R\wizp32[1].exe -> Downloader.IstBar.eq : Cleaned with backup
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup
    C:\Program Files\Common Files\аѕsembly\attrib.exe -> Downloader.PurityScan.w : Cleaned with backup
    C:\Program Files\SpyFalcon -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\blacklist.txt -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\Lang -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\Lang\English.ini -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\Logs -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\msvcp71.dll -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\msvcr71.dll -> Adware.SpyFalcon : Cleaned with backup
    -> : Error during cleaning
    C:\Program Files\SpyFalcon\SpyFalcon.url -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\syg.db -> Adware.SpyFalcon : Cleaned with backup
    C:\Program Files\SpyFalcon\uninst.exe -> Adware.SpyFalcon : Cleaned with backup
    C:\WINDOWS\Temp\win82E6.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win82EB.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup


    ::Report End
  • Nuppi (South Ostrobothnia, Finland)
    edited May 2006
    Hi Eggman83, it looks better.


    Run HijackThis, then check and fix:

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp34C2.tmp


    Turn off your system restore:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306084

    Please download CCleaner:
    http://www.snapfiles.com/get/ccleaner.html

    Instructions:
    http://www.ccleaner.com/help/tour1.asp

    Run CCleaner with the "Cleaner" and "Issues" options.

    Then boot your computer to safe mode and delete this folder:

    C:\Program Files\SpyFalcon\

    Run ewido with the same settings as before.

    Boot normally and turn system restore back on.

    Send a fresh HijackThis log and ewido's report.
  • edited May 2006
    Alright, will do so in a bit. I also just want to let you know that after restarting my computer last time, after scanning with ewido, SpyFalcon reappeared for some reason.
  • edited May 2006
    Here's the latest HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:48:00 AM, on 5/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Borland\InterBase\bin\ibguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Borland\InterBase\bin\ibserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
    O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
  • Nuppi (South Ostrobothnia, Finland)
    edited May 2006
    # Print out these instructions, as we will need to close every window that is open later in the fix.

    Download Roguescanfix for your language from here:

    http://www.martijnc.be/tools/roguescanfix.exe

    # Download FixSQ.reg to your desktop by right-clicking on the following link and then selecting Save Link As or Save File As, depending on your browser.

    http://www.bleepingcomputer.com/files/reg/FixSQ.reg


    # Confirm that the file Roguescanfix.exe now resides on your desktop.

    # Double-click on the roguescanfix.exe file found on your desktop and then press the Install button. The file will create a folder on your desktop called roguescanfix.

    # Double-click on the roguescanfix folder and then double-click on Run.bat. Please note that when Run.bat starts it will download a program from the Internet that it needs to use during the cleanup. If your firewall gives an alert about this, please allow the download.exe or run.bat program to access the Internet.

    When you start the Run.bat program your desktop will disappear, which is normal, so you do not need to be concerned. It will then start the SpywareQuake uninstallation program. When that program starts, click on the Uninstall button. When it has finished uninstalling, you can then press the OK button to finish the uninstallation of SpywareQuake.

    When this program is finished, and it was able to delete all the files, you will see a small prompt that says Completed script execution. Simply press the OK button. It will then open the Brute Force Uninstaller program. You can simply press the Exit button and continue to Step 5.

    If there were more files that needed to be deleted, the program will prompt you to reboot your computer.

    Run FixSQ.reg.

    Scan your computer with Panda's online scanner, using Internet Explorer.
    http://www.pandasoftware.com/products/activescan.htm

    Save Panda's report.

    Reboot the computer, and send a fresh HijackThis log and Panda's report.
  • edited May 2006
    Logfile of HijackThis v1.99.1
    Scan saved at 6:13:45 AM, on 5/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Borland\InterBase\bin\ibguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Borland\InterBase\bin\ibserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
    O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


    Incident Status Location

    Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe
    Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe( 4)
    Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe
    Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe( 5)
    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[ad.yieldmanager.com/]
    Adware:adware/securityerror
  • NuppiNuppi South Ostrobothnia (Finland)
    edited May 2006
    Fine, it works and looks better now.

    Run Killbox.

    Choose

    * Delete on Reboot
    * Click All Files option.


    # Copy and paste the following lines to the clipboard:

    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\winmxw32.dll
    C:\WINDOWS\system32\dvdcap.dll
    C:\WINDOWS\system32\hp5385.tmp
    C:\WINDOWS\system32\regperf.exe

    # Return to Killbox, go to File, and choose Paste from Clipboard.

    # Click the red-and-white Delete File button. Click Yes to "Delete on Reboot".
    Click OK to every question PendingFileRenameOperations asks, and let me know if those exist.

    Your computer should restart now. If not, reboot it yourself.

    Run Panda's online scan again.

    Send Panda's report and a fresh HijackThis log.
  • edited May 2006
    Here's my latest log Nuppi, I think the guarduptodate has been eliminated. I wish I could come over and treat you to dinner :) I would like to know which Anti Virus Protection would you recommend to use? I really don't have any at the moment. I usually use Mozilla most of the time, so I really have no idea which one to go for.

    Thank you very much!

    Logfile of HijackThis v1.99.1
    Scan saved at 12:15:42 PM, on 5/9/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Borland\InterBase\bin\ibguard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Borland\InterBase\bin\ibserver.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp (file missing)
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
    O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



    Incident Status Location

    Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe
    Adware:Adware/SecurityError Not disinfected C:\!KillBox\atmclk.exe( 4)
    Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe
    Adware:Adware/SecurityError Not disinfected C:\!KillBox\dcomcfg.exe( 5)

    Spyware:Cookie/Falkag Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[as1.falkag.de/]

    Spyware:Cookie/Adtech Not disinfected
    C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[.adtech.de/]

    Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[.zedo.com/]

    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Harry Lin\Application Data\Mozilla\Firefox\Profiles\uz0ict56.default\cookies.txt[.ads.pointroll.com/]
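    A small triage script for HijackThis logs like the one just posted, added here as an example (it is not part of the thread, HijackThis, or any tool the helper uses). It flags the same kinds of entries the helper keeps asking to fix: entries marked "(file missing)", a BHO (O2) loaded from a .tmp file in system32, a Winlogon Notify DLL (O20), and an ActiveX download (O16) from a host outside a constructed allowlist. The sample log is an excerpt copied from the log above; the allowlist and the rule set are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the HijackThis log posted in the thread (constructed sample for
# this example; entries copied verbatim, with one benign O4/O23 each kept
# so the script has something to leave alone).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O2 - BHO: ..." style lines
TMP_IN_SYSTEM32_RE = re.compile(r"\\system32\\[^\\\s]+\.tmp\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([^/\s]+)")

# Assumed allowlist for O16 (ActiveX download) hosts: the QuickTime installer
# served through Akamai and Panda's scanner, both present in the posted log.
TRUSTED_DPF_HOSTS = ("akamai.net", "pandasoftware.com")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _host_trusted(host):
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage_entry(section, body, line):
    """Apply the rule set to one O-entry; return a Finding or None."""
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("referenced file is missing: orphaned entry, safe to fix")
    if section == "O2" and TMP_IN_SYSTEM32_RE.search(body):
        reasons.append("BHO loaded from a .tmp file in system32")
    if section == "O20" and body.startswith("Winlogon Notify"):
        reasons.append("Winlogon Notify DLL runs at every logon; verify the DLL")
    if section == "O16":
        m = URL_RE.search(body)
        if m and not _host_trusted(m.group(1).lower()):
            reasons.append("ActiveX download from host not on the allowlist: " + m.group(1))
    return Finding(section, line, reasons) if reasons else None


def triage(log_text):
    """Return the flagged O-entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the process list are not O-entries
        finding = triage_entry(m.group(1), m.group(2), line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   -", r)
```

    Run against the excerpt it flags four entries: both O2 lines, the O16 download from yax-download.yazzle.net, and the O20 winmxw32 entry (which collects two reasons), while the NVIDIA O4 and O23 lines pass. Anything flagged still needs a human decision; the script only narrows the list.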
  • NuppiNuppi South Ostrobothnia (Finland)
    edited May 2006
    To make sure of that, please do the following.

    Scan with HijackThis and check these:

    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll (file missing)
    O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hp5385.tmp (file missing)
    O20 - Winlogon Notify: winmxw32 - winmxw32.dll (file missing)

    Close all windows except HijackThis and click Fix Checked.

    Run Killbox.

    Choose

    * Delete on Reboot
    * Click All Files option.


    # Copy and paste the following lines to the clipboard:

    C:\WINDOWS\system32\dcomcfg.exe
    C:\WINDOWS\system32\atmclk.exe
    C:\WINDOWS\system32\winmxw32.dll
    C:\WINDOWS\system32\dvdcap.dll
    C:\WINDOWS\system32\hp5385.tmp
    C:\WINDOWS\system32\regperf.exe
    C:\WINDOWS\system32\winapi32.dll
    C:\WINDOWS\system32\reglogs.dll

    # Return to Killbox, go to File, and choose Paste from Clipboard.

    # Click the red-and-white Delete File button. Click Yes to "Delete on Reboot".
    Click OK to every question PendingFileRenameOperations asks, and let me know if those exist.

    Your computer should restart now. If not, reboot it yourself.

    Boot directly into Safe Mode and rescan with Ewido ("every file" complete system scan). Save the report.

    Run Panda's online scan again.

    Send Panda's report, a fresh HijackThis log and Ewido's report.

    Good free antivirus:

    AVG (I use it)
    AVAST
    ANTIVIR

    Download a firewall too.

    Zone Alarm
    Kerio
    Outpost
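    Both Killbox posts in this thread (this one and the earlier one) rely on "Delete on Reboot", which schedules the files through the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The following script is an added example, not Killbox's code or anything from the thread, showing how that REG_MULTI_SZ value is laid out (pairs of source and target; an empty target means delete, a leading "!" on the target means replace) and how a defender can list what is queued before the reboot happens. The sample value is constructed to match the file list above; the reading helper uses the standard winreg module on Windows and returns nothing elsewhere.

```python
import sys

PFRO_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"

# Constructed sample of the value after scheduling deletes for four of the
# files listed in the post (one delete per file, so every second string is
# empty) plus one rename of the kind an installer would leave behind.
# Not read from a real machine.
SAMPLE_PFRO = [
    r"\??\C:\WINDOWS\system32\dcomcfg.exe", "",
    r"\??\C:\WINDOWS\system32\atmclk.exe", "",
    r"\??\C:\WINDOWS\system32\winmxw32.dll", "",
    r"\??\C:\WINDOWS\system32\hp5385.tmp", "",
    r"\??\C:\WINDOWS\Temp\nvcpl.dll.new", r"!\??\C:\WINDOWS\System32\NvCpl.dll",
]


def _strip_prefix(path):
    """Drop the NT object-manager prefix the kernel expects (\\??\\C:\\... -> C:\\...)."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pfro(strings):
    """Turn the REG_MULTI_SZ string list into a list of rename/delete operations.

    Strings come in pairs (source, target). An empty target deletes the source;
    a target starting with "!" overwrites an existing file. A trailing unpaired
    string is ignored.
    """
    ops = []
    for i in range(0, len(strings) - len(strings) % 2, 2):
        src, dst = strings[i], strings[i + 1]
        if dst == "":
            ops.append({"op": "delete", "source": _strip_prefix(src), "target": None})
        else:
            ops.append({
                "op": "replace" if dst.startswith("!") else "rename",
                "source": _strip_prefix(src),
                "target": _strip_prefix(dst.lstrip("!")),
            })
    return ops


def pending_deletes_in(ops, directory):
    """Sources queued for deletion under the given directory (case-insensitive)."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return [o["source"] for o in ops
            if o["op"] == "delete" and o["source"].lower().startswith(prefix)]


def read_live_pfro():
    """Read the real value on Windows; returns [] elsewhere or when it is unset."""
    if sys.platform != "win32":
        return []
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PFRO_KEY) as key:
            value, kind = winreg.QueryValueEx(key, PFRO_VALUE)
    except OSError:
        return []
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    strings = read_live_pfro() or SAMPLE_PFRO
    for op in parse_pfro(strings):
        print(op["op"].upper().ljust(8), op["source"], "->", op["target"] or "(delete)")
```

    On the sample this lists four deletes under C:\WINDOWS\system32 and one replace of NvCpl.dll. The same queue is worth inspecting on a machine you are cleaning: anything you did not schedule yourself (for instance a pending rename dropping a new DLL into system32) is a reboot-time change that deserves a look before you restart.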