HELP!!! ISearchTech

I'm trying so hard to get rid of the above but alas.. it's just not happening! There still seem to be entries of Powerscan and Sidefind all over the place and Spybot and Adaware won't shift them. Here is my log.. please can someone help me out? I'm going insane! Can you also let me know if there's any other rubbish that needs deleting. Thanks in advance :)

Logfile of HijackThis v1.98.2
Scan saved at 19:59:53, on 21/02/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\nhksrv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
C:\WINDOWS\System32\asr_fnt.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
C:\WINDOWS\System32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Gem\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ABRECEIVER] "C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [nvsv32.exe] asr_fnt.exe
O4 - HKLM\..\RunServices: [nvsv32.exe] asr_fnt.exe
O4 - HKLM\..\RunOnce: [nvsv32.exe] asr_fnt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
O4 - HKCU\..\Run: [nvsv32.exe] asr_fnt.exe
O4 - HKCU\..\RunOnce: [nvsv32.exe] asr_fnt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab

Comments

  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    You are using an outdated version of Hijackthis. Please download the current version and post a new hijackthis log.

    http://www.short-media.com/download.php?d=245
  • edited February 2005
    Sorry about that! Here is my new log :) Thanks again!!

    Logfile of HijackThis v1.99.1
    Scan saved at 20:53:42, on 22/02/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\apvxdwin.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
    C:\Documents and Settings\Gem\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ABRECEIVER] "C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted IP range: 206.161.125.149
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Panda Antispam Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    O23 - Service: Panda Imanager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\d3by32.exe (file missing)
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Download (right-click and select Save file as or Save link as): DelDomains.inf
    http://mvps.org/winhelp2002/DelDomains.inf

    Close all open browsers
    Right-click DelDomains.inf and select: Install



    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\d3by32.exe (file missing)



    Delete these files, if present.

    C:\WINDOWS\d3by32.exe
    C:\WINDOWS\system32\pnybr.dll



    Reboot and post a new hijackthis log.
  • edited February 2005
    Here is my new log....

    Logfile of HijackThis v1.99.1
    Scan saved at 21:25:07, on 23/02/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Gem\Desktop\HijackThis.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\PAVJOBS.EXE
    C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ABRECEIVER] "C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Panda Antispam Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    O23 - Service: Panda Imanager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\d3by32.exe (file missing)

    Thanks :)
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Copy the contents of the Quote Box below to Notepad.

    Edit out any spaces that show up such as Curr entVersion, should be CurrentVersion.

    Name the file as fix.reg
    Change the Save as Type to All Files
    Save this file on the desktop
    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_%AF夶À¨]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%AF夶À¨]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%AF夶À¨]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%AF夶À¨]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

    Then double-click on the fix.reg file, and when it prompts to merge say yes.


    Reboot and post a new hijackthis log.
  • edited February 2005
    I did as you asked, here's my new log :)

    Logfile of HijackThis v1.99.1
    Scan saved at 16:08:29, on 24/02/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
    C:\Documents and Settings\Gem\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [cFosInst_Check] "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [ABRECEIVER] "C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class) - http://companion.logitech.com/companion/bin/imvid.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw12fd.law12.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: Panda Antispam Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\Firewall\PavFires.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    O23 - Service: Panda Imanager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
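The fix-and-rescan cycle in this thread comes down to comparing successive HijackThis logs and re-checking the kinds of entries the helper selected. The sketch below is an added example, not part of any post and not HijackThis code. The three sample scans are constructed, abridged from the logs above with the mis-encoded service name replaced by a placeholder, and the review rules only mirror the entry types fixed in this thread.

```python
import re

# Matches HijackThis result lines such as "R1 - ..." or "O23 - ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")

def parse_entries(log_text):
    """Return the result lines of a log as (section, body) tuples, in order."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def diff_logs(before, after):
    """Entries that disappeared from, and appeared in, the later scan."""
    old, new = parse_entries(before), parse_entries(after)
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added

def review_reason(entry):
    """Why an entry resembles one fixed in this thread, or None."""
    section, body = entry
    if section in ("R0", "R1") and re.search(r"= res://.*\.dll/", body, re.I):
        return "IE search setting loads a page from inside a DLL"
    if section == "O23" and body.endswith("(file missing)"):
        return "service is registered but its executable is missing"
    if section == "O15" and body.startswith("ProtocolDefaults:"):
        return "protocol is mapped to the wrong security zone"
    return None

def needs_review(log_text):
    """All (entry, reason) pairs in a log that match a review rule."""
    flagged = []
    for entry in parse_entries(log_text):
        reason = review_reason(entry)
        if reason:
            flagged.append((entry, reason))
    return flagged

# Constructed, abridged excerpts of the 22/02, 23/02 and 24/02 scans.
# "<garbled>" stands in for the mis-encoded service name.
SCAN_22 = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\pnybr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted IP range: 206.161.125.149
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service (<garbled>) - Unknown owner - C:\WINDOWS\d3by32.exe (file missing)
"""

SCAN_23 = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service (<garbled>) - Unknown owner - C:\WINDOWS\d3by32.exe (file missing)
"""

SCAN_24 = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

if __name__ == "__main__":
    scans = [("22/02", SCAN_22), ("23/02", SCAN_23), ("24/02", SCAN_24)]
    for (d1, s1), (d2, s2) in zip(scans, scans[1:]):
        removed, added = diff_logs(s1, s2)
        print(f"{d1} -> {d2}: {len(removed)} removed, {len(added)} added")
        for section, body in removed:
            print(f"  - {section} - {body}")
        for (section, body), reason in needs_review(s2):
            print(f"  still to review: {section} ({reason})")
```
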
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Have hijackthis fix these two lines.

    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


    Aside from that, your log looks clean to me.

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

      You can find instructions on how to enable and reenable system restore here:

      Managing Windows Millennium System Restore

      or

      Windows XP System Restore Guide

      Re-enable system restore with instructions from tutorial above

    2. Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        1. Change the Download signed ActiveX controls to Prompt
        2. Change the Download unsigned ActiveX controls to Disable
        3. Change the Initialize and script ActiveX controls not marked as safe to Disable
        4. Change the Installation of desktop items to Prompt
        5. Change the Launching programs and files in an IFRAME to Prompt
        6. Change the Navigate sub-frames across different domains to Prompt
        7. When all these settings have been made, click on the OK button.
        8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.

    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and Removal Resources

    4. Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

    5. Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls

    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

    8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

    9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer from Spyware and Malware

    10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.
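An added example, not part of the original post: the six Custom Level settings from step 2, together with the O15 ProtocolDefaults finding, checked against a registry export instead of clicking through the dialog. The value names are the standard IE URL action IDs for the Internet Zone (zone 3); the export text and the function names are constructed for illustration.

```python
import re

# Value names under ...\Internet Settings\Zones\3 (Internet Zone) are URL
# action IDs; the data is a DWORD policy: 0 = Enable, 1 = Prompt, 3 = Disable.
POLICY = {0: "Enable", 1: "Prompt", 3: "Disable"}
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", 1),
    "1004": ("Download unsigned ActiveX controls", 3),
    "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
    "1800": ("Installation of desktop items", 1),
    "1804": ("Launching programs and files in an IFRAME", 1),
    "1607": ("Navigate sub-frames across different domains", 1),
}
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
ZONE3_SUFFIX = r"\internet settings\zones\3"
PROTO_SUFFIX = r"\internet settings\zonemap\protocoldefaults"

# Constructed sample in regedit export format (already decoded to text).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000001
"1800"=dword:00000001
"1804"=dword:00000001
"1607"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
"http"=dword:00000000
"""


def parse_reg_export(text):
    """Return {lower-cased key path: {lower-cased value name: int}} for DWORDs."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def audit(text):
    """Return (hive, setting, current, recommended) for every deviation."""
    findings = []
    for path, values in parse_reg_export(text).items():
        hive = path.split("\\", 1)[0].upper()
        if path.endswith(ZONE3_SUFFIX):
            for action, (label, want) in RECOMMENDED.items():
                got = values.get(action)
                if got != want:
                    shown = "not set" if got is None else POLICY.get(got, hex(got))
                    findings.append((hive, label, shown, POLICY[want]))
        elif path.endswith(PROTO_SUFFIX):
            zone = values.get("http")
            if zone is not None and zone != 3:
                findings.append((hive, "'http' protocol default zone",
                                 ZONE_NAMES.get(zone, str(zone)), "Internet"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("%s: %s is %s, should be %s" % finding)
```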
  • edited February 2005
    I've done everything that you asked but Spybot is still picking up ISearchTech.SideFind. I try to fix it and it says cannot be fixed as is in memory and asks me if I want to run Spybot on start up, I say yes and reboot.. Spybot searches but still doesn't get rid of it! Is there any way to go in and manually remove this?
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Please post the log from Spybot and we'll see where it's at.
  • edited February 2005
    Here it is.. hope that I did it right? I've never saved a SB log before :rolleyes:


    --- Search result list ---
    ISearchTech.SideFind: Settings (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}

    ISearchTech.SideFind: Settings (Registry key, nothing done)
    HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}


    --- Spybot - Search & Destroy version: 1.3 .1TX (build: 20040801) ---

    2004-05-12 blindman.exe (1.0.0.0)
    2004-08-30 SpybotSD.exe (1.3.0.12)
    2004-05-12 TeaTimer.exe (1.3.0.12)
    2004-06-15 unins000.exe (51.15.0.0)
    2004-05-12 Update.exe (1.3.0.0)
    2004-10-04 advcheck.dll (1.0.1.0)
    2004-05-12 borlndmm.dll (7.0.4.453)
    2004-05-12 delphimm.dll (7.0.4.453)
    2004-05-12 SDHelper.dll (1.3.0.12)
    2004-05-12 Tools.dll (2.0.0.0)
    2004-05-12 UnzDll.dll (1.73.1.1)
    2004-05-12 ZipDll.dll (1.73.2.0)
    2004-11-29 Includes\Cookies.sbi
    2005-02-16 Includes\Dialer.sbi
    2005-02-16 Includes\Hijackers.sbi
    2005-01-11 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2005-02-16 Includes\Malware.sbi
    2004-11-29 Includes\Revision.sbi
    2005-02-09 Includes\Security.sbi
    2005-02-16 Includes\Spybots.sbi
    2005-02-16 Includes\Tracks.uti
    2005-02-16 Includes\Trojans.sbi



    --- System information ---
    Windows XP (Build: 2600) Service Pack 2
    / DataAccess: Microsoft Data Access Components KB870669
    / Internet Explorer 6 / SP1: Windows XP Hotfix - KB834707
    / MSXML4: Patch Available For XMLHTTP Vulnerability
    / Windows Media Player: Windows Media Update 819639
    / Windows XP / SP2: Windows XP Service Pack 2
    / Windows XP / SP3: Windows XP Hotfix - KB867282
    / Windows XP / SP3: Windows XP Hotfix - KB873333
    / Windows XP / SP3: Windows XP Hotfix - KB873339
    / Windows XP / SP3: Windows XP Hotfix - KB885250
    / Windows XP / SP3: Windows XP Hotfix - KB885835
    / Windows XP / SP3: Windows XP Hotfix - KB885836
    / Windows XP / SP3: Windows XP Hotfix - KB885884
    / Windows XP / SP3: Windows XP Hotfix - KB886185
    / Windows XP / SP3: Windows XP Hotfix - KB887472
    / Windows XP / SP3: Windows XP Hotfix - KB887742
    / Windows XP / SP3: Windows XP Hotfix - KB888113
    / Windows XP / SP3: Windows XP Hotfix - KB888302
    / Windows XP / SP3: Windows XP Hotfix - KB890047
    / Windows XP / SP3: Windows XP Hotfix - KB890175
    / Windows XP / SP3: Windows XP Hotfix - KB891781


    --- Startup entries list ---
    Located: HK_LM:Run, ABRECEIVER
    command: "C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe"
    file: C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe
    size: 81920
    MD5: c40cde569a7e14e6c11cee218760814a

    Located: HK_LM:Run, APVXDWIN
    command: "C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE" /s
    file: C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
    size: 299520
    MD5: 9fa5d7f2967ff47bc27fa1ca2347f84b

    Located: HK_LM:Run, cFosInst_Check
    command: "C:\WINDOWS\cFosOEM\cfosinst.exe" -install -inplace -checkisdn
    file: C:\WINDOWS\cFosOEM\cfosinst.exe
    size: 348215
    MD5: 95f9514b3bbbec5388473c34ed497900

    Located: HK_LM:Run, EM_EXEC
    command: C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    file: C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    size: 35328
    MD5: 171dde309efb4ce234abb65516672598

    Located: HK_LM:Run, EPSON Stylus Photo R200 Series
    command: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
    file: C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
    size: 99840
    MD5: 9830a1ca5424c22a40950efb9acc0e14

    Located: HK_LM:Run, Motive SmartBridge
    command: C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    file: C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    size: 380928
    MD5: 5b6f6348d4043de3dc42b497623303ff

    Located: HK_LM:Run, REGSHAVE
    command: C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

    Located: HK_LM:Run, SCANINICIO
    command: "C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe"
    file: C:\Program Files\Panda Software\Panda Platinum Internet Security\Inicio.exe
    size: 24576
    MD5: 490edb6a388701c9e45836801d79152f

    Located: HK_LM:Run, SunJavaUpdateSched
    command: C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    file: C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    size: 36972
    MD5: ffc7a8aa516b0d2a27dadf146eb538cc

    Located: HK_CU:Run, msnmsgr
    command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    file: C:\Program Files\MSN Messenger\msnmsgr.exe
    size: 6213632
    MD5: 2f60f16066bce72ea4a9a18035065d60

    Located: WinLogon, crypt32chain
    command: crypt32.dll

    Located: WinLogon, cryptnet
    command: cryptnet.dll

    Located: WinLogon, cscdll
    command: cscdll.dll

    Located: WinLogon, MCPClient
    command: C:\Program Files\Common Files\Stardock\mcpstub.dll
    file: C:\Program Files\Common Files\Stardock\mcpstub.dll
    size: 139264
    MD5: 48fcae7eb398aa8b17d6b5092397facf

    Located: WinLogon, ScCertProp
    command: wlnotify.dll

    Located: WinLogon, Schedule
    command: wlnotify.dll

    Located: WinLogon, sclgntfy
    command: sclgntfy.dll

    Located: WinLogon, SensLogn
    command: WlNotify.dll

    Located: WinLogon, termsrv
    command: wlnotify.dll

    Located: WinLogon, WB
    command: C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    file: C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
    size: 24576
    MD5: 9f884c45f10aaee442d4370ba90a1f89

    Located: WinLogon, wlballoon
    command: wlnotify.dll



    --- Browser helper object list ---


    --- ActiveX list ---
    ppctlcab (ppctlcab)
    DPF name: ppctlcab
    CLSID name:

    {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class)
    DPF name:
    CLSID name: Checkers Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: msgrchkr.dll
    Short name:
    Date (created): 29/05/2003 14:00:18
    Date (last access): 25/02/2005 22:50:32
    Date (last write): 29/05/2003 14:00:18
    Filesize: 77408
    Attributes: archive
    MD5: 42D567DF86B9B7AC4A89664C9651B68B
    CRC32: 47FF3D19
    Version: 0.7.0.1

    {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen)
    DPF name:
    CLSID name: PPSDKActiveXScanner.MainScreen
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: PPSDKActiveXScanner.ocx
    Short name: PPSDKA~1.OCX
    Date (created): 17/03/2004 02:41:36
    Date (last access): 29/11/2004 22:44:48
    Date (last write): 17/03/2004 02:41:36
    Filesize: 170608
    Attributes: archive
    MD5: 6EA60ECEBA1D024CE2106C7D9DB78AB1
    CRC32: 26FCC8AB
    Version: 0.1.0.5

    {33363249-0000-0010-8000-00AA00389B71} ()
    DPF name:
    CLSID name:

    {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class)
    DPF name:
    CLSID name: Symantec RuFSI Utility Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: rufsi.dll
    Short name:
    Date (created): 26/10/2004 18:14:18
    Date (last access): 25/02/2005 22:50:32
    Date (last write): 26/10/2004 18:14:18
    Filesize: 160928
    Attributes: archive
    MD5: 7FC8A8D89A80ED7443F00C31AEDAC9A9
    CRC32: 3EC34C3D
    Version: 7.212.0.6

    {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class)
    DPF name:
    CLSID name: MessengerStatsClient Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: messengerstatsclient.dll
    Short name: MESSEN~1.DLL
    Date (created): 29/05/2003 14:00:20
    Date (last access): 25/02/2005 22:50:32
    Date (last write): 29/05/2003 14:00:20
    Filesize: 160864
    Attributes: archive
    MD5: B069B555A00AA026F657AA4FD13AE154
    CRC32: 89BB01E1
    Version: 0.7.0.1

    {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object)
    DPF name:
    CLSID name: SassCln Object
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: SassCln.dll
    Short name:
    Date (created): 03/05/2004 14:39:54
    Date (last access): 25/02/2005 22:50:34
    Date (last write): 03/05/2004 14:39:54
    Filesize: 118784
    Attributes: archive
    MD5: A1C8571FA4B64CFC5C0CDA672F3C2D21
    CRC32: 06EBA55B
    Version: 0.1.0.0

    {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
    DPF name: Java Runtime Environment 1.5.0
    CLSID name: Java Plug-in 1.5.0
    Path: C:\Program Files\Java\jre1.5.0\bin\
    Long name: NPJPI150.dll
    Short name:
    Date (created): 18/12/2004 16:23:00
    Date (last access): 19/02/2005 15:46:38
    Date (last write): 18/12/2004 16:23:00
    Filesize: 69740
    Attributes: archive
    MD5: D25BB4762A876A3DBF6F2BAA36A179FA
    CRC32: 9367234B
    Version: 0.1.0.5

    {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class)
    DPF name:
    CLSID name: iTunesDetector Class
    Path: C:\Program Files\iTunes\
    Long name: ITDetector.ocx
    Short name: ITDETE~1.OCX
    Date (created): 08/03/2004 14:07:14
    Date (last access): 19/02/2005 15:46:42
    Date (last write): 08/03/2004 14:07:14
    Filesize: 49152
    Attributes: archive
    MD5: C45D0B763A601B1EEF0573F99F1DD732
    CRC32: 09E2233A
    Version: 0.2.0.0

    {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} (IMViewerControl Class)
    DPF name:
    CLSID name: IMViewerControl Class
    Path: C:\WINDOWS\System32\
    Long name: CIMVIEW.dll
    Short name:
    Date (created): 03/10/2002 17:15:46
    Date (last access): 19/02/2005 12:30:40
    Date (last write): 03/10/2002 17:15:46
    Filesize: 233472
    Attributes: archive
    MD5: 4E2984C9B83B352EBA3D023F0A8C499A
    CRC32: A94711C6
    Version: 0.1.0.2

    {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control)
    DPF name:
    CLSID name: Hotmail Attachments Control
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: HMAtchmt.ocx
    Short name:
    Date (created): 07/12/2002 03:21:34
    Date (last access): 26/12/2004 23:25:54
    Date (last write): 07/12/2002 03:21:42
    Filesize: 113008
    Attributes: archive
    MD5: AB8B49B64BF5A3F9B36978E33A37A5EF
    CRC32: EC5ACC60
    Version: 0.1.0.5

    {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class)
    DPF name:
    CLSID name: Solitaire Showdown Class
    Path: C:\WINDOWS\Downloaded Program Files\
    Long name: solitaireshowdown.dll
    Short name: SOLITA~1.DLL
    Date (created): 29/05/2003 15:00:20
    Date (last access): 25/02/2005 22:50:34
    Date (last write): 29/05/2003 15:00:20
    Filesize: 86112
    Attributes: archive
    MD5: 6E0E81210B17C225AD8DBB86F0C41E32
    CRC32: 1C944476
    Version: 0.7.0.1



    --- Process list ---

    PID: 0 ( 0) [System]
    PID: 4 ( 0) System
    PID: 276 ( 736) C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    PID: 360 ( 736) alg.exe
    PID: 420 ( 4) \SystemRoot\System32\smss.exe
    PID: 456 ( 736) C:\Program Files\Panda Software\Panda Platinum Internet Security\pavsrv51.exe
    PID: 476 ( 736) C:\Program Files\Panda Software\Panda Platinum Internet Security\psimsvc.exe
    PID: 640 ( 456) C:\Program Files\Panda Software\Panda Platinum Internet Security\AVENGINE.EXE
    PID: 644 ( 736) C:\WINDOWS\System32\svchost.exe
    PID: 668 ( 420) csrss.exe
    PID: 692 ( 420) \??\C:\WINDOWS\SYSTEM32\winlogon.exe
    PID: 736 ( 692) C:\WINDOWS\system32\services.exe
    PID: 748 ( 692) C:\WINDOWS\system32\lsass.exe
    PID: 804 (2292) C:\WINDOWS\SYSTEM32\cidaemon.exe
    PID: 816 ( 736) wdfmgr.exe
    PID: 908 ( 736) C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
    PID: 928 ( 736) C:\WINDOWS\system32\svchost.exe
    PID: 976 ( 736) svchost.exe
    PID: 1004 ( 736) C:\WINDOWS\System32\svchost.exe
    PID: 1068 ( 736) svchost.exe
    PID: 1220 ( 736) svchost.exe
    PID: 1412 ( 736) C:\WINDOWS\system32\spoolsv.exe
    PID: 1664 ( 736) C:\Apps\ActivBoard\nhksrv.exe
    PID: 1716 ( 736) C:\WINDOWS\runservice.exe
    PID: 1736 ( 736) C:\Program Files\Panda Software\Panda Platinum Internet Security\passrv.exe
    PID: 2016 ( 736) C:\WINDOWS\System32\svchost.exe
    PID: 2064 (2692) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    PID: 2124 (3664) C:\Program Files\Panda Software\Panda Platinum Internet Security\WebProxy.exe
    PID: 2292 ( 736) C:\WINDOWS\System32\cisvc.exe
    PID: 2488 ( 692) C:\Program Files\Common Files\Stardock\SDMCP.exe
    PID: 2532 ( 692) C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
    PID: 2664 (2692) C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    PID: 2692 (2632) C:\WINDOWS\Explorer.EXE
    PID: 2972 (1004) C:\WINDOWS\system32\wuauclt.exe
    PID: 3060 ( 736) msdtc.exe
    PID: 3404 (2692) C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    PID: 3568 (2692) C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
    PID: 3612 (2692) C:\Program Files\BUFFALO\Client Manager\ABRECEIVER\ABReceiver.exe
    PID: 3620 (2692) C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    PID: 3664 (2692) C:\Program Files\Panda Software\Panda Platinum Internet Security\APVXDWIN.EXE
    PID: 3764 (2692) C:\Program Files\MSN Messenger\msnmsgr.exe
    PID: 4000 (3664) C:\Program Files\Panda Software\Panda Platinum Internet Security\SRVLOAD.EXE
    Spybot - Search && Destroy process list report, 25/02/2005 22:55:02


    --- Browser start & search pages list ---
    Spybot - Search && Destroy browser pages report, 25/02/2005 22:55:02

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
    C:\WINDOWS\system32\blank.htm
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.google.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
    %SystemRoot%\system32\blank.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
    http://www.google.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
    http://www.google.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
    http://www.google.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
    http://www.google.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
    http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
    http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


    --- Winsock Layered Service Provider list ---
  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    You have two options. You can go into your registry, find the two offending entries, and delete them manually. Or you can run a different program which might get rid of them for you. I would suggest running Adaware first.

    Please follow these instructions to run Ad-Aware.
    • Download, install, update, configure, and run Ad-Aware SE Personal 1.05.
      1. Download Ad-Aware SE Personal 1.05:
      2. Install Ad-Aware SE Personal 1.05:
        • Double-click on aawsepersonal.exe to install the program.
        • Follow the default settings for installation.
        • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
      3. Update Ad-Aware SE Personal 1.05:
        • Double-click the Ad-Aware SE Personal icon on your desktop.
        • Click "Check for updates now" then click "Connect".
        • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
      4. Configure Ad-Aware SE Personal 1.05:
        • Click on the Gear button at the top of the window.
        • Click "General" on the left hand side to display the General Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Automatically save logfile"
            • "Automatically quarantine objects prior to removal"
            • "Safe Mode (always request confirmation)"
            • "Prompt to update outdated definitions" - change to 7 days from the default 14.
        • Click "Scanning" on the left hand side to display the Scan Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Scan within archives"
            • "Select drives & folders to scan" - select your hard drive(s).
            • "Scan active processes"
            • "Scan registry"
            • "Deep-scan registry"
            • "Scan my IE favorites for banned URLs"
            • "Scan my Hosts file"
        • Click "Advanced" on the left hand side to display the Advanced Settings box.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Move deleted files to Recycle Bin"
            • "Include additional object information"
            • "Include negligible objects information"
            • "Include environment information"
        • Click "Defaults" on the left hand side to display the Default Settings box.
          • Make sure these items have your preferred settings in them:
            • "Default homepage"
            • "Default searchpage"
        • Click "Tweak" on the left hand side to display the Tweak Settings box.
          • Click the + (plus) sign next to the Log Files section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Include basic Ad-Aware settings in log file"
            • "Include additional Ad-Aware settings in log file"
            • "Include reference summary in log file"
            • "Include alternate data stream details in log file"
          • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Unload recognized processes & modules during scan"
            • "Scan registry for all users instead of current user only"
            • "Obtain command line of scanned processes"
          • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
          • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark:
            • "Always try to unload modules before deletion"
            • "During removal, unload Explorer and IE if necessary"
            • "Let Windows remove files in use at next reboot"
            • "Delete quarantined objects after restoring"
        • Once you are done with these settings, click "Proceed" to save them.
        • This will take you back to the main screen.
      5. Run Ad-Aware SE Personal 1.05:
        • Click the "Start" button.
        • Uncheck the "Search for negligible risk entries" entry.
        • Choose the "Use custom scanning options" scan mode.
        • Click the "Next" button.
        • Ad-Aware will begin to scan for malware residing on your computer.
        • Allow the scan to finish.
        • Right-click on any entry in the list and click "Select All" to select the whole list.
        • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

    Reboot, run a scan with Spybot and see if they still come up.
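An added example, not part of the original post: a parser for the Spybot "Search result list" section that normalises the reported registry paths before any manual cleanup. `HKEY_USERS\.DEFAULT` is an alias for the LocalSystem hive `HKEY_USERS\S-1-5-18`, so the two SideFind findings in the log above name the same key; the sample text is copied from that log and the function names are constructed for illustration.

```python
import re
from collections import OrderedDict

# The two findings from the Spybot log posted earlier in this thread.
SPYBOT_RESULTS = r"""--- Search result list ---
ISearchTech.SideFind: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}

ISearchTech.SideFind: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}

--- Startup entries list ---
"""

# Well-known service account SIDs that own hives under HKEY_USERS.
WELL_KNOWN_SIDS = {"s-1-5-18": "LocalSystem", "s-1-5-19": "LocalService",
                   "s-1-5-20": "NetworkService"}

# "<product>: <category> (<object kind>, <action taken>)"
HEADER = re.compile(r"^(?P<product>[^:]+): (?P<category>.+) "
                    r"\((?P<kind>[^,]+), (?P<action>[^)]+)\)$")


def parse_results(text):
    """Return one dict per finding in the 'Search result list' section."""
    findings, pending, in_results = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--- "):
            in_results = line == "--- Search result list ---"
            pending = None
            continue
        if not in_results or not line:
            continue
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
        elif pending and line.upper().startswith("HKEY_"):
            findings.append(dict(pending, path=line))
            pending = None
    return findings


def canonical_key(path):
    """Resolve the HKEY_USERS\\.DEFAULT alias and lower-case for comparison."""
    parts = path.split("\\")
    if len(parts) > 1 and parts[0].upper() == "HKEY_USERS" \
            and parts[1].upper() == ".DEFAULT":
        parts[1] = "S-1-5-18"
    return "\\".join(parts).lower()


def hive_owner(path):
    """Name the account whose hive holds the key."""
    parts = canonical_key(path).split("\\")
    if parts[0] == "hkey_users" and len(parts) > 1:
        return WELL_KNOWN_SIDS.get(parts[1], "user " + parts[1].upper())
    return parts[0].upper()


def distinct_keys(findings):
    """Group reported paths by the real key they refer to."""
    grouped = OrderedDict()
    for f in findings:
        grouped.setdefault(canonical_key(f["path"]), []).append(f["path"])
    return grouped


if __name__ == "__main__":
    found = parse_results(SPYBOT_RESULTS)
    for key, reported in distinct_keys(found).items():
        print("%d finding(s) -> 1 key in the %s hive" % (len(reported), hive_owner(key)))
```

Because the key sits in the LocalSystem hive rather than the logged-on user's, it does not appear under `HKEY_CURRENT_USER`, and deleting it once clears both findings.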
  • edited February 2005
    Adaware didn't pick it up so I went into the registry and deleted.. Spybot isn't finding anything now :) Thanks for your help :thumbsup:
This discussion has been closed.