Annoying Spyware - I'm close to solving but need a little help please

Brutalboy99 Elmwood Park, New Jersey, USA
edited July 2005 in Spyware & Virus Removal
Seems like every post I read has the same problem, nasty spyware that won't go away.

I have run Ad-Aware, Spybot 1.3, MS-Antispy, Norton Antivirus. All with the latest updates. I have run HijackThis and eliminated the suspected items, but it keeps changing the name. See log below and any help is most appreciated. Also this laptop is my daughter's and she downloads songs using Limewire, and plays them using iTunes. Any thoughts on if these are causing the multitude of spyware she gets? The spyware programs are good, but she keeps getting the same ones over and over. Any thoughts around how to prevent them from getting here in the first place? Thanks again.
Brutalboy99

BTW, it's an IBM laptop, running Windows XP Pro SP2.

Here's the log.
Logfile of HijackThis v1.98.2
Scan saved at 4:25:10 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\windows\system32\dqveyqo.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [sdbcwpx] c:\windows\system32\dqveyqo.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab

Comments

  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    You are using an outdated version of Hijackthis.
    Please download the current version of Hijackthis and post a new hijackthis log.

    http://www.short-media.com/download.php?d=245
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    Ok thanks for letting me know about the new version of HJT. Here is the new log. Thanks for responding so quickly too.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:53:22 PM, on 7/8/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\windows\system32\nepkpxs.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [puzmgsl] c:\windows\system32\nepkpxs.exe r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    Ok, I have re-run all my spyware programs, Spybot 1.3, Ad-Aware, MS-AntiSpy, WCShredder, Norton Antivirus. As usual it eliminated lots of spyware and a few trojan horses. However, there remain a few spywares like Huntbar, which I have never been able to remove. I have re-run HJT and copied below.

    Thank you for all of your help. As I mentioned earlier this is my daughter's laptop and she claims "only" to download songs using Limewire and plays them using iTunes. Do you think this is why she is getting so much spyware? I would like to know how to prevent this from happening. Looking for your advice hopefully after we cure this PC. She has an IBM laptop running XP Pro. Thanks again.
    John a.k.a. Brutalboy99

    Logfile of HijackThis v1.99.1
    Scan saved at 1:47:06 PM, on 7/9/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    c:\windows\system32\yulave.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [dvdlix] c:\windows\system32\yulave.exe r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Shadow2018Shadow2018 Northwest Missouri
    edited July 2005
    You should update Ad-Aware SE to the newest version of 1.06 if you do not have it and update Spybot S&D to the latest version of 1.4.

    http://majorgeeks.com/Ad-Aware_SE_Personal_d506.html

    http://majorgeeks.com/SpyBot-Search_&_Destroy_d2471.html
  • Brutalboy99Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    OK, I have updated Ad-Aware 1.6 & Spybot 1.4 and ran both. Cleaned up some more spyware but still left some. Here is the latest HJT log.

    Thanks for the help. Also appreciate any help with preventive ideas. As indicated earlier this is my daughter's laptop and she claims only to download songs using Limewire (which I was led to believe contained no spyware), she then uses iTunes to play the songs.

    Here's the log, look forward to the help, thanks again.

    John (Brutalboy99)

    Logfile of HijackThis v1.99.1
    Scan saved at 5:02:48 PM, on 7/9/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    c:\windows\system32\pdkcaj.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [mbmgske] c:\windows\system32\pdkcaj.exe r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited July 2005
    Using Limewire for file sharing definitely increases your risk for malware infection. Let's get you cleaned up and then I'll give you some ideas for protection.

    Please make sure that you can VIEW ALL HIDDEN FILES.

    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O4 - HKLM\..\Run: [mbmgske] c:\windows\system32\pdkcaj.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


    Reboot your computer into SAFE MODE

    Then delete these files or directories (Do not be concerned if they do not exist):

    c:\windows\system32\pdkcaj.exe
    C:\WINDOWS\svcproc.exe


    Reboot your computer to go back to normal mode and post a new log.
  • Brutalboy99Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    OK, I have run HJT and eliminated as indicated, however I see I still have the problem. See attached HJT. Thanks.

    John

    Logfile of HijackThis v1.99.1
    Scan saved at 3:30:23 PM, on 7/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    c:\windows\system32\glalpeq.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [bvhglmd] c:\windows\system32\glalpeq.exe r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_SamBuckeye_Sam Columbus, Ohio
    edited July 2005
    Please run at least two of these online scans.
    Make sure they are set to clean automatically.

    Panda Virus Scan

    Bit Defender

    TrendMicro Housecall

    There will be files that these scans will not remove. Please include that information in your next post.


    Reboot and post a new hijackthis log and the info from your virus scans.
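
The autorun entry fixed in the 7/9 log reappears in the 7/10 log under a new value name and a new file name. As an added example (not part of any post in this thread), this Python sketch diffs the O4 lines of two HijackThis logs and pairs a removed entry with an added one when registry location, directory and arguments match but both names changed. The log excerpts are copied from the two logs above; the function and class names are hypothetical.

```python
import ntpath
import re
from typing import NamedTuple

# O4 excerpts copied from the 7/9/2005 and 7/10/2005 (3:30 PM) logs in this thread.
SCAN_2005_07_09 = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mbmgske] c:\windows\system32\pdkcaj.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""
SCAN_2005_07_10 = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [bvhglmd] c:\windows\system32\glalpeq.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


class Autorun(NamedTuple):
    location: str  # registry key as HijackThis prints it, e.g. HKLM\..\Run
    name: str      # registry value name (the text in square brackets)
    image: str     # executable path, lower-cased for comparison
    args: str      # command-line arguments after the executable


# Registry autoruns only; "O4 - Global Startup:" shortcut lines are skipped.
O4_LINE = re.compile(r"^\s*O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.*?)\] (.+?)\s*$")
# Unquoted command: the image ends at the first executable extension.
IMAGE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(.*))?$", re.I)


def parse_o4(log_text):
    """Return the set of registry autorun entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = O4_LINE.match(line)
        if not m:
            continue
        location, name, command = m.groups()
        if command.startswith('"') and '"' in command[1:]:
            image, _, args = command[1:].partition('"')
        else:
            im = IMAGE.match(command)
            image, args = (im.group(1), im.group(2) or "") if im else (command, "")
        entries.add(Autorun(location, name, image.lower(), args.strip()))
    return entries


def diff_autoruns(old, new):
    """Split the changes between two scans into rotated, added and removed."""
    removed, added = old - new, new - old
    rotated = []
    for gone in sorted(removed):
        folder = ntpath.dirname(gone.image)
        for fresh in sorted(added):
            same_shape = (
                folder != ""  # bare file names carry too little to compare
                and gone.location == fresh.location
                and folder == ntpath.dirname(fresh.image)
                and gone.args == fresh.args
            )
            renamed = (
                gone.name != fresh.name
                and ntpath.basename(gone.image) != ntpath.basename(fresh.image)
            )
            if same_shape and renamed:
                rotated.append((gone, fresh))
                added.discard(fresh)
                break
    paired = {gone for gone, _ in rotated}
    return {
        "rotated": rotated,
        "added": sorted(added),
        "removed": sorted(removed - paired),
    }


if __name__ == "__main__":
    report = diff_autoruns(parse_o4(SCAN_2005_07_09), parse_o4(SCAN_2005_07_10))
    for gone, fresh in report["rotated"]:
        print(f"rotated: [{gone.name}] {gone.image} -> [{fresh.name}] {fresh.image}")
    for entry in report["removed"]:
        print(f"removed: [{entry.name}] {entry.image}")
    for entry in report["added"]:
        print(f"added:   [{entry.name}] {entry.image}")
```

A rotated pair means whatever writes the Run value is still active, so deleting the named file alone will not hold.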
  • Brutalboy99Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    OK, I ran Panda Virus & BitDefender but not sure what you wanted me to post. So here is the HJT log and the two logs from the virus scans. Thank you for all your help, I really appreciate it, and can't believe the time it takes to clean these PCs. You guys are great!!

    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:34 PM, on 7/10/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\Explorer.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    c:\windows\system32\vfzapw.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [irvuctu] c:\windows\system32\vfzapw.exe r
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Here is the Panda Virus log:


    Incident Status Location

    Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
    Adware:Adware/Transponder No disinfected c:\windows\system32\lzpulw.exe
    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\cd_clint.dll
    Adware:Adware/SaveNow No disinfected Windows Registry
    Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
    Spyware:Spyware/ShopNav No disinfected Windows Registry
    Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Home\Application Data\Lycos
    Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
    Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
    Adware:Adware/MBKWBar No disinfected Windows Registry
    Adware:Adware/Aurora No disinfected C:\WINDOWS\nail.exe
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Home\Local Settings\Temp\temp.frC5A1
    Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\A0AJTULL\adopt[7].htm
    Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\6HWH2MC2\script[2]
    Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\6HWH2MC2\script[4]
    Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\QUWFZS9L\adopt[1].htm
    Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Home\Local Settings\Temporary Internet Files\Content.IE5\NI18TNN3\adopt[8].htm
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI623B.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI4C18.tmp\farmmext.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI4C18.tmp\farmmext.ini
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI1FA8.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI4DE5.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI670E.tmp\zserv.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI270B.tmp\farmmext.ini
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI46B4.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI79BC.tmp\zserv.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI296C.tmp\farmmext.ini
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI31AF.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI77C5.tmp\zserv.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6DC9.tmp\farmmext.ini
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI5010.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3CAD.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI15F0.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI73D6.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI5011.tmp\zserv.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI1069.tmp\farmmext.ini
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI40BE.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI349.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI662.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3A1A.tmp\zserv.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3843.tmp\farmmext.ini
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI4EBA.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI1929.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI5179.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THICDE.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI295D.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI1C7C.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI38F3.tmp\zserv.inf
    Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI4373.tmp\zserv.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6DA3.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3B80.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI7C66.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI67AD.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI107A.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI30A3.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI30A3.tmp\dlmax.inf
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI5EA9.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI7BA0.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI633A.tmp\dlmax.inf
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI378B.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI378B.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI5387.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI7DD2.tmp\dlmax.inf
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THIC3C.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6589.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3801.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI68F9.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI42A2.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6BD.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3D44.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI66A8.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI1FC8.tmp\dlmax.inf
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI7D28.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3F56.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI30C4.tmp\dlmax.inf
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI54E7.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI2560.tmp\farmmext.ini
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3FD9.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI419E.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI75E.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI654B.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI23C2.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THIA32.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI25AB.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI15C5.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI702F.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6235.tmp\dlmax.inf
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI76A5.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6ADE.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI637C.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI6065.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI280A.tmp\dlmax.inf
    Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Student\Local Settings\Temp\THI3E04.tmp\farmmext.ini
    Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
    Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi2.inf
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\biini.inf
    Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
    Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\lzpulw.exe
    Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\system32\cd_clint.dll
    Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
    Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
    Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
    Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll_tobedeleted
    Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\bi2.exe
    Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
    Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite2.exe
    Adware:Adware/WinTools No disinfected C:\WINDOWS\system32\edow.exe
    Adware:Adware/WinTools No disinfected C:\WINDOWS\system32\ib1s.dll
    Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
    Adware:Adware/IEDriver No disinfected C:\td.exe
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    Here is the BitDefender log:
    BitDefender Online Scanner


    Scan report generated at: Sun, Jul 10, 2005 - 19:03:22
    Scan path: C:\;D:\;
    Statistics
    Time: 01:07:57
    Files: 247858
    Folders: 4053
    Boot Sectors: 2
    Archives: 2062
    Packed Files: 25808

    Results
    Identified Viruses: 17
    Infected Files: 59
    Suspect Files: 1
    Warnings: 0
    Disinfected: 0
    Deleted Files: 110

    Engines Info
    Virus Definitions: 193558
    Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Scan Settings
    First Action: Disinfect
    Second Action: Delete
    Heuristics: Yes
    Enable Warnings: Yes
    Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
    Exclude Extensions:
    Scan Emails: Yes
    Scan Archives: Yes
    Scan Packed: Yes
    Scan Files: Yes
    Scan Boot: Yes

    Scanned File
    Status

    C:\WINDOWS\svcproc.exe
    Infected with: Trojan.Stervis.C

    C:\WINDOWS\svcproc.exe
    Disinfection failed

    C:\WINDOWS\svcproc.exe
    Deleted

    C:\WINDOWS\system32\lzpulw.exe
    Infected with: Trojan.Agent.AY

    C:\WINDOWS\system32\lzpulw.exe
    Disinfection failed

    C:\WINDOWS\system32\lzpulw.exe
    Delete failed

    C:\WINDOWS\system32\DrPMon.dll
    Infected with: Trojan.Agent.DB

    C:\WINDOWS\system32\DrPMon.dll
    Disinfection failed

    C:\WINDOWS\system32\DrPMon.dll
    Delete failed

    C:\WINDOWS\system32\KVIF_7.dll
    Infected with: Trojan.Downloader.Keenval.E

    C:\WINDOWS\system32\KVIF_7.dll
    Disinfection failed

    C:\WINDOWS\system32\KVIF_7.dll
    Deleted

    C:\WINDOWS\system32\edow.exe
    Infected with: Trojan.Downloader.QDown.B

    C:\WINDOWS\system32\edow.exe
    Disinfection failed

    C:\WINDOWS\system32\edow.exe
    Deleted

    C:\WINDOWS\Nail.exe
    Detected with: Adware.Nail.A

    C:\WINDOWS\Nail.exe
    Disinfection failed

    C:\WINDOWS\Nail.exe
    Deleted

    C:\WINDOWS\vmqrclv.exe
    Infected with: BehavesLike:Win32.ExplorerHijack

    C:\WINDOWS\vmqrclv.exe
    Disinfection failed

    C:\WINDOWS\vmqrclv.exe
    Deleted

    C:\WINDOWS\td.exe
    Suspected of: BehavesLike:Trojan.Downloader

    C:\WINDOWS\td.exe
    Disinfection failed

    C:\WINDOWS\td.exe
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58903FD5.exe=>(Quarantine-2)
    Infected with: Trojan.Downloader.Stubby.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58903FD5.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58903FD5.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D795A66.exe=>(Quarantine-2)
    Infected with: Trojan.Downloader.Intexp.C

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D795A66.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0D795A66.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58D85B86.exe=>(Quarantine-2)
    Infected with: Trojan.Spybi

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58D85B86.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58D85B86.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63160E40.exe=>(Quarantine-2)
    Infected with: Trojan.Downloader.Stubby.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63160E40.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63160E40.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68B33813.exe=>(Quarantine-2)
    Infected with: Trojan.Downloader.Intexp.C

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68B33813.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68B33813.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69915F1F.exe=>(Quarantine-2)
    Infected with: Trojan.Downloader.Intexp.C

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69915F1F.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69915F1F.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6994091B.dll=>(Quarantine-2)
    Infected with: Trojan.Imiserv.C.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6994091B.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6994091B.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\699E0710.exe=>(Quarantine-2)
    Infected with: Trojan.Bettinet.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\699E0710.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\699E0710.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69A1310D.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69A1310D.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69C254E9.exe=>(Quarantine-2)
    Infected with: Win32.Agent.NN

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69C254E9.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\69C254E9.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18BE6045.dll=>(Quarantine-2)
    Infected with: Trojan.Bettinet.172032.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18BE6045.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18BE6045.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\249B6737.exe=>(Quarantine-2)
    Infected with: Trojan.Agent.CP

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\249B6737.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\249B6737.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28414F33.dll=>(Quarantine-2)
    Infected with: Trojan.Imiserv.C.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28414F33.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28414F33.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B3331F5.exe=>(Quarantine-2)
    Infected with: Win32.Agent.NN

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B3331F5.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B3331F5.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B577FCE.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B577FCE.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B5A29CA.dll=>(Quarantine-2)
    Infected with: Trojan.Bettinet.172032.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B5A29CA.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B5A29CA.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D44330.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D44330.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45D44330.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45E16B21.exe=>(Quarantine-2)
    Infected with: Trojan.Spybi

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45E16B21.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\45E16B21.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46010EFD.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\46010EFD.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\679F0087.exe=>(Quarantine-2)
    Infected with: Trojan.Spybi

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\679F0087.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\679F0087.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C230F8E.dll=>(Quarantine-2)
    Infected with: Trojan.Imiserv.C.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C230F8E.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C230F8E.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F26443E.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F26443E.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F2D1837.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F2D1837.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F2D1837.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11676914.dll=>(Quarantine-2)
    Infected with: Trojan.Imiserv.C.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11676914.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\11676914.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\147E19AE.exe=>(Quarantine-2)
    Infected with: Trojan.Spybi

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\147E19AE.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\147E19AE.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14911599.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14911599.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14911599.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14AF0F78.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\14AF0F78.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2ED3653B.dll=>(Quarantine-2)
    Infected with: Trojan.Imiserv.C.DLL

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2ED3653B.dll=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2ED3653B.dll=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\30194BD4.exe=>(Quarantine-2)
    Infected with: Trojan.Spybi

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\30194BD4.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\30194BD4.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33365067.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33365067.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33365067.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33544A47.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33544A47.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FB73486.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FB73486.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FB73486.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FD10469.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2FD10469.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09FA3931.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09FA3931.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09FA3931.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A1A5D0E.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0A1A5D0E.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7C75585A.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7C75585A.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7C75585A.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DB240FE.exe=>(Quarantine-2)
    Infected with: Trojan.Spybi

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DB240FE.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DB240FE.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DC212EC.exe=>(Quarantine-2)
    Infected with: Trojan.Betterinternet.W

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DC212EC.exe=>(Quarantine-2)
    Deleted

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\522326E7.exe=>(Quarantine-2)
    Detected with: Adware.Nail.A

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\522326E7.exe=>(Quarantine-2)
    Disinfection failed

    C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\522326E7.exe=>(Quarantine-2)
    Deleted

  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.


    Step 1
    Please download the trial version of Ewido Security Suite
    Install it, and download all updates. Then exit Ewido once all updates are installed.

    Step 2
    Please download and install Cleanup 4.0, but do not run it yet.

    Step 3
    Please download the Nail/Aurora Spyware Fix from NoIdea.US. (Alternate download link: dknoppix mirror)
    Unzip it to the desktop but do NOT run yet.

    Step 4
    Reboot your computer into Safe Mode

    Step 5
    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
    How to see hidden files in Windows

    Step 6
    Please double-click on nailfix.cmd that you unzipped earlier. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Step 7
    Run CleanUp 4.0 that you installed earlier.

    Step 8
    Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.

    Step 9
    Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;ftp=192.168.100.3:80;gopher=192.168.100.3:80;socks=192.168.100.3:80;
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [irvuctu] c:\windows\system32\vfzapw.exe r
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe



    Step 10
    Then delete these files or directories (Do not be concerned if they do not exist):

    C:\WINDOWS\svcproc.exe
    C:\WINDOWS\Nail.exe
    c:\windows\system32\vfzapw.exe
    C:\WINDOWS\system32\DrPMon.dll
    c:\windows\system32\lzpulw.exe
    C:\WINDOWS\system32\cd_clint.dll
    C:\WINDOWS\system32\Xcite.dll
    C:\Documents and Settings\Home\Application Data\Lycos
    C:\WINDOWS\system32\fiz1
    C:\WINDOWS\inf\dlmax.inf
    C:\WINDOWS\inf\bi2.inf
    C:\WINDOWS\inf\biini.inf
    C:\WINDOWS\system32\kyf.dat
    C:\WINDOWS\system32\DrPMon.dll_tobedeleted
    C:\WINDOWS\system32\bi2.exe
    C:\WINDOWS\system32\Xcite2.exe
    C:\WINDOWS\system32\edow.exe
    C:\WINDOWS\system32\ib1s.dll
    C:\td.exe


    Restart your computer and please post a new HijackThis log and the Ewido log.
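After a fix like Steps 9 and 10, the follow-up HijackThis log can be checked mechanically against the list of entries that were supposed to be removed. The script below is an added example, not part of the original post and not a HijackThis feature; the function names are hypothetical, and the sample data is a short excerpt assembled from log lines quoted in this thread.

```python
import re

# A HijackThis entry line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# HijackThis appends these markers when the referenced file is gone.
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.I)


def normalize(body):
    """Collapse whitespace and case so the same entry compares equal across logs."""
    return re.sub(r"\s+", " ", body).strip().lower()


def parse_entries(log_text):
    """Return one dict per entry line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        missing = bool(MISSING_RE.search(body))
        body = MISSING_RE.sub("", body)
        entries.append({"code": code, "body": body,
                        "file_missing": missing,
                        "key": (code, normalize(body))})
    return entries


def check_fix(fix_text, later_text):
    """Split the fix list into entries still present in the later log and cleared ones."""
    later = {e["key"]: e for e in parse_entries(later_text)}
    remaining, cleared = [], []
    for entry in parse_entries(fix_text):
        hit = later.get(entry["key"])
        if hit is None:
            cleared.append(entry)
        else:
            # Carry over whether the later log says the file itself is gone.
            entry["file_missing"] = hit["file_missing"]
            remaining.append(entry)
    return remaining, cleared


def needs_review(log_text):
    """Entries worth a manual look: orphaned references and unsigned services.

    "Unknown owner" is not a verdict; legitimate vendor services show it too.
    """
    out = []
    for e in parse_entries(log_text):
        unknown_service = e["code"] == "O23" and "unknown owner" in e["body"].lower()
        if e["file_missing"] or unknown_service:
            out.append(e)
    return out


# Sample data: the Step 9 fix list and an excerpt of the follow-up log.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=192.168.100.3:80;http=192.168.100.3:80;
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [irvuctu] c:\windows\system32\vfzapw.exe r
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

LATER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
"""

if __name__ == "__main__":
    remaining, cleared = check_fix(FIX_LIST, LATER_LOG)
    for e in remaining:
        note = " (registration left, file gone)" if e["file_missing"] else ""
        print("STILL PRESENT:", e["code"], "-", e["body"] + note)
    for e in cleared:
        print("cleared:      ", e["code"], "-", e["body"])
    for e in needs_review(LATER_LOG):
        print("review:       ", e["code"], "-", e["body"])
```

An entry that is still present but marked "(file missing)" means the file was deleted while its registry or service registration was left behind, so the entry still needs fixing in HijackThis.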
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    OK, ran the 10-step process above. I can't believe how many temp files Cleanup 4.0 removed (50,000+ files, plus 518MB). I currently use Norton Systemworks, which I thought removed the temp files!

    Anyway, here are the HJT & Ewido logs. As always, thanks for all your help. I guess I wasn't as close as I originally thought! However, it has been a learning experience, thanks again.
    BB

    HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:19:23 PM, on 7/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Ewido Log:
    ewido security suite - Scan report

    + Created on: 9:23:53 PM, 7/11/2005
    + Report-Checksum: 8D3D8CCA

    + Scan result:

    HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
    HKLM\SOFTWARE\Classes\CLSID\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Wbho.Band -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1A00C40B-DA85-4aa3-A67F-582D9347EECD} -> Spyware.iSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
    HKU\S-1-5-21-2136417557-516276246-1282138258-1005\Software\intexp -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-2136417557-516276246-1282138258-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
    HKU\S-1-5-21-2136417557-516276246-1282138258-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
    HKU\S-1-5-21-2136417557-516276246-1282138258-1005\Software\Support Software -> Spyware.NetworkEssentials : Cleaned with backup
    C:\Recycled\NPROTECT\00071315.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071326.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071329.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071332.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071335.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071339.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071341.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071344.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071347.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071350.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071353.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071356.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071359.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071362.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071368.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071372.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071382.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071403.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071406.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071409.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071412.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071415.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071418.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071421.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071424.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071429.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071432.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071436.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071448.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071465.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071470.exe -> Adware.BetterInternet : Cleaned with backup
    C:\Recycled\NPROTECT\00071480.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\gifmzk.exe -> Adware.BetterInternet : Cleaned with backup
    C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RiskWare.RemoteAdmin.PLSRemot : Cleaned with backup
    C:\WINDOWS\system32\bi2.exe/bi.dll -> Spyware.BiSpy : Cleaned with backup
    C:\WINDOWS\system32\bi2.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
    C:\WINDOWS\system32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\system32\ib1s.dll -> Spyware.BargainBuddy : Cleaned with backup
    C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
    C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
    C:\WINDOWS\systb.dll -> Spyware.ImiBar : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\968A02F3-1A02-4093-AD8F-BF0874\61135C2F-99C8-4F48-9137-004988 -> Adware.BetterInternet : Cleaned with backup
    C:\td.exe/Files/3.exe -> Spyware.IEDriver : Cleaned with backup
    C:\td.exe/Files/5.exe -> TrojanDownloader.Turown : Cleaned with backup
    C:\td.exe/Files/sx.htm -> Spyware.TwainTech : Cleaned with backup


    ::Report End
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    You have WinPatrol running at startup, which is good. But it can actually block the changes that Hijackthis makes. Please disable it for this part of the fix.


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe


    ===========


    Click Start -> Run -> (type) services.msc

    Scroll down and find the service called System Startup Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.


    Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
    Copy and paste this into the text box and click OK.

    SvcProc


    Reboot and post a new hijackthis log.
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    Ok, Sam:
    Here you go, looks like I still have issues. As always, thanks for the continued support. I appreciate it.
    John

    Logfile of HijackThis v1.99.1
    Scan saved at 11:40:36 PM, on 7/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    In addition to disabling Win Patrol you also need to disable Microsoft's Antispyware.

    -Open Microsoft AntiSpyware.
    -Click on Tools, Settings.
    -In the left pane, click on Real-time Protection.
    -Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
    -Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
    -After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
    -Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.



    Open up Task manager by clicking CTRL - ALT - DELETE and stop these processes if they are still there.

    gcasServ.exe
    gcasDtServ.exe




    Fix this line with hijackthis.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=



    Reboot and post a new hijackthis log. Let me know of any problems that you are still having.
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    Sam:
    Here you go, but looks like this sidesearch just doesn't want to die!

    By the way, I closed Win Patrol, Ms AntiSpy, and Ewido before running HJT. As always, thanks for the continued support.
    John

    HJT log
    Logfile of HijackThis v1.99.1
    Scan saved at 8:06:47 PM, on 7/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AIM\aim.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • Buckeye_Sam Columbus, Ohio
    edited July 2005
    Reboot into Safe Mode and fix this line with hijackthis.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=


    Reboot and post a new hijackthis log. Are you experiencing any problems now?
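
Added example, not part of the thread and not HijackThis code: a Python sketch that automates the check repeated by hand across the follow-up logs, namely whether lines marked with Fix Checked show up again in later scans. The function names are hypothetical, and the embedded logs are shortened excerpts constructed from lines quoted in this thread.

```python
import re
from datetime import datetime

# HijackThis result lines start with a section code: "R1 - ...", "O4 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
# Header line, e.g. "Scan saved at 11:40:36 PM, on 7/12/2005".
SAVED_RE = re.compile(r"Scan saved at\s+(.+?),\s+on\s+(\d{1,2}/\d{1,2}/\d{4})")
MISSING_RE = re.compile(r"\s*\(file missing\)\s*$", re.IGNORECASE)


def normalise(detail):
    """Make two renderings of the same entry compare equal."""
    detail = MISSING_RE.sub("", detail)          # marker depends on file state
    return re.sub(r"\s+", " ", detail).strip().casefold()


def parse_entries(log_text):
    """Map (section, normalised detail) -> original line for every result line."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            code, detail = m.groups()
            entries[(code, normalise(detail))] = f"{code} - {detail}"
    return entries


def scan_time(log_text):
    """Read the scan timestamp from the log header."""
    m = SAVED_RE.search(log_text)
    if not m:
        raise ValueError("no 'Scan saved at' header found")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%I:%M:%S %p %m/%d/%Y")


def track_fixes(fixed_text, logs):
    """For each fixed line, list the dates of later scans that still contain it."""
    fixed = parse_entries(fixed_text)
    scans = sorted(((scan_time(t), parse_entries(t)) for t in logs),
                   key=lambda s: s[0])
    return {
        original: [when.strftime("%Y-%m-%d") for when, entries in scans
                   if key in entries]
        for key, original in fixed.items()
    }


def unresolved(fixed_text, logs):
    """Fixed lines that are still present in the most recent scan."""
    latest = max(scan_time(t) for t in logs).strftime("%Y-%m-%d")
    report = track_fixes(fixed_text, logs)
    return [line for line, seen in report.items() if latest in seen]


# Lines the helper asked to fix (copied from the thread).
FIXED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
"""

# Constructed excerpts: header plus a few result lines from each follow-up log.
LOG_0712 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:40:36 PM, on 7/12/2005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
"""
LOG_0713 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:06:47 PM, on 7/13/2005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
"""
LOG_0725 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:28:30 PM, on 7/25/2005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
"""

if __name__ == "__main__":
    for line, seen in track_fixes(FIXED, [LOG_0712, LOG_0713, LOG_0725]).items():
        status = "still present on " + ", ".join(seen) if seen else "gone"
        print(f"{status}: {line}")
```
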
  • Brutalboy99 Elmwood Park, New Jersey, USA
    edited July 2005
    Sam:
    Ok, just back from vacation. Sorry I wasn't able to post until now. Looks like I still have an issue with side search. Here is the latest HJT log. As always, thanks for the continued support.

    John

    Logfile of HijackThis v1.99.1
    Scan saved at 5:28:30 PM, on 7/25/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\AIM\aim.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\hijackthis_199\HijackThis.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1094516678025
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://www.webgateinc.com/wizard/control/10135/wg_webeye.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
    O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
    O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
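
Added example (not part of the original post and not HijackThis's own code): a small parser for the log format posted above. It counts entries per section code, lists the entries HijackThis itself has marked `(file missing)` or `(no file)`, and extracts the host behind any R0/R1 Internet Explorer URL setting. The function name `triage` and the regular expressions are illustrative assumptions; the sample lines are copied from the log above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] path".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*\S)\s*$")
# R0/R1 bodies are "<registry key>,<value name> = <data>".
IE_VALUE = re.compile(r"^(?P<key>.+?),(?P<name>[^,=]+?) = (?P<data>\S*)$")
# Suffixes HijackThis appends when the file an entry points at is not on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def triage(log_text):
    """Count entries per section and collect the ones worth a second look."""
    counts, orphans, ie_urls = Counter(), [], []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:  # header lines and the running-process list are skipped
            continue
        code, body = m.groups()
        counts[code] += 1
        if body.endswith(ORPHAN_MARKERS):
            orphans.append((code, body))
        if code in ("R0", "R1"):
            v = IE_VALUE.match(body)
            if v and v["data"].lower().startswith(("http://", "https://")):
                ie_urls.append((v["name"], urlsplit(v["data"]).hostname))
    return {"counts": dict(counts), "orphans": orphans, "ie_urls": ie_urls}


# Sample lines copied from the log in the post above (not the full log).
SAMPLE = r"""
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: PLSRemote Service (PLSRemoteSvc) - Unknown owner - C:\WINDOWS\SYSTEM32\PLSRemote.exe (file missing)
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("entries per section:", report["counts"])
    for name, host in report["ie_urls"]:
        print(f"IE setting {name!r} points at host {host}")
    for code, body in report["orphans"]:
        print(f"{code} entry with no file on disk: {body}")
```

Running the same function over two logs taken before and after a fix shows whether an R1 value or an orphaned entry has come back after the reboot.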