WinAntivirus 2005, HJT Log, please help!

Hello, I'm hoping someone can help me with this problem.

I'm a tech (among other things) and my boss's college-age son's computer was so overrun with popups, spyware, adware from his...ummm..."extracurricular" internet usage that guess who gets to work on a Sunday to try to figure it all out? Now normally with a system this messed up, I would just backup, reformat, and restore, but like most irresponsible youth, he has no idea where his CDs are and he has a precious 4 GB iPod & 500 MB "extracurricular" collection that he doesn't want to risk losing.

So here's the vital info: XP Home SP2, all critical updates applied, firewall running

Here's what I've done: SpyBot Search & Destroy (ran until clean), AdAware (ran until clean), AVG Antivirus (ran until clean), AboutBuster (no infection), CWShredder (no infection)

Still there is the pesky WinAntivirus2005, which will not seem to go away and popups galore when on the internet (IE6)...

Last but not least is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:26:50 AM, on 12/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Updater.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
C:\WINDOWS\system32\yfrbkon\uysfd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\gjkxvn\epsju.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ygdo\faoksa.exe
C:\WINDOWS\system32\hfcb\xhsk.exe
C:\program files\tvs\tvs_b.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\acai\weaa.exe
C:\WINDOWS\system32\r?gsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\cleanup\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insignia-products.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\prefs.js)
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DA6F1837-DBAA-8D0A-8BAB-D628E65436C2} - C:\WINDOWS\system32\uowozcn.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [omesxdpw] C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
O4 - HKLM\..\Run: [uysfd] C:\WINDOWS\system32\yfrbkon\uysfd.exe
O4 - HKLM\..\Run: [epsju] C:\WINDOWS\system32\gjkxvn\epsju.exe
O4 - HKLM\..\Run: [xhsk] C:\WINDOWS\system32\hfcb\xhsk.exe
O4 - HKLM\..\Run: [faoksa] C:\WINDOWS\system32\ygdo\faoksa.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2005\AVTray.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [installer.exe] C:\Documents and Settings\zach edwards\Application Data\System Restore\installer.exe
O4 - HKCU\..\Run: [ZQInContextactx1.exe] C:\WINDOWS\system32\ZQInContextactx1.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [Rcsh] "C:\Program Files\acai\weaa.exe" -vt yazr
O4 - HKCU\..\Run: [Fqa] C:\WINDOWS\system32\r?gsvr32.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [frio] C:\Program Files\Common Files\frio\friom.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0003.exe
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005\AVSchSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
O23 - Service: xhskhfcb - Unknown owner - C:\WINDOWS\system32\hfcb\xhsk.exe

Again, any help you can supply is greatly appreciated! :)
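As an added example (it is not from the original poster or anyone else in this thread), here is a small Python triage script that applies to a dozen lines copied from the HijackThis log above the checks an analyst normally does by eye: registry entries whose file is gone, binaries sitting in a random-named subfolder of system32, gibberish filenames, a filename HijackThis could not print (the `r?gsvr32.exe` entry, one character off a real system binary), services with no vendor string, and the repeated Winsock LSP lines. The allowlist, the list of legitimate system32 subfolders and the blocklist fragments are this example's own assumptions; the blocklist is seeded only from what the thread itself names as unwanted (WinAntiVirus 2005 per the poster, SurfSideKick per the Ewido report further down).

```python
import re
from collections import Counter
from typing import Dict, List

# Sample input: lines copied from the HijackThis log in the post above,
# trimmed so the example runs offline. A real run reads the saved log file.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [omesxdpw] C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2005\AVTray.exe
O4 - HKCU\..\Run: [Fqa] C:\WINDOWS\system32\r?gsvr32.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)
O23 - Service: xhskhfcb - Unknown owner - C:\WINDOWS\system32\hfcb\xhsk.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|N\d) - (.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^\r\n"]*?\.(?:exe|dll|sys))', re.IGNORECASE)
VOWELS = set("aeiouy")

# Assumptions, not thread content: a stub of the known-good list an analyst keeps,
# the system32 subfolders that legitimately hold binaries, and a blocklist seeded
# from the names this thread itself identifies as unwanted.
KNOWN_GOOD = {"igfxtray.exe", "hkcmd.exe"}
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "spool", "drivers", "dllcache", "config"}
KNOWN_BAD_FRAGMENTS = {"winantivirus 2005", "surfsidekick"}


def looks_random(stem: str) -> bool:
    """Crude gibberish test: almost no vowels, or a run of 5+ consonants."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    return vowel_ratio < 0.2 or longest_run >= 5


def assess(section: str, body: str) -> List[str]:
    """Return the reasons one HijackThis entry deserves a second look."""
    reasons = []
    if "(no file)" in body or "(file missing)" in body:
        reasons.append("orphaned: registry entry points at a file that no longer exists")
    low = body.lower()
    for frag in KNOWN_BAD_FRAGMENTS:
        if frag in low:
            reasons.append(f"matches blocklist entry '{frag}'")
    m = PATH_RE.search(body)
    if m:
        parts = m.group(1).lower().split("\\")
        basename = parts[-1]
        stem = basename.rsplit(".", 1)[0]
        if "?" in basename:
            reasons.append(f"'{basename}' has a character HijackThis could not print "
                           "(look-alike of a system binary name)")
        if "system32" in parts:
            i = parts.index("system32")
            if len(parts) - i > 2 and parts[i + 1] not in KNOWN_SYSTEM32_SUBDIRS:
                reasons.append(f"binary in non-standard system32 subfolder '{parts[i + 1]}'")
        if basename not in KNOWN_GOOD and looks_random(stem):
            reasons.append(f"random-looking filename '{basename}'")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor string (Unknown owner)")
    if section == "O10":
        reasons.append("Winsock LSP: deleting the DLL without repairing the LSP chain breaks networking")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to its reasons; repeated lines are collapsed."""
    counts = Counter(l.strip() for l in log_text.splitlines() if l.strip())
    findings: Dict[str, List[str]] = {}
    for line, n in counts.items():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons = assess(*m.groups())
        if reasons:
            if n > 1:
                reasons.append(f"listed {n} times")
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

The script is a triage aid, not a verdict: entries the heuristics do not catch (pokapoka79.exe under C:\WINDOWS\etb, the unnamed BHO uowozcn.dll in system32) still need a manual lookup, and anything on the allowlist is only as trustworthy as the allowlist.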

Comments

  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    Please visit at least two of the following sites for an online virus scan:

    BitDefender Free Online Virus Scan
    http://www.bitdefender.com/scan/licence.php
    Make sure you tick AutoClean under Scan Options.

    Panda ActiveScan
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm
    Make sure you tick Disinfect automatically under Scan Options.

    Housecall at TrendMicro
    http://housecall.trendmicro.com/housecall/start_corp.asp
    Make sure you tick Auto Clean.

    eTrust Antivirus Web Scanner
    http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

    ==

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.
    Next, please reboot your computer in Safe Mode by doing the following:
    1) Restart your computer
    2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3) Instead of Windows loading as normal, a menu should appear
    4) Select the first option, to run Windows in Safe Mode.

    For additional help in booting into Safe Mode, see the following site:
    http://www.pchell.com/support/safemode.shtml

    Once in Safe Mode, please run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • edited December 2005
    Thanks for your prompt reply. I ran all 4 of the recommended virus scans, as well as Ewido. Here's the Ewido log:

    ewido security suite - Scan report

    + Created on: 2:21:54 PM, 12/6/2005
    + Report-Checksum: B7AD48E6

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InternetOffers -> Spyware.LZIO : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreenSaver Manager -> Spyware.LZIO : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000277A3-7D84-406A-9799-D12A81594693} -> Spyware.SearchFast : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AA06644-BC46-4220-A460-47A6EB47C96D} -> Spyware.NavExcel : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} -> Spyware.NavExcel : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D80C4E21-C346-4E21-8E64-20746AA20AEB} -> Spyware.NavExcel : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{000277A3-7D84-406A-9799-D12A81594693} -> Spyware.SearchFast : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5AA06644-BC46-4220-A460-47A6EB47C96D} -> Spyware.NavExcel : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} -> Spyware.NavExcel : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D80C4E21-C346-4E21-8E64-20746AA20AEB} -> Spyware.NavExcel : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
    C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr419D\Ssk.exe -> Adware.SurfSide : Cleaned with backup
    C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr419D\SskBho.dll -> Adware.SurfSide : Cleaned with backup
    C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr419D\SskCore.dll -> Adware.SurfSide : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@www.epilot[1].txt -> Spyware.Cookie.Epilot : Cleaned with backup
    C:\Documents and Settings\LocalService\Cookies\system@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.8:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.9:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    :mozilla.18:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
    :mozilla.35:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
    :mozilla.36:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.42:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.43:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.44:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    :mozilla.47:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    :mozilla.51:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    :mozilla.52:C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@data1.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\zach edwards\Cookies\zach edwards@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\180sainstallernusalm.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\180sainstallernusalm.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\btnetw3.exe -> Not-A-Virus.Hoax.Win32.SpyWare.b : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\dkw412A.tmp.tst -> Trojan.EliteBar.d : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\i5C.tmp -> Adware.SurfSide : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\ICD2.tmp\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\ICD3.tmp\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\NE38.tmp/NHelper.dll -> Spyware.NavExcel : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\NE38.tmp/NHUninstaller.exe -> Spyware.NavExcel : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\NE38.tmp/navapp.exe -> Spyware.NavExcel : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\res122.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\res19F.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\zach edwards\Local Settings\Temp\VVSNInst.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\DealBar\BarLcher.dll -> Spyware.ActivShopper : Cleaned with backup
    C:\Program Files\Ftk\f.bak -> Spyware.FlashEnhancer : Cleaned with backup
    C:\Program Files\Ftk\ftk.dll -> Spyware.FlashEnhancer : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc104.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc130.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc136.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc137.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc138.txt -> Spyware.Cookie.Valuead : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc139.txt -> Spyware.Cookie.Adtrak : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc141.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc142.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc143.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc150.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc160.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc163.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc17.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc178.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc18.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc181.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc182.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc184.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc192.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc196.txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc198.txt -> Spyware.Cookie.Valuead : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc202.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc21.txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc212.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc214.txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc22.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc240.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc253.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc275.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc292.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc299.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc300.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc301.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc302.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc303.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc304.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc305.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc306.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc308.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc311.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc320.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc329.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc330.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc331.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc332.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc336.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc345.txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc347.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc352.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc358.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc361.txt -> Spyware.Cookie.Bfast : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc370.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc371.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc374.txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc397.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc398.txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc399.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc405.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc410.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc411.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc414.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc416.txt -> Spyware.Cookie.Clickhype : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc43.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2382175176-2131790632-435422563-1006\Dc441.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWFX5NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\UWAS5LP_0001_0811NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\UWFX5_0001_LP1014NetInstaller.exe -> Not-A-Virus.Downloader.Agent.d : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\UWFX5_0001_N53L1025NetInstaller.exe -> Not-A-Virus.Downloader.Agent.f : Cleaned with backup
    C:\WINDOWS\Justin.exe -> Dropper.Agent.abb : Cleaned with backup
    C:\WINDOWS\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
    C:\WINDOWS\system32\fran-hot.exe -> Dropper.Agent.abb : Cleaned with backup
    C:\WINDOWS\system32\kmqlk.dll -> Downloader.Qoologic.ak : Cleaned with backup
    C:\WINDOWS\system32\nsj42.dll -> Adware.EZula : Cleaned with backup
    C:\WINDOWS\temp\99_app99.exe -> Dropper.Agent.xw : Cleaned with backup
    C:\WINDOWS\temp\selassix.tmp -> Spyware.SafeSurfing : Cleaned with backup
    C:\WINDOWS\whCC-GIANT.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup


    ::Report End

    and here's the HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:31:10 PM, on 12/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Updater.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
    C:\WINDOWS\system32\yfrbkon\uysfd.exe
    C:\WINDOWS\system32\ygdo\faoksa.exe
    C:\program files\tvs\tvs_b.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\acai\weaa.exe
    C:\WINDOWS\system32\r?gsvr32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\hfcb\xhsk.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\cleanup\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insignia-products.com
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\prefs.js)
    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {DA6F1837-DBAA-8D0A-8BAB-D628E65436C2} - C:\WINDOWS\system32\uowozcn.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [omesxdpw] C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
    O4 - HKLM\..\Run: [uysfd] C:\WINDOWS\system32\yfrbkon\uysfd.exe
    O4 - HKLM\..\Run: [xhsk] C:\WINDOWS\system32\hfcb\xhsk.exe
    O4 - HKLM\..\Run: [faoksa] C:\WINDOWS\system32\ygdo\faoksa.exe
    O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
    O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
    O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2005\AVTray.exe
    O4 - HKCU\..\Run: [installer.exe] C:\Documents and Settings\zach edwards\Application Data\System Restore\installer.exe
    O4 - HKCU\..\Run: [ZQInContextactx1.exe] C:\WINDOWS\system32\ZQInContextactx1.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    O4 - HKCU\..\Run: [Rcsh] "C:\Program Files\acai\weaa.exe" -vt yazr
    O4 - HKCU\..\Run: [Fqa] C:\WINDOWS\system32\r?gsvr32.exe
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccess/ie/bridge-c5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0003.exe
    O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005\AVSchSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
    O23 - Service: xhskhfcb - Unknown owner - C:\WINDOWS\system32\hfcb\xhsk.exe

    Let me know what else I should do, and thanks in advance :)
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2005
    Can you please do the following.

    Run the PurityScan uninstaller.

    ==

    Please download LQfix.exe from one of the following locations:

    http://www.downloads.subratam.org/LQfix.exe
    http://miekiemoes.geekstogo.com/tools/LQfix.exe

    Save it to your desktop.
    • Double-Click LQfix.exe and click Next > Next > Install.
    • Leave the default settings, if you change them, the fix will Fail!
    • You need an active Internet connection, so make sure your connection is enabled.
    • Now make sure the "Launch LQfix" box is checked.
    • Click the Finish button, after clicking the Finish button the fix will start.
    • Follow the on-screen prompts.
    • Your system will reboot afterwards.
    • Please be patient after the reboot, there is a script running in the background that needs to complete.

    ===============

    Go to Add/Remove programs and remove(uninstall) the following, if present:

    SurfSideKick

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Next, open a command prompt by:

    1. Clicking "Start", then "Run...".
    2. Enter "cmd" (without the quotes).
    3. Enter "services.msc" (without the quotes).

    -

    Now, locate and 'stop' the following services, if present:

    xhskhfcb owner ... (C:\WINDOWS\system32\hfcb\xhsk.exe)

    Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
    C:\WINDOWS\system32\yfrbkon\uysfd.exe
    C:\WINDOWS\system32\ygdo\faoksa.exe
    C:\program files\tvs\tvs_b.exe
    C:\Program Files\acai\weaa.exe
    C:\WINDOWS\system32\hfcb\xhsk.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Still in HiJackThis, click "Scan", then check(tick) the following, if present:


    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
    O2 - BHO: (no name) - {DA6F1837-DBAA-8D0A-8BAB-D628E65436C2} - C:\WINDOWS\system32\uowozcn.dll

    O4 - HKLM\..\Run: [omesxdpw] C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
    O4 - HKLM\..\Run: [uysfd] C:\WINDOWS\system32\yfrbkon\uysfd.exe
    O4 - HKLM\..\Run: [xhsk] C:\WINDOWS\system32\hfcb\xhsk.exe
    O4 - HKLM\..\Run: [faoksa] C:\WINDOWS\system32\ygdo\faoksa.exe
    O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
    O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
    O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINDOWS\srchupdt.exe
    O4 - HKLM\..\Run: [irassync] C:\WINDOWS\system32\irasyncd.exe
    O4 - HKCU\..\Run: [installer.exe] C:\Documents and Settings\zach edwards\Application Data\System Restore\installer.exe
    O4 - HKCU\..\Run: [ZQInContextactx1.exe] C:\WINDOWS\system32\ZQInContextactx1.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
    O4 - HKCU\..\Run: [Rcsh] "C:\Program Files\acai\weaa.exe" -vt yazr
    O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe

    O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
    O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c5.cab
    O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia.com/install/pcs_0003.exe
    O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.com/ax/adwerkz.cab

    O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)

    O23 - Service: xhskhfcb - Unknown owner - C:\WINDOWS\system32\hfcb\xhsk.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============


    When you're done, rescan your system and make sure the following isn't present:

    N3 - Netscape ... 5CSBWeb_01.src (or) 5CSBWeb_02.src

    If it is, then fix that entry again; sometimes it'll take more than one pass. The actual entry is ok, and won't be deleted, it's the java wrapper marked in red that needs to be removed.

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\WINDOWS\system32\lqkcibiy
    C:\WINDOWS\system32\yfrbkon
    C:\WINDOWS\system32\ygdo
    C:\program files\tvs
    C:\Program Files\acai
    C:\WINDOWS\system32\hfcb
    C:\Program Files\SurfSideKick 3
    C:\WINDOWS\system32\hfcb

    files...

    C:\WINDOWS\system32\uowozcn.dll
    C:\Program Files\Common Files\Java\ftkcpy.exe
    C:\WINDOWS\srchupdt.exe
    C:\WINDOWS\system32\irasyncd.exe
    C:\Documents and Settings\zach edwards\Application Data\System Restore\installer.exe
    C:\WINDOWS\system32\ZQInContextactx1.exe
    C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    To help protect your system from hostile ActiveX content, or special 'downloadable' files:

    Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

    1) Check for any available updates; if present, they'll be automatically downloaded and installed.
    2) Next, "Enable all protection".
    3) Exit the program.

    -

    Note: Remember to regularly check for updates.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
  • edited December 2005
    Things are definitely better, however I notice that WinAntivirus2005 is still showing up under O10 in the HJT, not sure if that is a problem, but I would like to get rid of it. Here is the new log:


    Logfile of HijackThis v1.99.1
    Scan saved at 5:50:25 PM, on 12/6/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Updater.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\??chost.exe
    C:\Program Files\acai\weaa.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\cleanup\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insignia-products.com
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {89CF0592-9209-CAA7-2C01-CC891C7B3192} - C:\WINDOWS\system32\qezgdzd.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2005\AVTray.exe
    O4 - HKCU\..\Run: [Dfmgaz] C:\WINDOWS\system32\??chost.exe
    O4 - HKCU\..\Run: [Rcsh] "C:\Program Files\acai\weaa.exe" -vt ndrv
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005\AVSchSvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe

    Let me know what remains to do, and thanks!
  • Crunchie, Mandurah, Western Australia. Member
    edited December 2005
    Did you run the PurityScan uninstaller? Doesn't look like you did??

    ==

    Can you please do the following.

    ===============

    Go to Add/Remove programs and remove(uninstall) the following, if present:

    WinAntiVirus 2005

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Download LSPFix and unzip to your desktop, then run it. Now, we need to:

    1. check(tick) "I know what i'm doing".
    2. click on (highlight) each occurrence of the following, one at a time:

    mailscan.dll

    3. then click ">>", moving each one, individually, to the 'Remove' pane.
    4. (double-check, and make sure that only the above files are in the 'Remove' pane.)
    5. click "Finish >>"


    ===============

    Now, let's open a command prompt by going to the start menu and then select 'Run'.

    In the box that pops up type in 'cmd'. The command prompt will open.

    OR

    You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

    regsvr32 /u qezgdzd.dll

    It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    C:\Program Files\acai\weaa.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Still in HiJackThis, click "Scan", then check(tick) the following, if present:


    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O2 - BHO: (no name) - {89CF0592-9209-CAA7-2C01-CC891C7B3192} - C:\WINDOWS\system32\qezgdzd.dll

    O4 - HKCU\..\Run: [Dfmgaz] C:\WINDOWS\system32\??chost.exe
    O4 - HKCU\..\Run: [Rcsh] "C:\Program Files\acai\weaa.exe" -vt ndrv

    O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005\AVSchSvc.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    C:\Program Files\acai
    c:\program files\winantivirus 2005

    files...

    C:\WINDOWS\system32\qezgdzd.dll

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
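    As an added example (not code from this thread or from HijackThis), here is a small Python triage script that applies the checks Crunchie is applying by eye to the logs above: orphaned entries, services with no owner, executables run from odd subfolders of system32, file names HijackThis shows with '?', unnamed BHOs in the system directory, and the O10 Winsock LSP hooks that call for LSPFix rather than file deletion. The heuristics are assumptions, and the sample log is constructed from entries posted in this thread; it is a first pass, not a substitute for reading the whole log.

```python
"""Triage helper for HijackThis 1.99.1 logs.

Added example for this thread; it is not part of HijackThis, and the
heuristics are assumptions modelled on the entries Crunchie singled out.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Entry lines look like "O4 - HKLM\..\Run: [name] path"; header and
# running-process lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
# First Windows path in the body ending in .exe/.dll/.sys; spaces allowed
# so that "C:\Program Files\..." is captured whole.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll|sys)', re.IGNORECASE)
# Executable launched from a subfolder of system32, e.g. system32\lqkcibiy\omesxdpw.exe.
SYS32_SUBDIR_EXE = re.compile(r"\\system32\\(?P<sub>[^\\]+)\\[^\\]+\.exe$", re.IGNORECASE)
# Legitimate system32 subfolders that do host executables (assumed allow-list).
KNOWN_SYS32_SUBDIRS = {"wbem", "spool", "drivers", "dllcache"}
# DLL sitting directly in system32 (no further subfolder).
SYS32_DLL = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section, e.g. "O4"
    reason: str  # why a human should look at it
    line: str    # the offending entry (or the LSP DLL path for O10)


def parse(log_text):
    """Yield (kind, body, line) for each HJT entry line in the log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("kind"), m.group("body"), line


def triage(log_text):
    """Return the entries a helper would ask about, in log order (LSP summary last)."""
    findings = []
    lsp_hooks = Counter()
    for kind, body, line in parse(log_text):
        if kind == "O10":
            # Count each LSP DLL; it has to be unhooked from the Winsock
            # chain (LSPFix), not just deleted, or networking breaks.
            lsp_hooks[body.split(":", 1)[1].strip().lower()] += 1
            continue
        if "(no file)" in body or "(file missing)" in body:
            findings.append(Finding(kind, "orphaned entry: referenced file is missing", line))
        if kind == "O23" and "Unknown owner" in body:
            findings.append(Finding(kind, "service with no vendor information", line))
        match = PATH_RE.search(body)
        if not match:
            continue
        path = match.group(0)
        if "?" in path:
            # HijackThis prints characters it cannot display as '?'; a name
            # like r?gsvr32.exe is a look-alike of a system binary, not the real one.
            findings.append(Finding(kind, "undisplayable character in file name (look-alike)", line))
        sub = SYS32_SUBDIR_EXE.search(path)
        if sub and sub.group("sub").lower() not in KNOWN_SYS32_SUBDIRS:
            findings.append(Finding(kind, "executable in a non-standard subfolder of system32", line))
        if kind == "O2" and body.startswith("BHO: (no name)") and SYS32_DLL.search(path):
            findings.append(Finding(kind, "unnamed BHO loaded from the system directory", line))
    for dll, n in lsp_hooks.items():
        findings.append(Finding("O10", f"Winsock LSP hook registered {n} time(s); "
                                       "remove with an LSP repair tool such as LSPFix, "
                                       "deleting the DLL alone breaks networking", dll))
    return findings


# Constructed sample: header lines plus entries copied from the logs in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {DA6F1837-DBAA-8D0A-8BAB-D628E65436C2} - C:\WINDOWS\system32\uowozcn.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [omesxdpw] C:\WINDOWS\system32\lqkcibiy\omesxdpw.exe
O4 - HKCU\..\Run: [Fqa] C:\WINDOWS\system32\r?gsvr32.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005\mailscan.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\system32\jkhhh.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: xhskhfcb - Unknown owner - C:\WINDOWS\system32\hfcb\xhsk.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:4} {f.reason}\n     {f.line}")
```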
  • edited December 2005
    Hi again,

    Yes, I did the PurityScan, and I followed all your instructions from your last post. Things seem to be cleaner, but I am still getting popups (even with the IE 6 popup blocker running). This is not my computer, so I'm wondering if some application he's installed is causing the popups. Thanks for your help, and please let me know what's next. Here is the new HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:46:51 AM, on 12/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Updater.exe
    C:\WINDOWS\SM1BG.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\cleanup\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insignia-products.com
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\zach edwards\Application Data\Mozilla\Profiles\default\2qxbkn8i.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
    O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
    O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2005\AVTray.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111401/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    Go to Start>Run and type in services.msc and make sure the messenger service is disabled. If not, set it to disabled.

    Go here and download then run Silent Runners.vbs. It generates a log. Please post the information back in this thread.
    If you have a script blocking program, please allow the file to run. It is not malicious.
  • edited December 2005
    Messenger was disabled in services.msc. Here is the Silent Runner Log:


    "Silent Runners.vbs", revision 41, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
    "IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
    "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
    "CHotkey" = "mHotkey.exe" ["Chicony"]
    "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
    "RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
    "Lexmark 5200 series" = ""C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"" ["Lexmark International, Inc."]
    "LXBTCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16" [MS]
    "FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
    "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
    "iRiver Updater" = "\Updater.exe" ["Moodlogic"]
    "SM1BG" = "C:\WINDOWS\SM1BG.EXE" ["Cypress Semiconductor"]
    "iTunesHelper" = "C:\Program Files\iTunes\iTunesHelper.exe" ["Apple Computer, Inc."]
    "BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" [file not found]
    "AVTray" = "C:\Program Files\WinAntiVirus 2005\AVTray.exe" [file not found]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
    INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
    mysqmnyg\(Default) = "{57fb28c9-72b1-4e1c-a84e-0d613f9c1b47}"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\kmqlk.dll" [file not found]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


    Active Desktop and Wallpaper:

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\zach edwards\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


    Enabled Screen Saver:

    HKCU\Control Panel\Desktop\
    "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{40D41A8B-D79B-43D7-99A7-9EE0F344C385}" = "AIM Search" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\AIM Toolbar\AIMBar.dll" ["America Online, Inc"]

    Explorer Bars

    Dormant Explorer Bars in "View, Explorer Bar" menu

    HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKCU\Software\Microsoft\Internet Explorer\Extensions\
    {AF6CABAB-61F9-4F12-A198-B7D41EF1CB52}\
    "ButtonText" = "WeatherBug"
    "CLSIDExtension" = "{AF6CABAB-61F9-4f12-A198-B7D41EF1CB52}"
    "Exec" = "C:\Program Files\AWS\WeatherBug\Weather.exe" [file not found]

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
    -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
    "ButtonText" = "AIM"
    "Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Miscellaneous IE Hijack Points

    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

    Added lines (compared with English-language version):
    [Strings]: START_PAGE_URL=http://www.bestbuy.msn.com

    Missing lines (compared with English-language version):
    [Strings]: 1 line


    Running Services (Display Name, Service Name, Path {Service DLL}):

    AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
    HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
    iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    5200 Series Port\Driver = "lxbtlmpm.DLL" ["Lexmark International, Inc."]
    Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 42 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 17 seconds.
    (total run time: 101 seconds)

    :confused:
  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    Other than an orphaned entry, I can see no cause for the continued popups :(. Can you identify the popups at all?
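Reading two logs like the ones above by hand is where entries get missed, so here is an added example (my own code, not anything posted in this thread and not part of HijackThis or Silent Runners) that triages HijackThis O4/O9/O20 lines and Silent Runners launch-point lines for the two things being looked at here: orphaned entries (HijackThis prints "(file missing)", Silent Runners prints "[file not found]") and entries naming the rogue product from this thread, WinAntiVirus 2005. The sample lines and the one-entry rogue list are constructed from the logs posted above. Two caveats the code makes visible: HijackThis 1.99.1 does not check whether an O4 target exists, so the AVTray and BearShare Run values only show as orphaned in the Silent Runners output; and Silent Runners' "INFECTION WARNING!" tag marks a launch-point type that malware commonly abuses, not a confirmed infection (it tags the Intel igfxcui entry and ewido in the log above too), so the code only reports on the bracketed file status, never on the tag alone.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the HijackThis and Silent Runners logs
# posted in this thread (a handful of lines, not the full logs).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2005\AVTray.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""
SR_SAMPLE = r"""
"AVTray" = "C:\Program Files\WinAntiVirus 2005\AVTray.exe" [file not found]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" [file not found]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]
mysqmnyg\(Default) = "{57fb28c9-72b1-4e1c-a84e-0d613f9c1b47}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\kmqlk.dll" [file not found]
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]
"""

ROGUE_NAMES = ("winantivirus",)   # constructed list: the rogue named in this thread

HJT_O4 = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?: \(file missing\))?$')
SR_VALUE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<cmd>.*)" \[(?P<vendor>[^\]]*)\]$')
SR_ARROW = re.compile(r'^-> \{CLSID\}\\InProcServer32\\\(Default\) = "(?P<path>[^"]*)" \[(?P<vendor>[^\]]*)\]$')
SR_NOTIFY = re.compile(r'^INFECTION WARNING! (?P<name>[^\\]+)\\DLLName = "(?P<path>[^"]*)" \[(?P<vendor>[^\]]*)\]$')


@dataclass
class Finding:
    source: str      # "hijackthis" or "silentrunners"
    label: str       # Run value name, Notify key, or context-menu handler name
    path: str
    severity: str    # "high" = act on it, "low" = worth a look
    reason: str


def extract_path(cmd: str) -> str:
    """Pull the executable/DLL path out of a Run-value command line,
    handling quoted paths, unquoted paths with spaces, and rundll32 hosts."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32 "):
        cmd = cmd[len("rundll32 "):]
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'.*?\.(?:exe|dll|scr|vbs)\b', cmd, re.IGNORECASE)
    return m.group(0) if m else cmd.split()[0]


def _check(source: str, label: str, path: str, orphan: bool,
           vendor: Optional[str] = None) -> List[Finding]:
    """The checks applied to one launch point. `vendor` is the bracketed Silent
    Runners annotation (publisher, "null data" or "file not found"); None for HJT."""
    out: List[Finding] = []
    if orphan:
        out.append(Finding(source, label, path, "high",
                           "orphaned entry: launch point names a file that no longer exists"))
    if any(r in path.lower() or r in label.lower() for r in ROGUE_NAMES):
        out.append(Finding(source, label, path, "high", "matches a known rogue product name"))
    if vendor is not None and vendor.lower() == "null data" and not orphan:
        out.append(Finding(source, label, path, "low", "file carries no publisher information"))
    return out


def triage_hjt(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        missing = "(file missing)" in line
        if m := HJT_O4.match(line):
            findings += _check("hijackthis", m.group("name"), extract_path(m.group("cmd")), missing)
        elif m := HJT_O20.match(line):
            findings += _check("hijackthis", m.group("name"), m.group("path"), missing)
        elif missing:   # any other line type HJT marks as orphaned (O9 buttons etc.)
            parts = line.split(" - ")
            path = parts[-1].replace("(file missing)", "").replace("(HKCU)", "").strip()
            findings += _check("hijackthis", parts[1] if len(parts) > 1 else line, path, True)
    return findings


def triage_silent_runners(text: str) -> List[Finding]:
    findings: List[Finding] = []
    last_label = "?"   # owner of the next "-> {CLSID}\InProcServer32" line
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SR_VALUE.match(line):
            last_label, vendor = m.group("name"), m.group("vendor").strip('"')
            findings += _check("silentrunners", last_label, extract_path(m.group("cmd")),
                               vendor.lower() == "file not found", vendor)
        elif m := SR_NOTIFY.match(line) or SR_ARROW.match(line):
            vendor = m.group("vendor").strip('"')
            label = m.group("name") if "name" in m.groupdict() else last_label
            findings += _check("silentrunners", label, m.group("path"),
                               vendor.lower() == "file not found", vendor)
        elif " = " in line:   # e.g. mysqmnyg\(Default) = "{CLSID}": remember the owner
            last_label = re.sub(r'\\\(Default\)$', '', line.split(" = ", 1)[0]).strip('"')
    return findings


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_silent_runners(SR_SAMPLE):
        print(f"[{f.severity}] {f.source}: {f.label} -> {f.path or '?'}: {f.reason}")
```

Run against the real logs, the "high" findings are the candidates to fix (remove the orphaned Run value or Notify key, delete the leftover handler) and the "low" ones are just files with no version-info publisher, which is common for legitimate software such as the Java updater in this log.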
  • edited December 2005
    It's the weirdest thing, a couple of reboots after I posted that log, the popups have stopped. Thank you for all your help. There's no way I would have attempted a cleanup without it.


    THANKS!!! :)
  • Crunchie (Mandurah, Western Australia), Member
    edited December 2005
    You are welcome :).

    ==

    Now that your PC is clean you need to follow these easy steps to keeping it this way:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

    Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

    Install and keep updated Ad-Aware SE and Spybot S&D.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


    Clear your Temp folders.
    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel >Internet Options.

    Under the General tab click the Delete temporary internet files,
    delete all Offline content as well. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.

    For XP users.
    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start>Run and type msconfig. Press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ==

    This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

    Include the link to the thread and detail why you need it reopened.

    If this is not your thread please start a New Topic.
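For the temp-folder part of the checklist above, here is an added example in Python (my own code, not from this thread). It empties the contents of the temp folders named in the steps without deleting the folders themselves, skips files a running program still has locked instead of aborting, defaults to a dry run so you can review what would go, and lists *.tmp files the way the Start > Search step does. It assumes a Python interpreter is available on the machine being cleaned; the environment variables it reads (TEMP, SystemRoot, SystemDrive) are the standard Windows ones, and on any other OS the missing ones are simply skipped.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List, Tuple


def windows_temp_locations() -> List[Path]:
    """Resolve the temp folders from the checklist (the user's Temp, the
    Windows Temp folder and C:\\temp) from the standard environment variables,
    so the same script works for whichever account runs it.
    Only folders that actually exist are returned."""
    candidates = [
        os.environ.get("TEMP"),                                  # Local Settings\Temp for this user
        os.path.join(os.environ.get("SystemRoot", ""), "Temp"),  # C:\WINDOWS\Temp
        os.environ.get("SystemDrive", "") + os.sep + "temp",     # C:\temp, if the machine has one
    ]
    return [Path(c) for c in candidates if c and Path(c).is_dir()]


def empty_folder(folder: Path, dry_run: bool = True) -> Tuple[List[Path], List[Path]]:
    """Delete the contents of `folder` but keep the folder itself ("contents but
    not the folder"). Entries that cannot be removed, e.g. a temp file still open
    by a running program, are reported in `skipped` rather than being fatal.
    With dry_run=True nothing is deleted; `removed` then lists what would go."""
    removed: List[Path] = []
    skipped: List[Path] = []
    if not folder.is_dir():
        return removed, skipped
    for entry in folder.iterdir():
        try:
            if not dry_run:
                if entry.is_dir() and not entry.is_symlink():
                    shutil.rmtree(entry)   # whole subtree
                else:
                    entry.unlink()         # a file, or the link itself
            removed.append(entry)
        except OSError:                    # PermissionError (locked file) is a subclass
            skipped.append(entry)
    return removed, skipped


def find_tmp_files(root: Path) -> List[Path]:
    """The Start > Search for '*.tmp' step as code: every *.tmp file below root."""
    return sorted(p for p in root.rglob("*.tmp") if p.is_file())


def clean_all(dry_run: bool = True) -> dict:
    """Run empty_folder over each temp location; returns counts per folder."""
    report = {}
    for folder in windows_temp_locations():
        removed, skipped = empty_folder(folder, dry_run=dry_run)
        report[str(folder)] = {"removed": len(removed), "skipped": len(skipped)}
    return report


def self_check() -> dict:
    """Exercise the functions on a constructed scratch tree and return what happened."""
    base = Path(tempfile.mkdtemp(prefix="tmpclean_"))
    (base / "a.tmp").write_text("x")
    (base / "sub").mkdir()
    (base / "sub" / "b.tmp").write_text("y")
    (base / "keep.txt").write_text("z")
    tmp_found = len(find_tmp_files(base))
    would_remove, _ = empty_folder(base, dry_run=True)
    after_dry = len(list(base.iterdir()))
    removed, skipped = empty_folder(base, dry_run=False)
    result = {"tmp_files_found": tmp_found, "dry_run_would_remove": len(would_remove),
              "entries_after_dry_run": after_dry, "removed": len(removed),
              "skipped": len(skipped), "folder_kept": base.is_dir(),
              "entries_left": len(list(base.iterdir()))}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    # Dry run by default: review the report, then call clean_all(dry_run=False).
    for folder, counts in clean_all().items():
        print(f"{folder}: would remove {counts['removed']}, locked/skipped {counts['skipped']}")
```

Files that show up as skipped belong to programs that are still running; close them or reboot first, which is also why the checklist has you do this after the cleanup rather than during it.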