
Getting rid of Shopping Wizard: need help with someone to look at log file, what do I do?

Here is the HijackThis profile, what do I do now? I also ran adware and SS; now I need to know what to do with it to get rid of Shopping Wizard!
Logfile of HijackThis v1.99.1
Scan saved at 6:27:51 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\ipts32.exe
F:\WINDOWS\eHome\ehRecvr.exe
F:\WINDOWS\eHome\ehSched.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\dllhost.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\ehome\ehtray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
F:\WINDOWS\eHome\ehmsas.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\WINDOWS\ntep.exe
F:\WINDOWS\system32\dwwin.exe
F:\Documents and Settings\Alex Gomez\Desktop\Hijak this\HijackThis.exe
F:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\seqjx.dll/sp.html#40078
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\seqjx.dll/sp.html#40078
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\seqjx.dll/sp.html#40078
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\seqjx.dll/sp.html#40078
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\seqjx.dll/sp.html#40078
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\seqjx.dll/sp.html#40078
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {1E647B7A-EC2A-37E3-8BD3-75DEF011D1A2} - F:\WINDOWS\system32\netvz32.dll (file missing)
O2 - BHO: Class - {2B60427A-478D-3AC3-AB7A-CB77D3C43454} - F:\WINDOWS\d3rw.dll (file missing)
O2 - BHO: Class - {4345094B-D54F-3ADB-E43E-5C54543C2100} - F:\WINDOWS\appsp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {545458DF-D4E5-5996-881B-C16F72DD5FF4} - F:\WINDOWS\system32\ieqq32.dll (file missing)
O2 - BHO: Class - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - F:\WINDOWS\mfcfh32.dll
O2 - BHO: Class - {64BC7D77-4AA1-8991-2D79-116794A9DB1B} - F:\WINDOWS\javain32.dll
O2 - BHO: Class - {827C372D-9F1E-0A71-C88F-75CE368DF56B} - F:\WINDOWS\system32\ipth.dll
O2 - BHO: Class - {AA44A5DE-979B-B3E7-BB11-CE4EC3DD4FFA} - F:\WINDOWS\mskc32.dll (file missing)
O2 - BHO: Class - {B29A8F6E-CBCD-2C45-A18F-CC06041BB1C5} - F:\WINDOWS\system32\atlsf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F8D02D56-1011-675D-ACC9-C07B02C902AB} - F:\WINDOWS\netwv32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [3.tmp] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\Run: [4.tmp] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [crwm32.exe] F:\WINDOWS\crwm32.exe
O4 - HKLM\..\Run: [3.tmp.exe] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\3.tmp.exe
O4 - HKLM\..\Run: [4.tmp.exe] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [AdwareAlert] F:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKLM\..\Run: [ntep.exe] F:\WINDOWS\ntep.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133664991803
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - F:\Documents and Settings\Alex Gomez\Desktop\SFUninstaller.exe" service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Comments

  • Crunchie Mandurah. Western Australia. Member
    edited December 2005
    Download CWShredder 2.19 from here.

    Download 'SpSeHjfix' to the desktop and then
    right click a blank part of the desktop and select new folder, call it spfix
    unzip the file into that folder.

    Disconnect from the net and Close ALL OPEN PROGRAMS.
    Run 'SpSeHjfix' and click on "Start Disinfection".
    When it's finished it will reboot your machine to finish the cleaning process.
    The tool creates a log of the fix which will appear in the folder.

    If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

    Run the shredder and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

    Reboot and post a fresh HJT log and the log that was created by 'SpSeHjfix'.
  • edited December 2005
    OK, I ran SpFix but it didn't reboot. I left it on for 1 hour, but it still has a log, so I'll post it all anyway.


    (12/11/05 1:39:22 PM) SPSeHjFix started v1.1.2
    (12/11/05 1:39:22 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (12/11/05 1:39:22 PM) Language: english
    (12/11/05 1:39:22 PM) Win-Path: F:\WINDOWS
    (12/11/05 1:39:22 PM) System-Path: F:\WINDOWS\system32
    (12/11/05 1:39:22 PM) Temp-Path: F:\DOCUME~1\ALEXGO~1\LOCALS~1\Temp\


    (12/11/05 1:39:40 PM) SPSeHjFix started v1.1.2
    (12/11/05 1:39:40 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (12/11/05 1:39:40 PM) Language: english
    (12/11/05 1:39:40 PM) Win-Path: F:\WINDOWS
    (12/11/05 1:39:40 PM) System-Path: F:\WINDOWS\system32
    (12/11/05 1:39:40 PM) Temp-Path: F:\DOCUME~1\ALEXGO~1\LOCALS~1\Temp\
    (12/11/05 1:39:49 PM) Disinfection started
    (12/11/05 1:39:49 PM) Bad-Dll(IEP): f:\windows\system32\nfyym.dll
    (12/11/05 1:39:49 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:39:49 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:39:49 PM) Bad IE-pages:
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://f:\windows\system32\nfyym.dll/sp.html#40078
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://f:\windows\system32\nfyym.dll/sp.html#40078
    deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://f:\windows\system32\nfyym.dll/sp.html#40078
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://f:\windows\system32\nfyym.dll/sp.html#40078
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
    deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://f:\windows\system32\nfyym.dll/sp.html#40078
    deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://f:\windows\system32\nfyym.dll/sp.html#40078
    (12/11/05 1:39:49 PM) Stealth-String not found
    (12/11/05 1:39:49 PM) No locked Files to delete. End without Reboot
    (12/11/05 1:39:53 PM) Disinfection started
    (12/11/05 1:39:53 PM) Bad-Dll(IEP): f:\windows\system32\nfyym.dll
    (12/11/05 1:39:53 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:39:53 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:39:53 PM) Bad IE-pages: (none)
    (12/11/05 1:39:53 PM) Stealth-String not found
    (12/11/05 1:39:53 PM) No locked Files to delete. End without Reboot
    (12/11/05 1:39:53 PM) Disinfection started
    (12/11/05 1:39:53 PM) Bad-Dll(IEP): f:\windows\system32\nfyym.dll
    (12/11/05 1:39:53 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:39:53 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:39:53 PM) Bad IE-pages: (none)
    (12/11/05 1:39:53 PM) Stealth-String not found
    (12/11/05 1:39:53 PM) No locked Files to delete. End without Reboot


    (12/11/05 1:40:56 PM) SPSeHjFix started v1.1.2
    (12/11/05 1:40:56 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (12/11/05 1:40:56 PM) Language: english
    (12/11/05 1:40:56 PM) Win-Path: F:\WINDOWS
    (12/11/05 1:40:56 PM) System-Path: F:\WINDOWS\system32
    (12/11/05 1:40:56 PM) Temp-Path: F:\DOCUME~1\ALEXGO~1\LOCALS~1\Temp\
    (12/11/05 1:40:58 PM) Disinfection started
    (12/11/05 1:40:58 PM) Bad-Dll(IEP): (not found)
    (12/11/05 1:40:58 PM) Bad-Dll(IEP) in BHO: (not found)
    (12/11/05 1:40:58 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:40:58 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:40:58 PM) Bad IE-pages: (none)
    (12/11/05 1:40:58 PM) Stealth-String not found
    (12/11/05 1:40:58 PM) Not infected->END


    (12/11/05 1:42:04 PM) SPSeHjFix started v1.1.2
    (12/11/05 1:42:04 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (12/11/05 1:42:04 PM) Language: english
    (12/11/05 1:42:04 PM) Win-Path: F:\WINDOWS
    (12/11/05 1:42:04 PM) System-Path: F:\WINDOWS\system32
    (12/11/05 1:42:04 PM) Temp-Path: F:\DOCUME~1\ALEXGO~1\LOCALS~1\Temp\
    (12/11/05 1:42:06 PM) Disinfection started
    (12/11/05 1:42:06 PM) Bad-Dll(IEP): (not found)
    (12/11/05 1:42:06 PM) Bad-Dll(IEP) in BHO: (not found)
    (12/11/05 1:42:06 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:42:06 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:42:06 PM) Bad IE-pages: (none)
    (12/11/05 1:42:06 PM) Stealth-String not found
    (12/11/05 1:42:06 PM) Not infected->END


    (12/11/05 1:44:35 PM) SPSeHjFix started v1.1.2
    (12/11/05 1:44:35 PM) OS: WinXP Service Pack 2 (5.1.2600)
    (12/11/05 1:44:35 PM) Language: english
    (12/11/05 1:44:35 PM) Win-Path: F:\WINDOWS
    (12/11/05 1:44:35 PM) System-Path: F:\WINDOWS\system32
    (12/11/05 1:44:35 PM) Temp-Path: F:\DOCUME~1\ALEXGO~1\LOCALS~1\Temp\
    (12/11/05 1:44:38 PM) Disinfection started
    (12/11/05 1:44:38 PM) Bad-Dll(IEP): (not found)
    (12/11/05 1:44:38 PM) Bad-Dll(IEP) in BHO: (not found)
    (12/11/05 1:44:38 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:44:38 PM) UBF: 8 - UBB: 12 - UBR: 13
    (12/11/05 1:44:38 PM) Bad IE-pages: (none)
    (12/11/05 1:44:38 PM) Stealth-String not found
    (12/11/05 1:44:38 PM) Not infected->END

    Logfile of HijackThis v1.99.1
    Scan saved at 2:29:54 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\ipts32.exe
    F:\WINDOWS\eHome\ehRecvr.exe
    F:\WINDOWS\eHome\ehSched.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\dllhost.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\ehome\ehtray.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\WINDOWS\sysiq.exe
    F:\WINDOWS\eHome\ehmsas.exe
    F:\WINDOWS\system32\wuauclt.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Documents and Settings\Alex Gomez\Desktop\Hijak this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Class - {6349FEE7-5F15-A825-5C1F-85D9535DF909} - F:\WINDOWS\system32\ipsc32.dll
    O2 - BHO: Class - {827C372D-9F1E-0A71-C88F-75CE368DF56B} - F:\WINDOWS\system32\ipth.dll
    O2 - BHO: Class - {99E151A3-83AD-2839-9875-D85435DB3675} - F:\WINDOWS\system32\appgw.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [4.tmp] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
    O4 - HKLM\..\Run: [3.tmp.exe] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\3.tmp.exe
    O4 - HKLM\..\Run: [AdwareAlert] F:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
    O4 - HKLM\..\Run: [sysiq.exe] F:\WINDOWS\sysiq.exe
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133664991803
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - F:\WINDOWS\ipts32.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - F:\Documents and Settings\Alex Gomez\Desktop\SFUninstaller.exe" service (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • Crunchie Mandurah. Western Australia. Member
    edited December 2005
    Can you please do the following.

    ===============

    Go to Add/Remove programs and remove(uninstall) the following, if present:

    AdwareAlert

    The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

    ===============

    Now, let's open a command prompt by going to the start menu and then select 'Run'.

    In the box that pops up type in 'cmd'. The command prompt will open.

    OR

    You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

    regsvr32 /u ipsc32.dll
    regsvr32 /u ipth.dll
    regsvr32 /u appgw.dll

    It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

    ===============

    Go to Start>Run and type in services.msc and hit enter.

    Now, locate and 'stop' the following services, if present:

    Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) owner ... (F:\WINDOWS\ipts32.exe)

    Look carefully, since the name of the service (above) can be anywhere in the entry; also be careful not to 'stop' any required system services. Once stopped, set this service to disabled.

    ===============

    Run HiJackThis then:

    1. Click "Open the Misc Tools Section"
    2. Click "Open Process manager"

    -

    Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

    F:\WINDOWS\ipts32.exe
    F:\WINDOWS\sysiq.exe

    Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

    ===============

    Still in HiJackThis, click "Scan", then check(tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {6349FEE7-5F15-A825-5C1F-85D9535DF909} - F:\WINDOWS\system32\ipsc32.dll
    O2 - BHO: Class - {827C372D-9F1E-0A71-C88F-75CE368DF56B} - F:\WINDOWS\system32\ipth.dll
    O2 - BHO: Class - {99E151A3-83AD-2839-9875-D85435DB3675} - F:\WINDOWS\system32\appgw.dll

    O4 - HKLM\..\Run: [4.tmp] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
    O4 - HKLM\..\Run: [3.tmp.exe] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\3.tmp.exe
    O4 - HKLM\..\Run: [AdwareAlert] F:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
    O4 - HKLM\..\Run: [sysiq.exe] F:\WINDOWS\sysiq.exe

    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - F:\WINDOWS\ipts32.exe


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    folders...

    F:\Program Files\AdwareAlert

    files...

    F:\WINDOWS\ipts32.exe
    F:\WINDOWS\sysiq.exe
    F:\WINDOWS\system32\leadf.dll
    F:\WINDOWS\system32\ipsc32.dll
    F:\WINDOWS\system32\ipth.dll
    F:\WINDOWS\system32\appgw.dll
    F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
    F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\3.tmp.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
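
Added example (not part of the original thread, and not code from HijackThis or any poster): a Python sketch of the kind of triage the checklist above applies, run over lines abridged from the 12/9 and 12/11 logs posted earlier in this thread. The heuristics and the names `triage` and `renamed_between` are assumptions made for illustration; they pick out entries for a person to review, not verdicts.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    code: str    # HijackThis section code, e.g. "R1", "O4"
    reason: str  # heuristic that matched (assumed rules, not HijackThis logic)
    path: str    # file the entry points at

# Sample input: lines abridged from the 12/9 and 12/11 logs in this thread.
SCAN_DEC09 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\seqjx.dll/sp.html#40078
O2 - BHO: Class - {5FEDC98C-99C9-9B34-BD6C-E567DD3175C2} - F:\WINDOWS\mfcfh32.dll
O2 - BHO: Class - {827C372D-9F1E-0A71-C88F-75CE368DF56B} - F:\WINDOWS\system32\ipth.dll
O4 - HKLM\..\Run: [4.tmp] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [crwm32.exe] F:\WINDOWS\crwm32.exe
"""
# The NSS service line is shortened: its garbled display-name suffix is left out.
SCAN_DEC11 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\leadf.dll/sp.html#40078
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {6349FEE7-5F15-A825-5C1F-85D9535DF909} - F:\WINDOWS\system32\ipsc32.dll
O2 - BHO: Class - {827C372D-9F1E-0A71-C88F-75CE368DF56B} - F:\WINDOWS\system32\ipth.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [4.tmp] F:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\4.tmp.exe
O4 - HKLM\..\Run: [sysiq.exe] F:\WINDOWS\sysiq.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: Network Security Service (NSS) - Unknown owner - F:\WINDOWS\ipts32.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^\s*([RO]\d+) - (.*)$")
RES_DLL_RE = re.compile(r"= res://(.+?\.dll)/", re.I)
RUN_RE = re.compile(r'HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[.*?\] "?(.+?\.exe)', re.I)
WIN_DLL_RE = re.compile(r"^[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\]+\.dll$", re.I)
WIN_ROOT_EXE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+\.exe$", re.I)

def _clean(path):
    """Drop HijackThis's '(file missing)' marker and surrounding quotes."""
    return path.replace(" (file missing)", "").strip().strip('"')

def triage(log_text):
    """Return entries matching the assumed heuristics, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank or running-process line
        code, body = m.group(1), m.group(2).strip()
        if code in ("R0", "R1"):
            # IE search/start page pointing at a resource inside a local DLL.
            hit = RES_DLL_RE.search(body)
            if hit:
                findings.append(Finding(code, "IE page served from a DLL resource", hit.group(1)))
        elif code == "O2":
            # BHO with the generic name "Class" loaded from WINDOWS or system32.
            parts = body.split(" - ", 2)
            if len(parts) == 3 and parts[0] == "BHO: Class" and WIN_DLL_RE.match(_clean(parts[2])):
                findings.append(Finding(code, "generic-named BHO in Windows directory", _clean(parts[2])))
        elif code == "O4":
            # Autorun target in a Temp folder or directly in the WINDOWS root.
            hit = RUN_RE.match(body)
            if hit and "\\temp\\" in hit.group(1).lower():
                findings.append(Finding(code, "autorun from a Temp folder", hit.group(1)))
            elif hit and WIN_ROOT_EXE_RE.match(hit.group(1)):
                findings.append(Finding(code, "autorun executable in WINDOWS root", hit.group(1)))
        elif code == "O23":
            # Service with no vendor string whose binary sits in the WINDOWS root.
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3 and parts[1] == "Unknown owner" and WIN_ROOT_EXE_RE.match(_clean(parts[2])):
                findings.append(Finding(code, "unknown-owner service in WINDOWS root", _clean(parts[2])))
    return findings

def renamed_between(old_log, new_log):
    """File names flagged in only one of two scans: (gone, new), each sorted."""
    def names(log):
        return {f.path.rsplit("\\", 1)[-1].lower() for f in triage(log)}
    old, new = names(old_log), names(new_log)
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    for f in triage(SCAN_DEC11):
        print(f"{f.code:4} {f.reason:40} {f.path}")
    print(renamed_between(SCAN_DEC09, SCAN_DEC11))
```

Comparing the two scans shows the flagged file names changing between 12/9 and 12/11 while the `sp.html#40078` resource in the R entries stays the same, so a list of file names from one log does not carry over to the next scan.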
  • edited December 2005
    I couldn't remove adware from program list, did it manually, couldn't find. I also couldn't remove Shopping Wizard and wasn't able to find
    regsvr32 /u ipsc32.dll
    regsvr32 /u ipth.dll
    regsvr32 /u appgw.dll
    Stopped Network Security (NSS), couldn't stop process ipts32.exe, but here's the new log.
    Logfile of HijackThis v1.99.1
    Scan saved at 4:31:56 PM, on 12/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\eHome\ehRecvr.exe
    F:\WINDOWS\eHome\ehSched.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    F:\WINDOWS\system32\dllhost.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\d3jt32.exe
    F:\WINDOWS\ehome\ehtray.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\WINDOWS\cryv32.exe
    F:\WINDOWS\eHome\ehmsas.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Documents and Settings\Alex Gomez\Desktop\Hijak this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\ttwen.dll/sp.html#40078
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\ttwen.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\ttwen.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\ttwen.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\ttwen.dll/sp.html#40078
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\ttwen.dll/sp.html#40078
    R3 - Default URLSearchHook is missing
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Class - {DB18D626-27BB-9CC6-9A93-CF0127F28A43} - F:\WINDOWS\system32\mfcis32.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [cryv32.exe] F:\WINDOWS\cryv32.exe
    O4 - HKLM\..\RunOnce: [d3jt32.exe] F:\WINDOWS\d3jt32.exe
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133664991803
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - F:\WINDOWS\ipts32.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - F:\Documents and Settings\Alex Gomez\Desktop\SFUninstaller.exe" service (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • Crunchie Mandurah. Western Australia. Member
    edited December 2005
    Run CWShredder and press the *fix,* not scan. Close all browser and explorer windows before hitting the fix button.

    ===============

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    ===============

    Download AboutBuster 5:

    http://www.besttechie.net/tools/AboutBuster5.zip
    http://www.malwarebytes.biz/AboutBuster5.zip

    Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

    Click Update. This will start updating AboutBuster with the latest definition database.

    Once it's done updating and you see that dialog, click Ok.

    Close AboutBuster.

    Reboot into safe mode following the instructions here.

    Start AboutBuster and click Begin Removal.

    When the scan is done, click Ok.


    Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

    Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
  • edited December 2005
    OK, here is the HJT log and the Ewido log
    Logfile of HijackThis v1.99.1
    Scan saved at 9:52:21 PM, on 12/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\eHome\ehRecvr.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\eHome\ehSched.exe
    F:\Program Files\ewido\security suite\ewidoctrl.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\ewido\security suite\ewidoguard.exe
    F:\WINDOWS\ehome\ehtray.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    F:\WINDOWS\system32\dllhost.exe
    F:\WINDOWS\eHome\ehmsas.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\WINDOWS\system32\NOTEPAD.EXE
    F:\Documents and Settings\Alex Gomez\Desktop\hijakthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {49CB795A-4D6B-373C-0880-D8EDECE1F536} - F:\WINDOWS\system32\ntia.dll (file missing)
    O2 - BHO: Class - {7382945A-DEFF-E060-35E9-E407FEE2E5E9} - F:\WINDOWS\msmr.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Class - {DB18D626-27BB-9CC6-9A93-CF0127F28A43} - F:\WINDOWS\system32\mfcis32.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [cryv32.exe] F:\WINDOWS\cryv32.exe
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133664991803
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - F:\WINDOWS\d3jt32.exe" /s (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - F:\Documents and Settings\Alex Gomez\Desktop\SFUninstaller.exe" service (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    now Ewido
    ewido security suite - Scan report

    + Created on: 9:42:49 PM, 12/13/2005
    + Report-Checksum: 756B6B1B

    + Scan result:



    ::Report End
  • Crunchie Mandurah. Western Australia. Member
    edited December 2005
    Can you please do the following.

    ===============

    Run HiJackThis, click "Scan", then check (tick) the following, if present:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078

    R3 - Default URLSearchHook is missing

    O2 - BHO: Class - {49CB795A-4D6B-373C-0880-D8EDECE1F536} - F:\WINDOWS\system32\ntia.dll (file missing)
    O2 - BHO: Class - {7382945A-DEFF-E060-35E9-E407FEE2E5E9} - F:\WINDOWS\msmr.dll (file missing)
    O2 - BHO: Class - {DB18D626-27BB-9CC6-9A93-CF0127F28A43} - F:\WINDOWS\system32\mfcis32.dll (file missing)

    O4 - HKLM\..\Run: [cryv32.exe] F:\WINDOWS\cryv32.exe

    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - F:\WINDOWS\d3jt32.exe" /s (file missing)


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

    files...

    F:\WINDOWS\system32\lpufs.dll
    F:\WINDOWS\cryv32.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

    -

    Reboot.

    ===============

    After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
  • edited December 2005
    I love you Crunchie, it's amazing the things you can do with your mind. Thanks man, it's gone I think, but in HJT there's a file called SFu uninstaller there, file not found. I couldn't get rid of it, but oh well, I think the Shopping Wizard is gone. Just in case, here's the log!

    Logfile of HijackThis v1.99.1
    Scan saved at 3:25:19 PM, on 12/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\system32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    F:\WINDOWS\system32\spoolsv.exe
    F:\WINDOWS\eHome\ehRecvr.exe
    F:\WINDOWS\eHome\ehSched.exe
    F:\Program Files\ewido\security suite\ewidoctrl.exe
    F:\Program Files\ewido\security suite\ewidoguard.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    F:\WINDOWS\system32\Ati2evxx.exe
    F:\WINDOWS\Explorer.EXE
    F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    F:\WINDOWS\system32\dllhost.exe
    F:\WINDOWS\ehome\ehtray.exe
    F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    F:\WINDOWS\eHome\ehmsas.exe
    F:\Program Files\Common Files\Symantec Shared\ccApp.exe
    F:\Program Files\Messenger\msmsgs.exe
    F:\Program Files\Internet Explorer\iexplore.exe
    F:\Documents and Settings\Alex Gomez\Desktop\hijakthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133664991803
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - F:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - F:\Program Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - F:\Documents and Settings\Alex Gomez\Desktop\SFUninstaller.exe" service (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • Crunchie Mandurah. Western Australia. Member
    edited December 2005
    Go to:

    Start>>Run and type regedit
    Press enter.
    Navigate to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SmartFinder Uninstall (SmartFinder_Uninstall)

    If SmartFinder Uninstall (SmartFinder_Uninstall) exists, right click on it and choose delete from the menu.

    Now navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SmartFinder Uninstall (SmartFinder_Uninstall)

    If LEGACY_SmartFinder Uninstall (SmartFinder_Uninstall) exists then right click on it and choose delete from the menu.

    ==

    Delete SFUninstaller.exe if there and you should be ok.

    ==

    Congratulations! Your log looks clean - good work!

    ===============

    Now that your PC is clean, you need to follow these easy steps to keep it this way:

    Secure your Internet Explorer by going here and following the instructions there.

    Better yet, use an alternative browser! Download Firefox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which, in my opinion, is better still.

    Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.

    Install and keep updated, Ad-Aware SE, and Spybot S&D.
    Run them both on a regular basis, following the manufacturer's recommendations.

    Install an anti-virus. There are some good, free AVs available today. Make sure that it is updated regularly and have it scan your system often.

    Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.


    Clear your Temp folders.
    Clear out your Temporary internet files and other temp files.
    Go to Start > Settings > Control Panel > Internet Options.

    Under the General tab click the Delete temporary internet files,
    delete all Offline content as well. Clear out Cookies.

    Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

    Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

    C:\Documents and Settings\username\Local Settings\Temp\

    In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

    Empty the Recycle Bin.

    For XP users.
    After something like this it is a good idea to Flush the Restore Points and start fresh.
    To flush the XP system Restore Points.

    Go to Start>Run and type msconfig. Press enter.

    When msconfig opens, click the Launch System Restore Button.
    On the next page, click the System Restore Settings link on the left.

    Check the box labelled 'Turn off System restore'.

    Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

    Note that all previous restore points will be lost.

    ===============

    If you have any more problems, post back.

    -

    Happy surfing,

    crunchie.
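
The entries picked out for fixing in this thread share a few visible patterns: registry entries whose target is "(file missing)", Internet Explorer search pages served from a `res://` DLL, services with "Unknown owner", and autoruns sitting directly in the Windows directory. The sketch below is an added example, not part of any post in the thread; the heuristics and function names are assumptions, the sample lines are copied from the logs above, and a hit is a prompt for manual review rather than a verdict.

```python
import re

# Constructed sample: entries copied from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\system32\lpufs.dll/sp.html#40078
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
O2 - BHO: Class - {49CB795A-4D6B-373C-0880-D8EDECE1F536} - F:\WINDOWS\system32\ntia.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [cryv32.exe] F:\WINDOWS\cryv32.exe
O4 - HKLM\..\Run: [ehTray] F:\WINDOWS\ehome\ehtray.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SmartFinder Uninstall (SmartFinder_Uninstall) - Unknown owner - F:\Documents and Settings\Alex Gomez\Desktop\SFUninstaller.exe" service (file missing)
"""

# A HijackThis entry line is "<section code> - <detail>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")

def parse(log_text):
    """Return (section, detail) tuples for each HijackThis entry line."""
    return [m.groups() for m in map(ENTRY.match, log_text.splitlines()) if m]

def triage(section, detail):
    """Return review reasons for one entry (empty list = nothing flagged)."""
    reasons = []
    low = detail.rstrip().lower()
    if low.endswith("(file missing)"):
        reasons.append("orphaned: entry points at a file that no longer exists")
    if section in ("R0", "R1") and "= res://" in low and ".dll/" in low:
        reasons.append("IE search/start page served from a local DLL resource")
    if section == "O23" and " - unknown owner - " in low:
        reasons.append("service binary reports no company name")
    # Heuristic: an .exe directly in <drive>:\WINDOWS\, not in a subfolder.
    if section == "O4" and re.search(r"\]\s*\"?[a-z]:\\windows\\[^\\]+\.exe", low):
        reasons.append("autorun executable sits directly in the Windows directory")
    return reasons

def review(log_text):
    """Map each flagged entry to its reasons, preserving log order."""
    return {f"{s} - {d}": r for s, d in parse(log_text) if (r := triage(s, d))}

if __name__ == "__main__":
    for entry, reasons in review(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

The "ATI Smart" service is flagged only because its owner field is empty, which shows why each hit still needs a person to check the file before anything is fixed or deleted.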