
Help me remove spyware and hijack tools

Hi, mine is Windows XP and I'm a heavy broadband user. Recently my system dropped in processing speed and was probably hit by some viruses and spyware. I scanned my system with AVG Free and it showed infected items which it failed to delete, two in the registry.

Spyware Doctor didn't find anything.

This is my HijackThis log file

Logfile of HijackThis v1.99.1
Scan saved at 11:33:26 AM, on 9/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\WINDOWS\System32\wdfmgr.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\igfxtray.exe
D:\WINDOWS\System32\hkcmd.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\DAP\DAP.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\DJ\hijak\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4EAE2070-5B93-6236-A33C-739C546C3F7C} - D:\WINDOWS\ikhhe1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Messenger\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gwiz] D:\WINDOWS\System32\ntsystem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe

I tried scanning using Panda ActiveScan and it showed the following entries

Potentially unwanted tool:Application/Restart Not disinfected D:\WINDOWS\system32\Tools\Restart.exe
Potentially unwanted tool:Application/FunWeb Not disinfected D:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Hacktool:Exploit/LoadImage Not disinfected D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\WHGF4ZGR\p[1].anr
Spyware:Cookie/Mediaplex Not disinfected D:\Documents and Settings\Praveen\Cookies\praveen@mediaplex[1].txt
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Praveen\Cookies\praveen@ad.yieldmanager[2].txt
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Praveen\Cookies\praveen@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Zedo Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.c5.zedo.com/]
Spyware:Cookie/Zedo Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.zedo.com/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[media.fastclick.net/]
Spyware:Cookie/FastClick Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/YieldManager Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Com.com Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Serving-sys Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Adtech Not disinfected D:\Documents and Settings\Praveen\Application Data\Mozilla\Firefox\Profiles\cgt90kuu.default\cookies.txt[.adtech.de/]

So how should I proceed next?

Thanks in advance
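For anyone triaging a log like the one above, here is an added example (not from this thread and not part of HijackThis itself) that parses lines in the HijackThis v1.99.1 format into structured entries and applies a few defender-side triage rules: registry hooks marked "(file missing)", HKLM Run values that start an unexpected executable from System32, and DPF ActiveX controls fetched from an external URL. The sample log lines are constructed from the format above, and the small System32 allowlist is an assumption made for this example, not an authoritative list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the HijackThis v1.99.1 line format (same shape as the log
# posted above): a few representative entries, not a complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {4EAE2070-5B93-6236-A33C-739C546C3F7C} - D:\WINDOWS\ikhhe1.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [gwiz] D:\WINDOWS\System32\ntsystem.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Illustrative allowlist (an assumption for this example): System32 programs that
# legitimately appear as Run values in the log above. Not an authoritative list.
KNOWN_SYSTEM32_STARTUP = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe"}

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^HK\w+\\\.\.\\[\w ]+: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING = "(file missing)"

@dataclass
class Entry:
    section: str                  # HijackThis section code, e.g. "O4"
    body: str                     # text after "O4 - "
    name: Optional[str] = None    # display name or Run value name
    clsid: Optional[str] = None   # first {CLSID} in the entry, if any
    target: Optional[str] = None  # file path, command line or URL
    file_missing: bool = False    # HijackThis could not find the referenced file

@dataclass
class Finding:
    section: str
    target: str
    reason: str

def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry; None for non-entry lines
    (headers, process list, blank lines). Leading forum indentation is tolerated."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    e = Entry(section=section, body=body)
    if body.endswith(MISSING):
        e.file_missing = True
        body = body[: -len(MISSING)].strip()
    c = CLSID_RE.search(body)
    e.clsid = c.group(0) if c else None
    if section == "O4":                        # "HKLM\..\Run: [name] command"
        m4 = O4_RE.match(body)
        if m4:
            e.name, e.target = m4.group("name"), m4.group("cmd").strip()
    elif section.startswith("R"):              # "registry value = URL"
        key, sep, val = body.partition(" = ")
        e.name, e.target = key, (val if sep else None)
    else:                                      # "Kind: name - {CLSID} - path"
        parts = [p.strip() for p in body.split(" - ")]
        head = parts[0]
        e.name = head.split(": ", 1)[1] if ": " in head else head
        e.target = parts[-1] if len(parts) >= 2 else None
    return e

def program_path(cmd: str) -> str:
    """Path of the program a Run command launches (handles quoted paths)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd.split() else cmd

def triage(entries: List[Entry]) -> List[Finding]:
    """Defender-side triage rules over parsed entries; each hit is a Finding."""
    out: List[Finding] = []
    for e in entries:
        if e.file_missing and e.target:
            out.append(Finding(e.section, e.target,
                "references a file that is gone: orphaned hook or leftover of a removed program"))
        elif e.section == "O4" and e.target:
            prog = program_path(e.target)
            exe = prog.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in prog.lower() and exe not in KNOWN_SYSTEM32_STARTUP:
                out.append(Finding(e.section, prog,
                    f"Run value [{e.name}] starts an unexpected System32 executable; verify with AV"))
        elif e.section == "O16" and e.target and e.target.lower().startswith("http"):
            out.append(Finding(e.section, e.target,
                "ActiveX control installed from an external URL; keep only scanners you chose"))
    return out

def analyze(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the triage findings."""
    entries = [e for e in (parse_entry(ln) for ln in log_text.splitlines()) if e]
    return triage(entries)
```

Run on the sample, `analyze(SAMPLE_LOG)` flags the [gwiz] Run value, the two "(file missing)" hooks and the imgfarm DPF control, and leaves the Intel, AVG and Spyware Doctor entries alone.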

Comments

  • edited September 2006
    Someone out there please help me.
    Whenever I start up, AVG Anti-Virus alerts me of "Virus Found Small".
    It points to a file at c:\anp.exe
    and a trojan in my Temporary Internet Files folder as p[1], which AVG failed to delete; instead it prompts me to move it to the vault.

    I have Spyware Doctor installed, which shows me a clean run.

    I scanned my PC with Ad-Aware and it cleaned 11 registry entries.
    When I scan with Spybot, it scans for a while and restarts my PC.
    I've tried it several times.

    With Panda ActiveScan:

    Potentially unwanted tool:Application/Restart Not disinfected D:\WINDOWS\system32\Tools\Restart.exe
    Potentially unwanted tool:Application/FunWeb Not disinfected D:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
    Hacktool:Exploit/LoadImage Not disinfected D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\KDIFWL6N\p[1].anr
    Hacktool:Exploit/LoadImage Not disinfected D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\TW43D1OP\p[1].anr
    Spyware:Cookie/myaffiliateprogram Not disinfected D:\Documents and Settings\Praveen\Cookies\praveen@www.myaffiliateprogram[1].txt

    and Kaspersky found

    24 viruses and
    56 infected objects

    C:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP12\change.log Object is locked skipped
    D:\WINDOWS\system32\config\system.LOG Object is locked skipped
    D:\WINDOWS\system32\config\software.LOG Object is locked skipped
    D:\WINDOWS\system32\config\default.LOG Object is locked skipped
    D:\WINDOWS\system32\config\SECURITY Object is locked skipped
    D:\WINDOWS\system32\config\SAM Object is locked skipped
    D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    D:\WINDOWS\system32\ntsystem.exe Infected: Trojan-Clicker.Win32.Agent.hg skipped
    D:\WINDOWS\Temp\ZLT00d88.TMP Object is locked skipped
    D:\WINDOWS\Temp\ZLT00d8b.TMP Object is locked skipped
    D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    D:\WINDOWS\Debug\oakley.log Object is locked skipped
    D:\WINDOWS\SchedLgU.Txt Object is locked skipped
    D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    D:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    D:\WINDOWS\Internet Logs\HOME.ldb Object is locked skipped
    D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    D:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    D:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    D:\Documents and Settings\Praveen\NTUSER.DAT Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\Temp\Perflib_Perfdata_6f8.dat Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\History\History.IE5\index.dat Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\History\History.IE5\MSHist012006091120060912\index.dat Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\KDIFWL6N\p[1].anr Infected: Trojan-Downloader.Win32.Ani.c skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\I11UZI5O\top[1].exe Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\CT6B412F\ads[2].htm Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\TW43D1OP\p[1].anr Infected: Trojan-Downloader.Win32.Ani.c skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\TW43D1OP\count[1].htm/QQ.EXE Infected: Trojan-Downloader.Win32.Agent.ue skipped
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\TW43D1OP\count[1].htm CHM: infected - 1 skipped
    D:\Documents and Settings\Praveen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    D:\Documents and Settings\Praveen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    D:\Documents and Settings\Praveen\Cookies\index.dat Object is locked skipped
    D:\Documents and Settings\Praveen\ntuser.dat.LOG Object is locked skipped
    D:\Program Files\Internet Explorer\PLUGINS\system.jmp Infected: Trojan-PSW.Win32.Delf.oc skipped
    D:\Program Files\Internet Explorer\PLUGINS\system.sys Infected: Trojan-PSW.Win32.Delf.oc skipped
    D:\Program Files\Internet Explorer\IEXPLORE.Dat Infected: Trojan-PSW.Win32.Delf.pj skipped
    D:\Program Files\Internet Explorer\IEXPLORE.Tmp Infected: Trojan-PSW.Win32.Delf.pj skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP1\A0000006.DLL Infected: not-a-virus:AdWare.Win32.LinkOptimizer.a skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP8\A0003884.exe Infected: Trojan-Clicker.Win32.Agent.hg skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0005982.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0005983.sys Infected: Trojan-PSW.Win32.Delf.oc skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0005994.scr Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0005995.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0005999.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.al skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006000.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006001.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006002.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.af skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006004.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006005.SCR Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006006.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.v skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006007.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006008.EXE Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006009.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006010.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.aq skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006011.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006013.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.w skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006014.DLL Infected: not-a-virus:AdWare.Win32.IWon.a skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006016.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006017.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.as skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006018.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ad skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006020.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006021.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.ab skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006022.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006023.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006092.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006102.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006103.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006104.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006105.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006106.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006108.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.an skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP11\snapshot\MFEX-1.DAT Infected: Trojan-PSW.Win32.Delf.pj skipped
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP12\change.log Object is locked skipped
    E:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP12\change.log Object is locked skipped
    E:\setup\illusionxs.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    E:\setup\illusionxs.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    E:\setup\illusionxs.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
    E:\setup\illusionxs.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
    E:\setup\illusionxs.exe WiseSFX: infected - 4 skipped
    E:\setup\illusionxs.exe WiseSFX Dropper: infected - 4 skipped
    E:\setup\angry123.exe/WISE0014.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    E:\setup\angry123.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    E:\setup\angry123.exe/WISE0016.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
    E:\setup\angry123.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
    E:\setup\angry123.exe WiseSFX: infected - 4 skipped
    E:\setup\angry123.exe WiseSFX Dropper: infected - 4 skipped
    F:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP12\change.log Object is locked skipped

    I have installed Zone Alarm.

    Finally, here is my HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 5:17:15 PM, on 9/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\System32\igfxtray.exe
    D:\WINDOWS\System32\hkcmd.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Program Files\Spyware Doctor\swdoctor.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Spyware Doctor\sdhelp.exe
    D:\WINDOWS\System32\wdfmgr.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\Documents and Settings\Praveen\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {4EAE2070-5B93-6236-A33C-739C546C3F7C} - D:\WINDOWS\ikhhe1.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Messenger\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gwiz] D:\WINDOWS\System32\ntsystem.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
  • TroganTrogan London, UK
    edited September 2006
    Hi, you have a new infection and I don't think there is a tool available for it yet. Let's try this:

    First, I don't see any indication of a Firewall in your HijackThis log. This may be because:

    (1.) You are using Windows Firewall or a hardware Firewall.
    (2.) You are using a Firewall of an unknown vendor.
    (3.) You are using a Firewall, but it is disabled for unknown reasons
    (4.) You don't use any firewall at all.

    In case you don't have a Firewall, please download one from the list below - they are free!

    Zone Alarm << I recommend this
    Sunbelt Kerio PF
    Outpost Firewall

    =====

    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!

    Double-click ATF Cleaner.exe to open it.

    Under Main select the following:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.

    =====

    You may wish to Print or Save the following instructions, as the internet will not be available once in Safe Mode!

    Please download Ewido to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install Ewido by double clicking the installer.
    • Follow the prompts. Make sure that Launch Ewido is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
        Note: If the Update now option is grayed out, follow the steps below.
        • Click on Update on the toolbar.
        • Under Manual update, click on the Start Update button.
        • Wait until you see the Update successful message.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot back into Normal Mode, and post a new HJT log, along with the Ewido log.
  • edited September 2006
    Thanks for your response.
    I've done what you asked me to do.

    Regarding the firewall, I got ZoneAlarm installed even before posting my previous HJT log.
    Don't know how it is missed in the log.

    Here is my New HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:25:42 PM, on 9/11/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\csrss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\ZONELABS\vsmon.exe
    D:\WINDOWS\Explorer.EXE
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\WINDOWS\System32\igfxtray.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\WINDOWS\System32\hkcmd.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    D:\Documents and Settings\Praveen\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
    D:\Documents and Settings\Praveen\Desktop\Ewido\ewido anti-spyware 4.0\ewido.exe
    D:\Program Files\Spyware Doctor\swdoctor.exe
    D:\WINDOWS\System32\ctfmon.exe
    D:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    D:\Program Files\Spyware Doctor\sdhelp.exe
    D:\WINDOWS\System32\wdfmgr.exe
    D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    D:\Documents and Settings\Praveen\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://in.rd.companion.yahoo.com/slv/ycheck/as/*http://search.yahoo.com/search?p=%s
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Class - {4EAE2070-5B93-6236-A33C-739C546C3F7C} - D:\WINDOWS\ikhhe1.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Messenger\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gwiz] D:\WINDOWS\System32\ntsystem.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [!ewido] "D:\Documents and Settings\Praveen\Desktop\Ewido\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\PROGRA~1\YAHOO!\COMMON\yhexbmesin.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
    O17 - HKLM\System\CS2\Services\Tcpip\..\{3C985004-C84C-4698-990C-10F4C6CC69A5}: NameServer = 192.168.1.1
    O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - D:\Documents and Settings\Praveen\Desktop\Ewido\ewido anti-spyware 4.0\guard.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

    EWIDO scan report:

    ewido anti-spyware - Scan Report

    + Created at: 9:18:17 PM 9/11/2006

    + Scan result:

    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP1\A0000006.DLL -> Adware.LinkOptimizer : Cleaned with backup (quarantined).
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006102.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006103.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006104.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006105.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP9\A0006106.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
    HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
    D:\Program Files\Yahoo!\Messenger\ycomp.dll -> Adware.Yahoo : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\CLIV8X2R\137[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\CLIV8X2R\popup_code[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\I11UZI5O\137[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\3I8J3POH\newtan[1].js -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\I11UZI5O\Ntan[1].js -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Local Settings\Temporary Internet Files\Content.IE5\TW43D1OP\Ntan[1].js -> Hijacker.Agent.a : Cleaned with backup (quarantined).
    D:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : Cleaned with backup (quarantined).
    D:\System Volume Information\_restore{CB60C6C3-7A11-4002-AFBE-B9AFED45DF17}\RP11\snapshot\MFEX-1.DAT -> Logger.Delf.ps : Cleaned with backup (quarantined).
    [736] D:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : Error during cleaning.
    [928] D:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : Error during cleaning.
    [944] D:\Program Files\Internet Explorer\IEXPLORE.Dat -> Logger.Delf.ps : Error during cleaning.
    D:\Documents and Settings\Praveen\Cookies\praveen@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
    D:\Documents and Settings\Praveen\Cookies\praveen@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
    D:\Program Files\Internet Explorer\PLUGINS\system.jmp -> Trojan.Delf.oc : Cleaned with backup (quarantined).


    ::Report end

    The Yahoo toolbar, equipped with a pop-up blocker, keeps on blocking pop-ups; as of now, in an hour it has blocked 1034 pop-ups, and AVG is alerting me about the Trojans in my temp directory, which prompts me to move them to the vault.

    After installing all these software, my PC is terribly slow.
    So what's next?
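A rule-based triage pass over HJT lines like the ones posted above, as an added example (not code from the thread or from HijackThis): it flags orphaned "(file missing)" entries, the generic "Class" BHO loaded from the Windows root, and the unlabelled System32 autostart, while leaving the Adobe, Intel and ctfmon entries alone. The System32 allowlist and the selection of sample lines are constructed for this example.

```python
import re

# One HJT line is "<section> - <description>"; GUIDs and paths follow inside the description.
LINE_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# Constructed allowlist: System32 autostarts the posted logs show as legitimate.
KNOWN_SYSTEM32_AUTOSTARTS = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe"}

# Sample input: lines copied from the HJT log posted above (a constructed selection).
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: Class - {4EAE2070-5B93-6236-A33C-739C546C3F7C} - D:\WINDOWS\ikhhe1.dll (file missing)",
    r"O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [gwiz] D:\WINDOWS\System32\ntsystem.exe",
    r'O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe",
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
]

def triage(lines):
    """Return [(section, [reasons], line)] for entries that deserve a closer look."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        # Rule 1: registry entry still pointing at a file that no longer exists (leftover of a partial cleanup).
        if "(file missing)" in body:
            reasons.append("orphaned reference")
        # Rule 2: BHO with a generic display name, or a DLL sitting directly in the Windows root.
        if section == "O2":
            name = body.split(" - ")[0].replace("BHO: ", "")
            path = body.split(" - ")[-1]
            if name.lower() == "class" or re.search(r"\\WINDOWS\\[^\\]+\.dll\b", path, re.I):
                reasons.append("generic BHO name or Windows-root DLL")
        # Rule 3: autostart launched from System32 whose executable is not on the allowlist.
        if section == "O4" and re.search(r"\\system32\\", body, re.I):
            exes = re.findall(r"[^\\\"\[\]\s]+\.exe", body, re.I)  # last token is the basename
            if exes and exes[-1].lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
                reasons.append("unexpected System32 autostart")
        if reasons:
            findings.append((section, reasons, line))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```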
  • TroganTrogan London, UK
    edited September 2006
    You have a rootkit on your PC. Rootkits are very difficult to remove because they "hide" themselves from other tools. You can never be sure that you have got all of the rootkit.

    If this were my PC, I would format and reinstall the operating system.

    Let me know what you want to do.