# Internet needs SPORDER.dll???



## judson04 (Jun 11, 2005)

I recently downloaded and have been using F-Secure Anti-Virus, which I got from a sponsored link on Microsoft.com. I also use Microsoft AntiSpyware. Using one of the aforementioned, I think I deleted a system file or something that I needed. It was most likely with F-Secure, which was unable to disinfect most of my hundreds of files that were said to be infected, so I told the program to delete them. Now AIM, Mozilla and IE give me error messages that say "Unable to locate Component...... This application has failed to start because SPORDER.dll was not found. Re-installing the application may fix the problem." I have tried doing a System Restore, after which it told me no changes were made to my computer. I cannot seem to find some kind of undo thing in either of the programs. My computer came with Windows, and I don't have a copy to reinstall. Any ideas?


----------



## yto_daniel (Mar 25, 2005)

You could try downloading and replacing the file from here.
http://www.dll-files.com/dllindex/dll-files.shtml?sporder

Daniel - YourTechOnline.com technician


----------



## MFDnNC (Sep 7, 2004)

It is part of webhancer - a baddie

SpywareBlaster 3.4 http://majorgeeks.com/download2859.html
AdAware SE 1.06 http://www.majorgeeks.com/download506.html - * NEW *
SpyBot V1.4 http://www.majorgeeks.com/download2471.html * NEW *
MS AntiSpy - http://download.microsoft.com/downl...-fca2f2c6f0cc/MicrosoftAntiSpywareInstall.exe (XP and W2K only)

DL them (they are free), install them, *check each for their definition updates* and then run AdAware and Spybot, fixing anything they say.

In SpywareBlaster - Always enable all protection after updates
In SpyBot - After an update run immunize

Do these and reboot before the next step.

Then get HiJack This V1.99.1 http://thespykiller.co.uk/files/hijackthis_sfx.exe - double click the DL file and let it extract to its default folder C:\Program Files\HiJackThis. Run it from there, *DO NOT fix* anything, and post the log here.


----------



## judson04 (Jun 11, 2005)

Where do I put it, and how do I get it on my computer? I'm on my laptop right now.


----------



## MFDnNC (Sep 7, 2004)

See if it is in Add/Remove Programs.


----------



## Blitze105 (May 28, 2005)

Try a new antivirus first... if you are infected it needs to be fixed... 
http://www.dll-files.com/dllindex/dll-files.shtml?sporder 
There you may get that file if you are missing it. 
-blitze


----------



## judson04 (Jun 11, 2005)

I can't access the internet on my computer. It says "limited or no connectivity." My connection is fine, because I'm on my laptop right now, but when I plug in the cord that goes from the USB port of my desktop computer into the modem, reconnecting my desktop computer, it even says "limited or no connectivity" on my laptop. When I unplug the cord to my other computer, my laptop runs fine.


----------



## MFDnNC (Sep 7, 2004)

You need to remove some things, webhancer is a malware program - you want it off your system


----------



## MFDnNC (Sep 7, 2004)

That is a symptom of what webhancer does

You can try using this - DL http://www.cexx.org/lspfix.htm

Launch the LSP application, and click the "I know what I'm doing" checkbox.

Then click Finish.


----------



## judson04 (Jun 11, 2005)

I cannot access the internet though. Nothing involving the internet works


----------



## MFDnNC (Sep 7, 2004)

Use a floppy or burn a cd using your laptop


----------



## Blitze105 (May 28, 2005)

Actually it'd be better to use Ad-Aware and Spybot. Put them on a disk, then run them, then put the .dll back. I think that'd fix your problem..
-blitze


----------



## judson04 (Jun 11, 2005)

Where do I put sporder.dll?


----------



## MFDnNC (Sep 7, 2004)

Blitze105 said:


> Actually it'd be better to use Ad-Aware and Spybot. Put them on a disk, then run them, then put the .dll back. I think that'd fix your problem..
> -blitze


Blitze, quit contradicting me - that dll is part of malware and needs to be removed from the system!


----------



## yto_daniel (Mar 25, 2005)

sporder.dll properties:

General
Type of file: Application Extension
Opens with: Unknown application
Location: C:\WINDOWS\system32
Size: 8.26KB (8,464 bytes) (shows as 9KB in Explorer)
Size on disk: 12.0KB (12,288 bytes)
Created: Monday, March 25, 2002
Modified: Wednesday, October 03, 2001 1:22PM
File version: 5.0.2066.1
Description: WinSock2 reorder service providers
Copyright: Copyright (C) Microsoft Corp. 1981-1999
Company: Microsoft Corporation
Internal Name: sporder.dll
Language: English (United States)
Original File name: sporder.dll
Product Name: Microsoft(R) Windows(R) 2000 Operating System

sporder.dll is a Microsoft DLL file.

Daniel - YourTechOnline.com technician


----------



## MFDnNC (Sep 7, 2004)

Judson, if you do not want my advice to clean the mess on your system just let me know, but I guarantee you will have trouble with your system - or in your case, continue to have trouble.


----------



## MFDnNC (Sep 7, 2004)

http://www.spyany.com/program/article_spy_rm_webHancer.html


----------



## judson04 (Jun 11, 2005)

So I mean, now I am getting conflicting advice. My computer is not running properly; nearly everything seems to need SPORDER.dll and I cannot access the internet whatsoever. Someone please leave a slightly easier to understand list of things I need to do, in order. I'm sorry to be a hassle, but my computer is pretty much useless right now.


----------



## yto_daniel (Mar 25, 2005)

There are 2 ways to resolve your problem: either download sporder.dll and put it back in C:\windows\system32, or follow MFDnSC's advice and download/run LSPfix. If you simply replace sporder.dll, I would also suggest running LSPfix as MFDnSC suggested, so that you don't encounter this problem in the future.

Daniel - YourTechOnline.com technician


----------



## judson04 (Jun 11, 2005)

What is the LSPfix again? How do I get it on there without the internet? Thanks everyone


----------



## yto_daniel (Mar 25, 2005)

MFDnSC said:


> That is a symptom of what webhancer does
> 
> You can try using this - DL http://www.cexx.org/lspfix.htm
> 
> ...


Follow the above instructions, copy the LSPfix to a floppy or CD, and then move it to the system that is not working properly.

Daniel - YourTechOnline.com technician


----------



## Blitze105 (May 28, 2005)

judson04 said:


> What is the LSPfix again? How do I get it on there without the internet? Thanks everyone


Hello, 
I will break it down for you, ok? You are on a computer right now, obviously accessing the internet. Go to the site I gave you, and download the zip file. Then insert a floppy disk and save the file to that disk. To do that, find where you downloaded the file to, then go to it and right click it. From there, click Send To >, choose Floppy A. Now, boot up the laptop? and put in the floppy disk once you're on the computer. Then do this, click:
*Start -> My Computer -> C -> Windows -> System32.* Minimize that.

Then go to:
*Start -> My Computer -> Floppy A -> right click the file and hit Copy.*

Hope that fixes it....
-blitze

PS
Funny thing, I don't have that .dll.. hmm
Then go to: 
*Start -> My Documents.* Right click on empty space and hit Paste. Now, double click the file and unzip it again to My Documents. You will see a new .dll file in My Documents now. Right click the new .dll file and then open the window that we minimized. Right click and hit Paste.


----------



## judson04 (Jun 11, 2005)

Thanks to everyone. All I did was put that DLL file back and my comp is now back on the internet. To prevent things like this from happening again, is it a bad idea to tell my antivirus/antispyware software to delete files they say are bad? Is F-Secure not very good? Besides AVG/Norton (I have used free trials already), is there a better free antivirus software program? Also, should I use all of these that were mentioned in this thread? Spybot, Microsoft AS, Spy Doctor, Ad-Aware something, and LSPfix regularly, and do pretty much everything they tell me to do that sounds good? Also, how come System Restore wouldn't fix the problem? I know I asked a lot of questions, sorry to take up so much time, but I will be done after these are answered. Thanks again!


----------



## MFDnNC (Sep 7, 2004)

You need to post a HiJackThis log


----------



## judson04 (Jun 11, 2005)

In addition to everything I said above, or instead of?


----------



## Blitze105 (May 28, 2005)

Use Spybot, Ad-Aware Personal, SpywareBlaster, and Microsoft AntiSpyware. For an AV I suggest AVG.. it is completely free, not just a trial.
-blitze


----------



## yto_daniel (Mar 25, 2005)

Now that your computer is back on the internet, you should be able to download the tools that MFDnSC previously suggested, and post a hijackthis log so that your machine can be properly cleaned. The presence of that sporder.dll file suggests that you may have a spyware problem that needs to be dealt with.

Daniel - YourTechOnline.com technician


----------



## MFDnNC (Sep 7, 2004)

yto_daniel said:


> Now that your computer is back on the internet, you should be able to download the tools that MFDnSC previously suggested, and post a hijackthis log so that your machine can be properly cleaned. The presence of that sporder.dll file suggests that you may have a spyware problem that needs to be dealt with.
> 
> Daniel - YourTechOnline.com technician


Thanks YTO


----------



## judson04 (Jun 11, 2005)

I will post my hijackthis log soon. I am installing all of those tools now. But you said, "the presence of that dll file...." I thought the dll file was good? It seems my computer doesn't work without it.


----------



## yto_daniel (Mar 25, 2005)

That file is a Microsoft file, but some common spyware programs copy it onto your system for additional functionality of the spyware itself. It has legitimate uses in legitimate software (MSN Explorer for example), but posting the HijackThis log will tell us if that is the case in your situation.

Daniel - YourTechOnline.com technician


----------



## judson04 (Jun 11, 2005)

Ok, just copied all the software. Should I run these AS programs before I scan with hijackthis so that maybe the programs can fix some of the problems first?


----------



## yto_daniel (Mar 25, 2005)

Yes, update and run all the programs previously suggested, then post a HijackThis log.


----------



## judson04 (Jun 11, 2005)

During the installation for Spybot, I checked under permanent protection "system set up protection" or something like that.. It wasn't checked in the default installation settings; was this a good idea?


----------



## judson04 (Jun 11, 2005)

It's TeaTimer or something.


----------



## MFDnNC (Sep 7, 2004)

TeaTimer is good - it warns you when anything is trying to change the registry


----------



## judson04 (Jun 11, 2005)

I just ran Ad-Aware SE, and I was about to run Spybot, but after Ad-Aware was finished deleting stuff, now I'm getting this error message from Spybot that says an important registry entry has been changed. It's prompting me to allow or deny it, and either one that I click just brings the window back up.


----------



## MFDnNC (Sep 7, 2004)

That is TeaTimer reacting to Ad-Aware's changes - allow it/them


----------



## judson04 (Jun 11, 2005)

I can't find where to allow. Also, Spy Doctor says I need to pay to remove the files or something like that. In addition, Ad-Aware has some stuff in quarantine; should I "delete archive" of stuff in the quarantine? If I delete the archive, does that just delete the record of it or the actual files?


----------



## MFDnNC (Sep 7, 2004)

Forget Spy Doctor

TeaTimer gives valid popups; that's where the allow happens

If Ad-Aware says it's bad, delete it and forget about quarantine


----------



## Blitze105 (May 28, 2005)

Spy Doctor has been known to make fake entries... so you'll buy the product to "fix" the computer
-blitze


----------



## judson04 (Jun 11, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 8:57:19 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.exe
C:\head891238.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\F-Secure Anti-Virus\FSGUI\fsguiexe.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: SuperBar - {A46C26EE-78EE-456A-B85E-1D707F1CB82E} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19d7634aa89e68149f05/netzip/RdxIE601.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/proactauthwb/internetwasherpro.cab
O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Anything need deletion?

To delete stuff, do you do "fix selected"?


----------



## MFDnNC (Sep 7, 2004)

Blitze105 said:


> Spy Doctor has been known to make fake entries... so you'll buy the product to "fix" the computer
> -blitze


That was a lot of help


----------



## MFDnNC (Sep 7, 2004)

Download CWShredder http://www.intermute.com/products/cwshredder.html
Close all browser windows, open cwshredder.exe, then click "Fix" and let it run.

Download About:Buster from:
http://www.majorgeeks.com/download4289.html 
Double click aboutbuster.exe, click Update, click OK, click Start, then click OK.

Run ActiveScan online virus scan

http://www.pandasoftware.com/activescan/

When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

Print this and boot to safe mode (Start tapping F8 at the first black screen after power up)
Fix these with HJT

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>

O2 - BHO: (no name) - SOFTWARE - (no file)

O3 - Toolbar: SuperBar - {A46C26EE-78EE-456A-B85E-1D707F1CB82E} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)

O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe

O4 - HKLM\..\Run: [Windows Services Hosts] svhosts.exe

O4 - HKLM\..\Run: [Lsass] C:\aight.exe

O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe

O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded

O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe

O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/mini...ransporter.cab?

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/19d7634aa89e68...ip/RdxIE601.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab

View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab. 
Make sure that "Show hidden files and folders" is checked. 
Also uncheck "Hide protected operating system files". 
Uncheck hide extensions
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files

C:\aight.exe
C:\head891238.exe
C:\DOCUMENTS AND SETTINGS\Tyler\LOCAL SETTINGS\Temp - all files and folders

Delete these folders

C:\Program Files\SuperBar

START  RUN  type in %temp% OK - Edit  Select all  File  Delete
Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp
Empty the recycle bin
Boot and post a new log

*Please give feedback on what worked/didnt work and the current status of your system*


----------



## dvk01 (Dec 14, 2002)

If you haven't already carried out the above advice, could you please do this first.

Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to the desktop. Open it & paste in this list of files, and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files

C:\WINDOWS\userint32.exe
C:\aight.exe
C:\head891238.exe
C:\WINDOWS\System32\svhosts.exe


----------



## dvk01 (Dec 14, 2002)

Oh and fix this entry in HJT as well please when you follow Mfdnsc's excellent advice 

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe


----------



## MFDnNC (Sep 7, 2004)

dvk01 said:


> Oh and fix this entry in HJT as well please when you follow Mfdnsc's excellent advice
> 
> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe


DVK you are too kind


----------



## judson04 (Jun 11, 2005)

dvk01 said:


> If you haven't already carried out the above advice, could you please do this first.
> 
> Download Suspicious File Packer from http://www.safer-networking.org/en/tools/index.html and unzip it to the desktop. Open it & paste in this list of files, and when it has created the archive on your desktop please upload that to http://www.thespykiller.co.uk/forum/index.php?board=1.0 so we can examine the files
> ...


I could not access the safer-networking link. So what should I go about first? Sorry it took me so long, I've been working a lot and have been frustrated with this confounded computer and wanted a break from it. If no one responds pretty soon I'm probably going to head to bed, and I'll try your "excellent advice" tomorrow afternoon. Thanks again for everyone's help.


----------



## judson04 (Jun 11, 2005)

A lot of the things you told me to delete I cannot find. Maybe a spyware program deleted them or something, but when I uploaded these files to virusscan.jotti.org it said that they were 0 bytes and "a firewall or program of malware is likely prohibiting you from loading these files." And I cannot see c:\aight or userint32.exe, or the folder SuperBar in Program Files.


----------



## judson04 (Jun 11, 2005)

When I open C:\windows, the first things are all these weird folders that are like $NTuninstallB234234$. I still cannot see those files, but I searched for "aight" and found aight.exe-08Df....pf. Should I delete it?


----------



## dvk01 (Dec 14, 2002)

All these $NTuninstallB234234$ are Windows uninstall files, so leave them alone. 
The .pf entries in the prefetch folder are harmless, but it is OK to delete all the contents of the prefetch folder on a regular basis.

Safer Networking and all the other Spybot domains seem to be down at the moment, so I've uploaded a copy to my webspace on a temporary basis & you can get it from there

www.thespykiller.co.uk/files/sfp.zip


----------



## judson04 (Jun 11, 2005)

Now my display settings are on the lowest and there is no option to increase the resolution. Also, I have the archive of the files you requested, I don't understand how to upload it in your forum, all I see is how to paste a thread. What next?


----------



## dvk01 (Dec 14, 2002)

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files. 
Just press New Topic, fill in the needed details and just give a link to your post here, & then press the Browse button and navigate to & select the files on your computer. If there is more than 1 file then press the More Attachments button for each extra file and browse and select etc., and then when all the files are listed in the window press Send to upload the files.


----------



## dvk01 (Dec 14, 2002)

And also post a new HijackThis log here so we can see exactly what is happening now.

When your resolution doesn't change it normally means something has happened to the graphics card drivers, but let's see what the log shows first.


----------



## judson04 (Jun 11, 2005)

http://www.thespykiller.co.uk/forum/index.php?topic=351.0


----------



## judson04 (Jun 11, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 3:33:07 AM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/proactauthwb/internetwasherpro.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


----------



## judson04 (Jun 11, 2005)

Is PC OnPoint good? I just fixed problems it said I had.


----------



## dvk01 (Dec 14, 2002)

When I see this entry
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

it normally means that some start-ups have been disabled using MSConfig.

Open msconfig and enable EVERYTHING on the Startup tab and post a new full HijackThis log so we can check.


----------



## dvk01 (Dec 14, 2002)

And I can't see any graphics card drivers running, which is quite unusual for XP, so

please do this:

open HJT, press config/misc tools and tick both boxes about empty & minor sections, then press generate start up list and post that log back here as well, please.


----------



## judson04 (Jun 11, 2005)

My graphics are fixed now somehow, once I enabled all. Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:32:25 AM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\documents and settings\tranz\local settings\temp\n.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\asferror.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
F3 - REG:win.ini: load=??????	??????????
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Judson.D98NH621\Local Settings\Temp\qesTz.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ZHRM] C:\WINDOWS\ZHRM.exe
O4 - HKLM\..\Run: [yEuaaR] C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [wFrS3mW] pngoops.exe
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [vujzmvxkp] C:\WINDOWS\System32\ihiotdk.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\tyler\local settings\temp\fsg_4104a.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [Show meow download program] C:\Documents and Settings\All Users\Application Data\Thunk hole show meow\BendThunk.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\kxucbz.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [n] C:\documents and settings\tranz\local settings\temp\n.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JXEPZHU] C:\WINDOWS\JXEPZHU.exe
O4 - HKLM\..\Run: [ISAK] C:\WINDOWS\ISAK.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [hvwazH.exe] c:\windows\system32\hvwazH.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [dscqyigvkeh] C:\WINDOWS\System32\ihiotdk.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [CLxr7br] C:\windows\system32\CLxr7br.exe
O4 - HKLM\..\Run: [CIPVFM] C:\WINDOWS\CIPVFM.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bokja] C:\WINDOWS\bokja.exe
O4 - HKLM\..\Run: [blpvlrdo] C:\WINDOWS\myjxlzyi.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [WeatherCast] "C:\Program Files\WeatherCast\Weather.exe" /q
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [stupidping] \INTERN~1\multiexit.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [ho02RgaFi] ircshare.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: BullGuard Update.lnk = C:\Program Files\BullGuard\avxlive.exe
O4 - Global Startup: BullGuard.lnk = C:\Program Files\BullGuard\mgui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/proactauthwb/internetwasherpro.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


----------



## dvk01 (Dec 14, 2002)

I assume you are using F-Secure antivirus, so before we do anything else

go to Add/Remove Programs & uninstall any of these listed:

spywarebegone
BullGuard
BearShare
My Daily Horoscope
Web Offer
Kazaa
Anything that says McAfee
Anything that says Norton or Symantec

SearchUpgrader
Spyware Stormer
Viewpoint
Winad Client
Save or Save Now
Envolvo
isearch
Anything that says P2P Networking probably 2 or 3 of them 

New dot net 

Then reboot and open HJT & press config/misc tools/uninstall manager/press save list and post that so we can see what else is lurking there.


----------



## judson04 (Jun 11, 2005)

I don't see any of those. Should I?


----------



## judson04 (Jun 11, 2005)

I deleted Save, Winad Client, BullGuard, Norton, Symantec all by hand; I found them in Program Files and whatnot.


----------



## judson04 (Jun 11, 2005)

Actually, BullGuard won't let me delete it. Nothing in c:\windows\temp will let me delete it, and there's a good amount of stuff.


----------



## dvk01 (Dec 14, 2002)

OK, new HJT log and let's do it from scratch.


----------



## judson04 (Jun 11, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 5:25:40 AM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\asferror.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
F3 - REG:win.ini: load=??????	??????????
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ZHRM] C:\WINDOWS\ZHRM.exe
O4 - HKLM\..\Run: [yEuaaR] C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [wFrS3mW] pngoops.exe
O4 - HKLM\..\Run: [vujzmvxkp] C:\WINDOWS\System32\ihiotdk.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [updater] "C:\Program Files\MSN Apps\Updater\01.02.0000.2693\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\tyler\local settings\temp\fsg_4104a.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [Show meow download program] C:\Documents and Settings\All Users\Application Data\Thunk hole show meow\BendThunk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\kxucbz.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [n] C:\documents and settings\tranz\local settings\temp\n.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JXEPZHU] C:\WINDOWS\JXEPZHU.exe
O4 - HKLM\..\Run: [ISAK] C:\WINDOWS\ISAK.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [hvwazH.exe] c:\windows\system32\hvwazH.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [dscqyigvkeh] C:\WINDOWS\System32\ihiotdk.exe
O4 - HKLM\..\Run: [CIPVFM] C:\WINDOWS\CIPVFM.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bokja] C:\WINDOWS\bokja.exe
O4 - HKLM\..\Run: [blpvlrdo] C:\WINDOWS\myjxlzyi.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [stupidping] \INTERN~1\multiexit.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [ho02RgaFi] ircshare.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: BullGuard Update.lnk = C:\Program Files\BullGuard\avxlive.exe
O4 - Global Startup: BullGuard.lnk = C:\Program Files\BullGuard\mgui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/proactauthwb/internetwasherpro.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
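
An added example, not part of this thread: a small Python triage script that applies to log lines like the ones above the same checks the helper applies by eye (the MSConfig /auto entry meaning start-ups were disabled, Run entries whose program sits in a Temp folder, in the drive root or is a bare file name, an extra executable on the system.ini Shell= line, and a redirected SearchURL). The sample lines are copied from the logs posted in this thread; the heuristics, regexes and function names are my own and not HijackThis's.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied from the HijackThis v1.99.1 logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Judson.D98NH621\Local Settings\Temp\qesTz.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [yEuaaR] C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [wFrS3mW] pngoops.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


@dataclass(frozen=True)
class Finding:
    line: str    # the log line the finding is about
    level: str   # "info" or "suspect"
    reason: str


# HijackThis line shapes this script understands (O4 = Run keys, O2 = browser helper objects).
_O4_LINE = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O2_LINE = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (?P<path>.*)$", re.IGNORECASE)
# Path heuristics the thread applies by eye (my own, hypothetical rules).
_TEMP_DIR = re.compile(r"\\(local settings\\)?temp\\", re.IGNORECASE)
_DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
_IMAGE_EXT = re.compile(r'\.(exe|dll|scr|pif)(?=$|\s|")', re.IGNORECASE)


def image_path(cmd: str) -> str:
    """Cut the program image out of a Run-key command line (handles quoting and trailing arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = _IMAGE_EXT.search(cmd)
    return cmd[: m.end()] if m else cmd.split(" ")[0]


def path_reasons(path: str) -> list[str]:
    """Why the location of a program image alone makes an entry worth a second look."""
    if "\\" not in path:
        return ["bare file name, resolved through the search PATH at logon"]
    if _TEMP_DIR.search(path):
        return ["program image lives in a Temp folder"]
    if _DRIVE_ROOT.match(path):
        return ["program image sits in the root of the drive"]
    return []


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries a helper would ask about first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("R1 - ") and "SearchURL" in line and " = " in line:
            url = line.split(" = ", 1)[1].strip()
            if url not in ("", "about:blank"):
                host = url.split("/")[2] if url.count("/") >= 2 else url
                findings.append(Finding(line, "suspect", f"search URL redirected to {host}"))
        elif line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(Finding(line, "suspect", "extra program appended to the Shell= value"))
        elif (m := _O2_LINE.match(line)):
            findings += [Finding(line, "suspect", r) for r in path_reasons(m["path"].strip())]
        elif (m := _O4_LINE.match(line)):
            path = image_path(m["cmd"])
            if m["name"] == "MSConfig" and path.lower().endswith("msconfig.exe"):
                # The /auto entry means start-ups were disabled in msconfig, so the log is incomplete.
                findings.append(Finding(line, "info", "start-ups disabled via msconfig; re-enable all and re-scan"))
            else:
                findings += [Finding(line, "suspect", r) for r in path_reasons(path)]
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.level:7}] {f.reason}\n          {f.line}")
```

Entries in Program Files or System32 with a vendor name (gcasServ, the Lexmark service) produce no finding, which is the point: location alone separates most of the junk in these logs from the legitimate software.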


----------



## dvk01 (Dec 14, 2002)

Some of the files won't exist, so just make a note of any that say cannot delete and don't worry if Killbox says does not seem to exist.

Download AdAware SE 1.06 from http://www.lavasoft.com and install it if you haven't already got it. If you have it, then make sure it is updated and configured as described later in this post.

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily.

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run HijackThis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\userint32.exe
F3 - REG:win.ini: load=?????? ??????????
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Judson.D98NH621\Local Settings\Temp\qesTz.dll
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] "C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe" /HideUninstall /HideDir /PC="CP.WILD" /ForSupportedBrowsers /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [ZHRM] C:\WINDOWS\ZHRM.exe
O4 - HKLM\..\Run: [yEuaaR] C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
O4 - HKLM\..\Run: [Windows Service Manager] C:\WINDOWS\userint32.exe
O4 - HKLM\..\Run: [Winad Client] C:\Program Files\Winad Client\Winad.exe
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - HKLM\..\Run: [wFrS3mW] pngoops.exe
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
O4 - HKLM\..\Run: [wdskctl] C:\WINDOWS\wdskctl.exe
O4 - HKLM\..\Run: [vujzmvxkp] C:\WINDOWS\System32\ihiotdk.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\tyler\local settings\temp\fsg_4104a.exe"
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [Show meow download program] C:\Documents and Settings\All Users\Application Data\Thunk hole show meow\BendThunk.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\kxucbz.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [n] C:\documents and settings\tranz\local settings\temp\n.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [Lsass] C:\aight.exe
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [JXEPZHU] C:\WINDOWS\JXEPZHU.exe
O4 - HKLM\..\Run: [ISAK] C:\WINDOWS\ISAK.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [hvwazH.exe] c:\windows\system32\hvwazH.exe

O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
O4 - HKLM\..\Run: [eanth_system_patcher] C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe /Startup
O4 - HKLM\..\Run: [dscqyigvkeh] C:\WINDOWS\System32\ihiotdk.exe
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [CLxr7br] C:\windows\system32\CLxr7br.exe
O4 - HKLM\..\Run: [CIPVFM] C:\WINDOWS\CIPVFM.exe

O4 - HKLM\..\Run: [bokja] C:\WINDOWS\bokja.exe
O4 - HKLM\..\Run: [blpvlrdo] C:\WINDOWS\myjxlzyi.exe

O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\BullGuard\\bdmcon.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.13R] C:\head891238.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\automove.exe

O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe

O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe

O4 - HKCU\..\Run: [stupidping] \INTERN~1\multiexit.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan

O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\System32\nssys32.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE

O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [ho02RgaFi] ircshare.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

O4 - Global Startup: BullGuard Update.lnk = C:\Program Files\BullGuard\avxlive.exe
O4 - Global Startup: BullGuard.lnk = C:\Program Files\BullGuard\mgui.exe

O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab

O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/proact...etwasherpro.cab

Now start Killbox and paste the first file listed below into the "full pathname and file to delete" box.

The file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select Standard File Kill, press the red X button, say yes to the prompt, and once the "file deleted" message comes up, repeat for each file in turn.

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit; we might ask you to submit those files for further examination a bit later on.]

C:\WINDOWS\userint32.exe
C:\Program Files\BullGuard\avxlive.exe
C:\Program Files\BullGuard\mgui.exe
C:\Program Files\BullGuard\\bdmcon.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\System32\ircshare.exe
C:\WINDOWS\System32\svhosts.exe
C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\WINDOWS\System32\nssys32.exe
C:\spywarebegone\SpywareBeGone.exe
C:\WINDOWS\System32\Awdzm.exe
C:\WINDOWS\System32\asferror.exe
C:\WINDOWS\System32\automove.exe
C:\head891238.exe
C:\WINDOWS\myjxlzyi.exe
C:\WINDOWS\bokja.exe
C:\WINDOWS\CIPVFM.exe
C:\windows\system32\CLxr7br.exe
C:\WINDOWS\System32\ihiotdk.exe
C:\PROGRA~1\ACCELE~1\SYSTEM~1\sys_alert.exe
c:\windows\system32\hvwazH.exe
C:\Program Files\syslaunch.exe
C:\WINDOWS\ISAK.exe
C:\WINDOWS\JXEPZHU.exe
C:\aight.exe
C:\documents and settings\tranz\local settings\temp\n.exe
C:\WINDOWS\System32\kxucbz.exe
C:\WINDOWS\System32\P2P Networking.exe
C:\Documents and Settings\All Users\Application Data\Thunk hole show meow\BendThunk.exe
C:\WINDOWS\ZHRM.exe
C:\documents and settings\tranz\local settings\temp\yEuaaR.exe
C:\WINDOWS\userint32.exe
C:\Program Files\Winad Client\Winad.exe
C:\Program Files\Save\Save.exe
C:\WINDOWS\System32\pngoops.exe
C:\WINDOWS\Temp\Adware\WebInstall.exe
C:\WINDOWS\wdskctl.exe
C:\WINDOWS\System32\ihiotdk.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Judson.D98NH621\Local Settings\Temp\qesTz.dll
c:\documents and settings\tyler\local settings\temp\fsg_4104a.exe
C:\DOCUME~1\Tyler\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe

Then on the Killbox top bar press Tools/Delete Temp Files, follow those prompts and say yes to everything.

Then, as some of the folders you need to delete may be hidden, do this:
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

*delete these folders *

C:\Program Files\BullGuard
C:\PROGRAM FILES\Web Offer
C:\Program Files\MNPAntiPopup
C:\PROGRAM FILES\MYDAILY HORROSCOPE
C:\spywarebegone
C:\Program Files\BearShare\
C:\PROGRAM FILES\ACCELERATION SOFTWARE
C:\Program Files\Kazaa
C:\PROGRAM FILES\MYWEBSEARCH
C:\Program Files\McAfee.com
C:\Program Files\Norton AntiVirus
C:\Program Files\Common files\SearchUpgrader
C:\Documents and Settings\All Users\Application Data\Thunk hole show meow
C:\Program Files\Spyware Stormer
C:\Program Files\Save
C:\Program Files\Viewpoint
C:\Program Files\Winad Client

Then go to C:\windows\temp, select EVERYTHING and delete it all, and then do the same for C:\temp if it exists.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Then

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
The current ref file should read at least SE1R48 30.05.2005 or a higher number/later date.

Set up the Configurations as follows:

General Button
Safety:
Check (Green) all three.

Click on "Proceed"

Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click on "Scan Now"

Run the scanner using the Full Scan (Perform full system scan) mode.

When the scan is finished, mark everything for removal and get rid of it (right-click the window and choose "Select All" from the drop-down menu), then press Next and say yes to the prompt "Do you want to remove all these entries?".

Reboot &

Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds

First press file and check for updates and then run it

Recent tests suggest that a combination of Adaware & M$AS removes approx. 80% of spyware/adware, much higher than any other combination.

Run an online antivirus check from at least one and preferably 2 of the following sites

http://www.kaspersky.com/beta?product=161744315 (with this one, as it's a beta product, they ask for a name & email; just put any email in and any name and company, it isn't checked on, and they have just used the standard beta page as a doorway to it)
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://www.freedom.net/viruscenter/onlineviruscheck.html
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp

reboot again

Please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select it, and when all the files are listed in the window press Send to upload the files (do not post HJT logs there as they will not get dealt with).

Files to submit:

Anything inside the C:\!submit folder, which is where Killbox should have made copies of all the files it deleted.

The easy way is to first go to C:\!submit and select all the files inside it, right-click and Send To > Compressed Folder; that will make a zipped copy of all the files. Then upload the zipped copy.

Then post a new HijackThis log to check what is left.

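The HijackThis logs in this thread are a line-oriented format (R0/R1 browser settings, O4 autostart entries, O16 ActiveX downloads) that the helpers read by eye. As an added example, not code from this thread or from HijackThis, here is a small Python parser that turns such lines into records and attaches review flags for the patterns acted on in the post above: autostart entries launched from a Temp folder, from the drive root, or by bare file name; O16 downloads from a raw IP address; and search settings pointing at about:blank or an unexpected host. The sample lines are copied from the logs posted here; the allow-list of search domains and the flag names are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
O4 - HKLM\..\Run: [Trickler] "c:\documents and settings\tyler\local settings\temp\fsg_4104a.exe"
O4 - HKLM\..\Run: [eTunnel] C:\head891238.exe
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {86698251-D2C0-4D0F-A3E4-95CEF12F9F18} - http://64.156.188.99/iwasher/proact...etwasherpro.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro.com/housecall/xscan53.cab
"""

# Assumed allow-list of domains a legitimate IE search setting would point at (not from the thread).
EXPECTED_SEARCH_DOMAINS = ("microsoft.com", "msn.com")
# Lower-case directory fragments the helpers in this thread treat as a red flag for autostarts.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>\S+)$")
R_RE = re.compile(r"^(?P<sec>R[0-3]) - (?P<key>.+?) = (?P<val>.*)$")


@dataclass
class Entry:
    section: str                 # "R0", "R1", "O4", "O16", ...
    name: str                    # Run value name, registry value, or CLSID label
    target: str                  # command line, URL, or registry value
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HijackThis log line into an Entry; unsupported sections return None."""
    line = line.strip()
    if m := O4_RE.match(line):
        return Entry("O4", m["name"], m["cmd"])
    if m := O16_RE.match(line):
        return Entry("O16", m["name"], m["url"])
    if m := R_RE.match(line):
        return Entry(m["sec"], m["key"], m["val"])
    return None


def executable_of(cmd: str) -> str:
    """Executable path from a Run command line: the quoted part if quoted,
    otherwise everything before the first /switch or -switch argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.match(r"^(.*?)(?:\s+[/-]\S.*)?$", cmd).group(1)


def _in_allowed_domain(host: str) -> bool:
    # Exact or subdomain match only, so "evilmicrosoft.com" does not pass.
    return any(host == d or host.endswith("." + d) for d in EXPECTED_SEARCH_DOMAINS)


def triage(entry: Entry) -> Entry:
    """Attach review flags. These are prompts for a human to look closer, not verdicts:
    a bare file name (e.g. BCMSMMSG.exe in the log above) can be legitimate."""
    if entry.section == "O4":
        path = executable_of(entry.target).lower()
        if "\\" not in path:
            entry.flags.append("bare-filename")      # resolved through PATH search
        elif re.match(r"^[a-z]:\\[^\\]+$", path):
            entry.flags.append("drive-root")         # e.g. C:\head891238.exe
        if any(marker in path for marker in TEMP_MARKERS):
            entry.flags.append("temp-dir")           # launched from a Temp folder
    elif entry.section == "O16":
        host = urlparse(entry.target).hostname or ""
        try:
            ipaddress.ip_address(host)
            entry.flags.append("raw-ip-host")        # ActiveX cab fetched from a bare IP
        except ValueError:
            pass
    elif entry.section.startswith("R") and "search" in entry.name.lower():
        value = entry.target.strip().lower()
        if value == "about:blank":
            entry.flags.append("blank-search-url")
        else:
            host = urlparse(value).hostname or ""
            if host and not _in_allowed_domain(host):
                entry.flags.append("unexpected-search-host")
    return entry


def flagged_entries(log_text: str) -> dict:
    """Map the name of every flagged entry to its flags; clean entries are omitted."""
    result = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and triage(entry).flags:
            result[entry.name] = entry.flags
    return result


if __name__ == "__main__":
    for name, flags in flagged_entries(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(flags)}")
```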

----------



## judson04 (Jun 11, 2005)

Thanks for your help. I'm running the virus scan now; I'll post a new HJT log soon. I couldn't find a lot of the files you told me to delete. And also, even when I start up in safe mode, folders in C:\temp will not let me delete them because they are still in use. They are weird folders with long names of seemingly random numbers and letters. Should I delete Spyware Doctor and Spy Subtract and only use Microsoft AS/Ad-aware, or should I leave the others for their real-time protection?


----------



## judson04 (Jun 11, 2005)

Oh yeah, I forgot to tell you: while I was deleting files with Killbox, my computer went to this blue screen that said something like "terminal error, computer will shut down". I had to hold the power button in, or whatever you call it when you force the computer to turn off. I resumed after I restarted and everything seemed to go fine. My computer has done this before, but I didn't know if it was something I should tell you, because it happened right after I deleted one of the files you told me to.


----------



## judson04 (Jun 11, 2005)

When I run the Panda scan it finds like 50-100 problems, and I fix them, and when I restart it finds about the same number again.


----------






## MFDnNC (Sep 7, 2004)

Post a new log


----------



## judson04 (Jun 11, 2005)

Do I need to reboot in safe mode before I run the HJT scan?


----------



## judson04 (Jun 11, 2005)

If not, then here. This is not in safe mode.
By the way, I am now getting an error message that says: Access violation at address 40008EFD in module 'rtl70.bpl' Read of Address 6F6E6D70

Logfile of HijackThis v1.99.1
Scan saved at 12:38:56 AM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\Spyware Doctor\liveupdate.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


----------



## judson04 (Jun 11, 2005)

Should I fix these with HJT?

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe

I'm not touching anything until you guys tell me, I'm just wondering if I'm learning these things that are bad.


----------



## judson04 (Jun 11, 2005)

wow the aforementioned error will not stop re-popping up, I'm going to reboot.


----------



## judson04 (Jun 11, 2005)

I deleted c:\windows\system32\svchost.exe because I thought it was spyware. Now my internet will not work at all; even System Restore said "it cannot help my computer". I got an error message that said settings were disabling it or something. When I put the file back it still didn't work. I am on my laptop now.


----------



## dvk01 (Dec 14, 2002)

If you somehow deleted c:\windows\system32\svchost.exe then the only thing to do now is reinstall Windows, as I don't know any way to fix that problem.


----------



## judson04 (Jun 11, 2005)

I fixed it, haha, with a fluke. I put it in a zip folder and then extracted it into system32. I'm back on the internet; what do I do now? Another log, or can you look at my last one?


----------



## dvk01 (Dec 14, 2002)

If you have that working then post a fresh HJT log and we'll go from there.


----------



## judson04 (Jun 11, 2005)

Logfile of HijackThis v1.99.1
Scan saved at 7:00:24 PM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


----------



## dvk01 (Dec 14, 2002)

Are you still getting this error message?
Access violation at address 40008EFD in module 'rtl70.bpl' Read of Address 6F6E6D70

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [65909790c8d7] C:\WINDOWS\System32\asferror.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Awdzm.exe


----------



## judson04 (Jun 11, 2005)

New HJT log after the aforementioned fixes, Ad-Aware and MS AS. Spy Subtract is running now, and http://www.freedom.net/viruscenter/onlineviruscheck/ctrlie.html is saying that some files "could be infected with an unknown virus"; one is c:\et3242423, another is c:\documents and settings\tracy\local settings\temporary internet files\content.IE5...et[1].exe. Delete them?

Logfile of HijackThis v1.99.1
Scan saved at 8:43:34 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_2_0.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
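
The log above is the format the helpers in this thread read by eye. As an added example (not part of the original post and not HijackThis's own code), the Python script below parses R0/R1, O2, O4, O16 and O23 lines into records and flags the three things this thread turns on: an IE search setting pointing at a third-party host (the isearch.com SearchAssistant line, which Spyware Doctor reports further down as "I-Search Toolbar"), a service listed with "Unknown owner", and an autostart running from outside the usual program directories. The sample lines are copied from the log except for the `[example]` O4 line, which is constructed; the allowlisted hosts and the expected-directory list are assumptions for this example, not facts from the log.

```python
"""Parse HijackThis 1.99 log lines and flag entries worth a second look.
Example added to this thread; not HijackThis's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: lines copied from the log above, plus one hypothetical
# O4 line ([example]) that runs from a Temp folder, which the log does not contain.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [example] C:\Documents and Settings\user\Local Settings\Temp\example.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Assumption: hosts IE points at out of the box; extend per environment.
KNOWN_SEARCH_HOSTS = {"", "www.microsoft.com", "search.msn.com", "www.msn.com"}
# Assumption: where installed software normally lives on an XP box (8.3 form included).
EXPECTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\progra~1")

LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
SVC_NAME_RE = re.compile(r"\(([^()]*)\)\s*$")   # "(ServiceName)" at end of display name
O4_RUN_RE = re.compile(r"^.*?: \[([^\]]*)\] (.*)$")


@dataclass
class Entry:
    section: str                    # R0, R1, O2, O4, O16, O23, ...
    raw: str                        # the original line
    name: Optional[str] = None
    target: Optional[str] = None    # URL, command line or image path
    company: Optional[str] = None   # O23 only


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.groups()
    e = Entry(section=sec, raw=line.strip())
    if sec.startswith("R"):                       # "HKLM\...,SearchAssistant = URL"
        e.name, _, e.target = body.partition(" = ")
    elif sec == "O2":                             # "BHO: Name - {CLSID} - Path"
        parts = body[len("BHO: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            e.name, e.target = parts[0], parts[2]
    elif sec == "O4":                             # "HKLM\..\Run: [Name] cmd" or "x.lnk = target"
        m4 = O4_RUN_RE.match(body)
        if m4:
            e.name, e.target = m4.groups()
        else:
            e.name, _, e.target = body.partition(" = ")
    elif sec == "O16":                            # "DPF: {CLSID} (Name) - URL"
        e.name, _, e.target = body[len("DPF: "):].rpartition(" - ")
    elif sec == "O23":                            # "Service: Display (Name) - Company - Path"
        parts = body[len("Service: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            display, e.company, e.target = parts
            sm = SVC_NAME_RE.search(display)      # the name itself may contain " - "
            e.name = sm.group(1) if sm else display
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def exe_path(cmd: str) -> str:
    """Return just the executable from an O4/O23 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.(?:exe|dll|lnk))(?:\s|$)", cmd)   # unquoted path with spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def review(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Heuristic flags for a human to verify; none of these is a verdict."""
    findings = []
    for e in entries:
        if e.section in ("R0", "R1") and e.target:
            host = urlsplit(e.target).netloc.lower()
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append((e.section, f"IE search/start setting points at {host}", e.raw))
        elif e.section == "O23" and e.company == "Unknown owner":
            findings.append((e.section, "service carries no company info; verify its vendor", e.raw))
        if e.section in ("O4", "O23") and e.target and e.target != "?":
            path = exe_path(e.target).lower()
            if path and not path.startswith(EXPECTED_DIRS):
                findings.append((e.section, f"autostart runs from an unusual location: {path}", e.raw))
    return findings


if __name__ == "__main__":
    for sec, why, raw in review(parse_log(SAMPLE_LOG)):
        print(f"[{sec}] {why}\n    {raw}")
```

The flags are prompts, not verdicts: the one O23 line flagged here sits under F-Secure's own folder (it is the BackWeb updater whose "Invalid Backweb application id" error is mentioned later in the thread), which is exactly why a reviewer checks the path and vendor before telling anyone to fix it.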


----------



## judson04 (Jun 11, 2005)

Spy Subtract is finding a lot of "suspects". Should I delete anything it doesn't like?


----------



## dvk01 (Dec 14, 2002)

Let SpySubtract delete anything it finds.

It's normally fairly accurate; check first, though, that it doesn't want to delete anything you want to keep. You can always post a log of what it finds first and we'll look it over.

As to the others that Freedom finds: empty Temporary Internet Files and delete whatever it finds as infected that looks obvious.

Anything you are unsure of, make a note of the file name and location and we can advise from there.


----------



## judson04 (Jun 11, 2005)

Spy Subtract keeps failing when it comes to the deleting part. You told me to fix the HJT entry that said run asferror.exe; I found asferror.dll, should I delete it? It's in system32. Do I need to be in Safe Mode to run the programs?


----------



## dvk01 (Dec 14, 2002)

NO.

asferror.dll is a genuine Windows file.

The asferror.exe is the dodgy one.


----------



## dvk01 (Dec 14, 2002)

judson04 said:


> Spy Subtract keeps failing when it comes to the deleting part. You told me to fix the HJT entry that said run asferror.exe; I found asferror.dll, should I delete it? It's in system32. Do I need to be in Safe Mode to run the programs?


Make a list of what SpySubtract says needs deleting and can't fix, post it here and we'll advise further.


----------



## judson04 (Jun 11, 2005)

It worked finally. I was getting this error message: "Runner Error: Invalid Backweb application id '4476..." I didn't have time to write it down because it closed. I kept getting it, but now it has stopped. I cannot get rid of Altnet spyware. I've deleted it by hand and using multiple programs, and I keep getting results when I do spyware scans. My computer is running much better than when we first started, but I can tell it's still not as good as it could be. I'm going to update all my spyware software, run two of those online virus things again, run my AS software in Safe Mode, then I'll run HJT in Safe Mode and post the log. Every time I run HJT, the one you always tell me to fix
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

is always there. Don't worry about responding until I post my next log. Thanks again...


----------



## judson04 (Jun 11, 2005)

What's a good free firewall? Read the message above too, but ignore the "don't worry about responding" because I don't know if I'm going to get a chance to do everything tonight.


----------



## judson04 (Jun 11, 2005)

Spyware Doctor log:

Infection Name Location Risk 
Grokster multiple Medium 
Altnet Software HKLM\SOFTWARE\Altnet Elevated 
Altnet Software HKLM\SOFTWARE\Altnet## Elevated 
Altnet Software HKLM\SOFTWARE\Altnet\Dashboard Elevated 
Altnet Software HKLM\SOFTWARE\Altnet\Dashboard## Elevated 
Altnet Software HKLM\SOFTWARE\Altnet\Dashboard\Messages Elevated 
Altnet Software HKLM\SOFTWARE\Altnet\Dashboard\Settings Elevated 
BearShare HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17} Info 
BearShare HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}## Info 
BearShare HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}##Version Info 
BearShare HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}##ComponentID Info 
BearShare HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}##IsInstalled Info 
BearShare HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5F95E1AF-2620-4f15-BDF9-7FDCE4607E17}##Locale Info 
Common Components for ILookup variants HKCU\eeennn Medium 
Common Components for ILookup variants HKCU\eeennn## Medium 
DelfinProject HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer Elevated 
DelfinProject HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer## Elevated 
DelfinProject HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer##DisplayName Elevated 
DelfinProject HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer##UninstallString Elevated 
eZula HKLM\software\microsoft\windows\currentversion\app management\arpcache\ezula Medium 
eZula HKLM\software\microsoft\windows\currentversion\app management\arpcache\ezula## Medium 
eZula HKLM\software\microsoft\windows\currentversion\app management\arpcache\ezula##SlowInfoCache Medium 
eZula HKLM\software\microsoft\windows\currentversion\app management\arpcache\ezula##Changed Medium 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473} Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}## Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\ProxyStubClsid Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\ProxyStubClsid## Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\ProxyStubClsid32 Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\ProxyStubClsid32## Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\TypeLib Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\TypeLib## Elevated 
Hotsearchbar HKCR\Interface\{A19AC0C8-24C1-43C9-8F7C-449E931DF473}\TypeLib##Version Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF} Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}## Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\ProxyStubClsid Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\ProxyStubClsid## Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\ProxyStubClsid32 Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\ProxyStubClsid32## Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\TypeLib Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\TypeLib## Elevated 
Hotsearchbar HKCR\Interface\{DA8FE493-49A2-44F6-B4AA-E58CAFC7FFDF}\TypeLib##Version Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584} Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}## Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\ProxyStubClsid Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\ProxyStubClsid## Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\ProxyStubClsid32 Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\ProxyStubClsid32## Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\TypeLib Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\TypeLib## Elevated 
Hotsearchbar HKCR\Interface\{FAB925C1-16B6-4DE1-BFCA-880FBEAFE584}\TypeLib##Version Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019} Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}## Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\ProxyStubClsid Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\ProxyStubClsid## Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\ProxyStubClsid32 Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\ProxyStubClsid32## Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\TypeLib Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\TypeLib## Elevated 
Hotsearchbar HKCR\Interface\{FB3DAA1E-3236-4B43-9C19-64F57EB9C019}\TypeLib##Version Elevated 
ILookup.Begin2Search HKCU\Software\_hsrb High 
ILookup.Begin2Search HKCU\Software\_hsrb## High 
ILookup.Begin2Search HKCU\Software\_hsrb##llupdtim High 
ILookup.Begin2Search HKCU\Software\_hsrb##mmsgtim High 
ILookup.Begin2Search HKCU\Software\_hsrb##ccat High 
ILookup.Begin2Search HKCU\Software\_hsrb##4404 High 
ILookup.Begin2Search HKCU\Software\_hsrb##llicotim High 
ILookup.Begin2Search HKCU\Software\_hsrb##llico High 
ILookup.Begin2Search HKCU\Software\_hsrb\kkws High 
ILookup.Begin2Search HKCU\Software\_hsrb\kkws## High 
ILookup.Begin2Search HKCU\Software\_hsrb\ppops High 
ILookup.Begin2Search HKCU\Software\_hsrb\ppops## High 
ILookup.Begin2Search HKCU\Software\_hsrb\ppops##ppopena High 
ILookup.Begin2Search HKCU\Software\_hsrb\ppops##llpoptim High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites## High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##1 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##2 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##3 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##4 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##5 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##6 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##7 High 
ILookup.Begin2Search HKCU\Software\_hsrb\ssites##8 High 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK## Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##SlowInfoCache Elevated 
InstaFinder HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\INSTAFINK##Changed Elevated 
ISTbar HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbar Medium 
ISTbar HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbar## Medium 
ISTbar HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbar##SlowInfoCache Medium 
ISTbar HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\ISTbar##Changed Medium 
Joltid P2P Networking HKCR\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E} Elevated 
Joltid P2P Networking HKCR\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E}## Elevated 
Joltid P2P Networking HKCR\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E}\NumMethods Elevated 
Joltid P2P Networking HKCR\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E}\NumMethods## Elevated 
Joltid P2P Networking HKCR\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E}\ProxyStubClsid32 Elevated 
Joltid P2P Networking HKCR\Interface\{16097036-894C-4C00-A61F-93CA0D49A70E}\ProxyStubClsid32## Elevated 
Joltid P2P Networking HKCR\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405} Elevated 
Joltid P2P Networking HKCR\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}## Elevated 
Joltid P2P Networking HKCR\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}\NumMethods Elevated 
Joltid P2P Networking HKCR\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}\NumMethods## Elevated 
Joltid P2P Networking HKCR\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}\ProxyStubClsid32 Elevated 
Joltid P2P Networking HKCR\Interface\{1B540D44-3F61-4394-AE30-25FDC3649405}\ProxyStubClsid32## Elevated 
Joltid P2P Networking HKCR\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662} Elevated 
Joltid P2P Networking HKCR\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662}## Elevated 
Joltid P2P Networking HKCR\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662}\NumMethods Elevated 
Joltid P2P Networking HKCR\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662}\NumMethods## Elevated 
Joltid P2P Networking HKCR\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662}\ProxyStubClsid32 Elevated 
Joltid P2P Networking HKCR\Interface\{2ED5AF98-9258-45BA-B79B-06625C92F662}\ProxyStubClsid32## Elevated 
Joltid P2P Networking HKCR\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} Elevated 
Joltid P2P Networking HKCR\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0}## Elevated 
Joltid P2P Networking HKCR\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0}\NumMethods Elevated 
Joltid P2P Networking HKCR\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0}\NumMethods## Elevated 
Joltid P2P Networking HKCR\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0}\ProxyStubClsid32 Elevated 
Joltid P2P Networking HKCR\Interface\{C91E8926-D4BE-4685-99F4-0D996B96BAC0}\ProxyStubClsid32## Elevated 
Joltid P2P Networking HKCR\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099} Elevated 
Joltid P2P Networking HKCR\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099}## Elevated 
Joltid P2P Networking HKCR\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099}\NumMethods Elevated 
Joltid P2P Networking HKCR\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099}\NumMethods## Elevated 
Joltid P2P Networking HKCR\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099}\ProxyStubClsid32 Elevated 
Joltid P2P Networking HKCR\Interface\{FD42F6D3-7AB1-470C-979B-7996EDC99099}\ProxyStubClsid32## Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}## Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1 Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1## Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\0 Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\0## Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\0\win32 Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\0\win32## Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\FLAGS Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\FLAGS## Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\HELPDIR Elevated 
Joltid P2P Networking HKCR\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498}\1.1\HELPDIR## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack Elevated 
Joltid P2P Networking HKCR\JCDE_Stack## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CLSID## Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer Elevated 
Joltid P2P Networking HKCR\JCDE_Stack\CurVer## Elevated 
Powerscan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Power Scan Medium 
Powerscan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Power Scan## Medium 
Powerscan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Power Scan##DisplayName Medium 
Powerscan HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Power Scan##UninstallString Medium 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service## High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service##Type High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service##Start High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service##ErrorControl High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service##ImagePath High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service##DisplayName High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service##ObjectName High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Security High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Security## High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Security##Security High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Enum High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Enum## High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Enum##0 High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Enum##Count High 
ShopNav HKLM\SYSTEM\CurrentControlSet\Services\.NET Connection Service\Enum##NextInstance High 
Virtual Bouncer HKCR\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} Medium 
Virtual Bouncer HKCR\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862}## Medium 
VX2.VoiceIP HKCR\VoiceIPDll.VoiceIPDllObj.1 High 
VX2.VoiceIP HKCR\VoiceIPDll.VoiceIPDllObj.1## High 
VX2.VoiceIP HKCR\VoiceIPDll.VoiceIPDllObj.1\CLSID High 
VX2.VoiceIP HKCR\VoiceIPDll.VoiceIPDllObj.1\CLSID## High 
VX2.VoiceIP HKCU\Software\VoiceIP High 
VX2.VoiceIP HKCU\Software\VoiceIP## High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFI2d5OfSInst High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFT2o5pListSPos High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFI2n5ProgSCab High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFI2n5ProgSEx High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFI2n5ProgSLstest High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFC2n5trSEvnt High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFC2n5trMsgSDisp High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFC2S5Insur High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFT2h5rshSCheckSIn High 
VX2.VoiceIP HKCU\Software\VoiceIP##FF2C5ntrSTransac High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFL2a5stSSChckin High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFC2n5tFyl High 
VX2.VoiceIP HKCU\Software\VoiceIP##FFD2s5tSSEnd High 
WebSearch Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO Elevated 
WebSearch Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO## Elevated 
WebSearch Toolbar HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\STO##C Elevated 
WhenU.SaveNow HKLM\software\classes\runmsc.loader Medium 
WhenU.SaveNow HKLM\software\classes\runmsc.loader## Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1} Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}## Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\ProxyStubClsid Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\ProxyStubClsid## Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\ProxyStubClsid32 Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\ProxyStubClsid32## Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\TypeLib Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\TypeLib## Medium 
WildTangent HKCR\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\TypeLib##Version Medium 
WildTangent HKLM\SOFTWARE\Microsoft\Java VM##ClassPath Medium 
I-Search Toolbar HKEY_LOCAL_MACHINE:Software\Microsoft\Internet Explorer\Search | SearchAssistant Medium 
2nd-thought.com HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5FA6752A-C4A0-4222-88C2-928AE5AB4966} Medium 
2nd-thought.com HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5FA6752A-C4A0-4222-88C2-928AE5AB4966}\iexplore Medium 
Common Components Unrelated HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping##{10E42047-DEB9-4535-A118-B3F6EC39B807} Medium 
VX2.VoiceIP HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000250-0320-4DD4-BE4F-7566D2314352} High 
VX2.VoiceIP HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000250-0320-4DD4-BE4F-7566D2314352}\iexplore High 
WildTangent HKCR\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3} Medium 
WildTangent HKCR\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\InprocServer32 Medium 
WildTangent HKLM\Software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3} Medium 
WildTangent HKLM\Software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\InprocServer32 Medium 
Winpage Blocker HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841} Medium 
Winpage Blocker HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8EAEB34-F7B5-4C55-87FF-720FAF53D841}\iexplore Medium 
WildTangent C:\Documents and Settings\Judson.D98NH621\Local Settings\Application Data\Wildtangent Medium 
WildTangent C:\Documents and Settings\Judson.D98NH621\Local Settings\Application Data\Wildtangent\Cdacache Medium 
WebRebates C:\WINDOWS\Belt.ini Medium 
System Soap C:\WINDOWS\Downloaded Program Files\SSCHECK.DLL Elevated 
System Soap C:\WINDOWS\Downloaded Program Files\systemsoappro.inf Elevated


----------



## judson04 (Jun 11, 2005)

cont'd:

SinSource C:\WINDOWS\pcconfig.dat Low 
Whazit C:\WINDOWS\system32\fiz1 High 
Virtual Bouncer C:\WINDOWS\system32\MSrev23.dll Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\1stop florist.jpg Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\adventuretravel12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\airlinetickets1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\amazon.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\auction.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\auto.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\autoclassifieds.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\autoinsurance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\bankruptcy1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\bankruptcy12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\bargain.com Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\basketball.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\bevmo.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\blackjack.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\books.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\books1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\caraudio.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\caraudio1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\cardgames.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\carinsurance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\carprices.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\cars.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\casinos.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\cds.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\cellphones.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\chat.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\computergames.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\computers.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\computers1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\cooking.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\crafts.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\creditcards.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\creditcards1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\cruises.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\debt1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\debt123.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\debtconsolidation1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\debtconsolidation123.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\diet.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\digitalcamcorders.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\digitalcameras.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\downloadmusic.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\dvd.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\ebay.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\electronics.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\electronics1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\entertainment.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\entertainment1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\finance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\finance1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\finance12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\fishing.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\fitness.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\fitness1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\flowers.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\franklin covey.jpg Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\furniture.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\furniture1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\furniture12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\gambling.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\gambling1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\gambling12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\games.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\gardening.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\giftbaskets1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\gifts.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\golf.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\golf1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\health.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\health1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\healthinsurance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\hobbies1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\hobbytron.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\hockey.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\homebuying.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\homedecorating.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\homeimprovement.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\homeloan12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\hotels.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\insurance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\internet.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\investing.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\jewelry.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\jokes.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\lifeinsurance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\loans.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\maps.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\money.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\mortgage.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\movies.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\mp3.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\mp31.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\music.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\music1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\nutrition.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\onlinecasino.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\onlinegambling.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\outdoordecor.jpg Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\overstock.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\palm.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\peoplesearch.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\poker.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\posters.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\posters1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\projectors.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\realestate.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\realestate1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\shindigz.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\shoes.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\shopping.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\shopping1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\shopping12.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\shp_vert.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\software.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\sports.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\sports1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\stocks1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\the sports authority.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\topsites.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\toys.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\toys1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\travel.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\travel1.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\vacations.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\vert.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\viagra.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\visiondirect.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_auto.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_electronics.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_entertainment.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_finance.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_gambling.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_health.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_hobbies.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_internet.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_music.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_realestate.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_shopping.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_sports.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_topsites.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\v_travel.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\walter drake.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\webdesign.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\webhosting.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\weddinggifts.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\weightloss.gif Medium 
ezSearchbar.B C:\WINDOWS\system32\pics\womenshealth.gif Medium 
Kazaa Promotional Items C:\WINDOWS\Temp\BullGuard Medium 
BearShare C:\Documents and Settings\All Users\Start Menu\Programs\BearShare.lnk Info 
IPInsight C:\Documents and Settings\Judson\Local Settings\Temp\ipinsigt.dll High 
Transponder.Twain-tech C:\Documents and Settings\Judson\Local Settings\Temp\THI688A.tmp\twaintec.inf High 
WinTools C:\Documents and Settings\Judson\Local Settings\Temporary Internet Files\Content.IE5\8DIJG1UZ\WToolsP[1].cab Elevated 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI1901.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI265A.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI2B2D.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI3077.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI30B.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI3DBF.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI4943.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI5096.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI558E.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI59EB.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI69A7.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI6BB5.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI6DB0.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THI7BE6.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THID39.tmp\polall1r.inf High 
Common Components for VX2 C:\Documents and Settings\Tracy\Local Settings\Temp\THIE1D.tmp\polall1r.inf High 
BearShare C:\Documents and Settings\Tracy\My Documents\My Music\BearShare.lnk Info 
Common Components Unrelated C:\kyf.dat Medium 
ILookup.Superspider C:\Program Files\HijackThis\backups\backup-20050613-032413-770.inf High 
BearShare C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP21\A0008720.exe Info 
Media Access C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0010012.dll Medium 
eXact Advertising C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0010166.exe Elevated 
Common Components for VX2 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0010170.exe High 
Statblaster C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0012028.exe Elevated 
Common Components for VX2 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0012143.inf High 
Common Components for VX2 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0012161.exe High 
Common Components for VX2 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0012181.exe High 
Statblaster C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0012183.exe Elevated 
Common Components for VX2 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP31\A0012200.inf High 
BearShare C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013356.exe Info 
Transponder.BI C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013407.inf High 
Transponder.BI C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013412.inf High 
Transponder.Twain-tech C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013414.inf High 
ILookup.Begin2Search C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013478.ico High 
ILookup.Begin2Search C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013479.ico High 
ILookup.Begin2Search C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP34\A0013482.ico High 
eBates C:\WINDOWS\aurl.dat High 
ILookup.Begin2Search C:\WINDOWS\Downloaded Program Files\hsrb.inf High 
Trojan.MultiDropper.LO C:\WINDOWS\SYSTEM32\uninstall.exe


----------



## judson04 (Jun 11, 2005)

My Spyware Doctor will not delete them for me because I have not purchased it.... what should I do?


----------



## Blitze105 (May 28, 2005)

Good free firewall: ZoneAlarm


----------



## judson04 (Jun 11, 2005)

Activescan results

It won't let me delete automatically... 
Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry 
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb* 
Spyware:Spyware/ISTbar No disinfected Windows Registry 
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\support.cn 
Spyware:Spyware/Altnet No disinfected Windows Registry  
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde32.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde32.tmp][bde3dref3p4.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde36.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde36.tmp][BDErastDX3.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde38.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde38.tmp][bdeviewer.exe] 
Adware:Adware/Lop No disinfected C:\!Submit\bde32.zip[BendThunk.exe] 
Spyware:Spyware/BetterInet No disinfected C:\!Submit\bde32.zip[bi3.exe] 
Adware:Adware/SAHAgent No disinfected C:\!Submit\bde32.zip[bi3.inf] 
Adware:Adware/SAHAgent No disinfected C:\!Submit\bde32.zip[bi4.inf] 
Adware:Adware/SAHAgent No disinfected C:\!Submit\bde32.zip[bi6.inf] 
Adware:Adware/SAHAgent No disinfected C:\!Submit\bde32.zip[bi.inf]  
Spyware:Spyware/BetterInet No disinfected C:\!Submit\bde32.zip[biM.exe] 
Adware:Adware/SAHAgent No disinfected C:\!Submit\bde32.zip[biM.inf] 
Spyware:Spyware/BetterInet No disinfected C:\!Submit\bde32.zip[bo.exe] 
Adware:Adware/IEDriver No disinfected C:\!Submit\bde32.zip[cdrtc765.exe] 
Adware:Adware/StatBlaster No disinfected C:\!Submit\bde32.zip[CLxr7br.exe] 
Adware:Adware/Lop No disinfected C:\!Submit\bde32.zip[cmbzjoct.exe] 
Adware:Adware/IPInsight No disinfected C:\!Submit\bde32.zip[conscorr.inf] 
Adware:Adware/IPInsight No disinfected C:\!Submit\bde32.zip[conscorr.ini] 
Adware:Adware/nCase No disinfected C:\!Submit\bde32.zip[ezStub3.dll] 
Adware:Adware/KeenValue No disinfected C:\!Submit\bde32.zip[in6bMs.dll] 
Spyware:Spyware/BetterInet No disinfected C:\!Submit\bde32.zip[in10b6s.dll] 
Adware:Adware/ISearch No disinfected C:\!Submit\bde32.zip[initial.inf] 
Adware:Adware/Lop No disinfected C:\!Submit\bde32.zip[kzpimiak.exe] 
Adware:Adware/WinAD No disinfected C:\!Submit\bde32.zip[l.exe] 
Adware:Adware/Lop No disinfected C:\!Submit\bde32.zip[mrdnyowf.exe] 
Adware:Adware/eZula No disinfected C:\!Submit\bde32.zip[My Keywords.lnk] 
Adware:Adware/eZula No disinfected C:\!Submit\bde32.zip[My Preferences.lnk] 
Adware:Adware/NetPals No disinfected C:\!Submit\bde32.zip[n3tpa1i.dll] 
Spyware:Spyware/New.net No disinfected C:\!Submit\bde32.zip[NDNuninstall5_64.exe] 
Spyware:Spyware/New.net No disinfected C:\!Submit\bde32.zip[NDNuninstall6_10.exe] 
Adware:Adware/Transponder No disinfected C:\!Submit\bde32.zip[polall1r.inf] 
Adware:Adware/Transponder No disinfected C:\!Submit\bde32.zip[polmx2.inf] 
Adware:Adware/SAHAgent No disinfected C:\!Submit\bde32.zip[SHAgentNew.dll] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[toolbar.dll] 
Adware:Adware/eZula No disinfected C:\!Submit\bde32.zip[TopText Button Show - Hide.lnk]  
Spyware:Spyware/ShopNav No disinfected C:\!Submit\bde32.zip[W2020Setup.dll] 
Adware:Adware/WUpd No disinfected C:\!Submit\bde32.zip[winadx.inf] 
Adware:Adware/nCase No disinfected C:\!Submit\bde32.zip[Xcite.dll] 
Adware:Adware/Yahoo No disinfected C:\!Submit\bde32.zip[ycomp5_0_2_7.dll] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~57456.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~70175.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~75685.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~91208.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~94445.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~165587.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~558509.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~566609.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~581708.tmp]  
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~592208.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~600298.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~614032.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~615473.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~651388.tmp] 
Adware:Ad


----------



## judson04 (Jun 11, 2005)

ware/WinTools No disinfected C:\!Submit\bde32.zip[~735095.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~736581.tmp]  
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~765195.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~776732.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~785242.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~785600.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~806059.tmp] 
Adware:Adware/WinTools No disinfected C:\!Submit\bde32.zip[~820949.tmp] 
Adware:Adware/IEDriver No disinfected C:\!Submit\bde32.zip[asferror.exe] 
Adware:Adware/Lop No disinfected C:\!Submit\bde32.zip[azpxjfbs.exe] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde1C.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde1C.tmp][bdeload.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde2C.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde2C.tmp][BDEwrapper3.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde2E.tmp]  
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde2E.tmp][BDESac24.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde19.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde19.tmp][bdeinstallman3.exe] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde19.tmp][bdeinsta3.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde19.tmp][BDEInstallProgress3.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde21.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde21.tmp][BDEplayer3.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde26.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde26.tmp][BDEengine3.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde29.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde29.tmp][bdeimage.dll] 
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde30.tmp] 
Adware:Adware/BrilliantDigitalNo disinfected  C:\!Submit\bde32.zip[bde30.tmp][BDESac10.dll] 
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Judson\Local Settings\Temp\bi.cab 
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Judson\Local Settings\Temp\bi.cab[bi.inf] 
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Judson\Local Settings\Temp\bi.cab[bi.dll] 
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Judson\Local Settings\Temp\~81176.tmp 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI1901.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI265A.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI2B2D.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI3077.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI30B.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI3DBF.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI4943.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI5096.tmp\polall1r.inf  
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI558E.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI59EB.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI69A7.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI6BB5.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI6DB0.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THI7BE6.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THID39.tmp\polall1r.inf 
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Tracy\Local Settings\Temp\THIE1D.tmp\polall1r.inf 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tracy\Local Settings\Temporary Internet Files\Content.IE5\CL8TAVSD\webservice[1].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tracy\Local Settings\Temporary Internet Files\Content.IE5\K3ZF60P9\webservice[1].htm 
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Tracy\Local Settings\Temporary Internet Files\Content.IE5\NESJZXG5\webservice[1].htm 
Adware:Adware/AdultLink No disinfected C:\Documents and Settings\Tracy\Local Settings\Temporary Internet Files\QaBar.cab[QaBar.inf] 
Adware:Adware/AdultLink No disinfected C:\Documents and Settings\Tracy\Local Settings\Temporary Internet Files\QaBar.inf  
Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F9184FD4-B23E-4E99-87D8-D5D2A9\D7D5FA83-CA06-46B8-9AD5-3CB249 
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb.exe.temp 
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\support.cn 
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1


----------



## dvk01 (Dec 14, 2002)

OK, I wouldn't worry about the registry entries from Spyware Doctor; none of those are harmful & are just leftover entries referring to the software.

All the !Submit entries are OK, as they are the backups that Killbox made when deleting files.

I'll work through a list of what else to delete & how, and post shortly.
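
The two scan reports pasted above use different line formats (Spyware Doctor prints `name path severity`, Panda ActiveScan prints `incident No disinfected location`, and on one ActiveScan line the space before "No disinfected" is missing), and the triage dvk01 describes is to set aside registry leftovers and Killbox backups and only act on what is still live on disk. As an added example that is not part of this thread, the Python below parses both formats and buckets every hit that way: `Windows Registry` entries, anything under C:\!Submit, and restore-point copies under System Volume Information (which the System Restore step later in the thread purges) are parked, and only the remaining on-disk paths are listed for deletion. Treating quarantine stores and the HijackThis backups folder as non-live is my own generalisation, not something dvk01 said; the marker strings, bucket names and function names are mine, and the sample report is a constructed subset of lines quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines quoted in this thread, mixing the
# Spyware Doctor format ("<name> <path> <severity>") with the Panda ActiveScan
# format ("<incident> No disinfected <location>").  One ActiveScan line keeps
# the missing space before "No disinfected" exactly as it appears on the page.
SAMPLE_REPORT = r"""
Common Components Unrelated C:\kyf.dat Medium
ILookup.Superspider C:\Program Files\HijackThis\backups\backup-20050613-032413-770.inf High
Common Components for VX2 C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP29\A0010170.exe High
eBates C:\WINDOWS\aurl.dat High
ILookup.Begin2Search C:\WINDOWS\Downloaded Program Files\hsrb.inf High
Trojan.MultiDropper.LO C:\WINDOWS\SYSTEM32\uninstall.exe
ezSearchbar.B C:\WINDOWS\system32\pics\the sports authority.gif Medium
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb.exe.temp
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\support.cn
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:Adware/BrilliantDigitalNo disinfected C:\!Submit\bde32.zip[bde32.tmp]
Adware:Adware/BrilliantDigitalNo disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F9184FD4-B23E-4E99-87D8-D5D2A9\D7D5FA83-CA06-46B8-9AD5-3CB249
"""

# ActiveScan: the status text is a fixed marker, so split on it.  The name is
# non-greedy because the page shows it fused to "No disinfected" without a space.
ACTIVESCAN = re.compile(r"^(?P<name>\S+?)\s*No disinfected\s+(?P<path>.+?)\s*$")

# Spyware Doctor: names and paths both contain spaces, so anchor the path on a
# drive letter and peel an optional severity word off the end of the line.
SPYWAREDOCTOR = re.compile(
    r"^(?P<name>.+?)\s+(?P<path>[A-Za-z]:\\.*?)"
    r"(?:\s+(?P<severity>High|Elevated|Medium|Low|Info))?\s*$"
)

# Locations that are not live infections (my own marker list, not the tools'):
# Killbox backups, quarantine stores, HijackThis backups, and restore points.
BACKUP_MARKERS = ("c:\\!submit\\", "\\quarantine\\", "\\hijackthis\\backups\\")
RESTORE_MARKER = "\\system volume information\\_restore"


def parse_line(line):
    """Return {'tool', 'name', 'path', 'severity'} for a report line, else None."""
    line = line.strip()
    if not line:
        return None
    m = ACTIVESCAN.match(line)
    if m:
        return {"tool": "activescan", "name": m["name"], "path": m["path"], "severity": None}
    m = SPYWAREDOCTOR.match(line)
    if m:
        return {"tool": "spywaredoctor", "name": m["name"], "path": m["path"],
                "severity": m["severity"]}
    return None


def classify(path):
    """Bucket a hit: registry leftover, restore point, backup copy, or live file."""
    low = path.lower()
    if low == "windows registry":
        return "registry"
    if RESTORE_MARKER in low:
        return "restore_point"
    if any(marker in low for marker in BACKUP_MARKERS):
        return "backup"
    return "live"


def triage(report):
    """Parse every line of a pasted report and group the hits by bucket."""
    buckets = defaultdict(list)
    for line in report.splitlines():
        entry = parse_line(line)
        if entry is not None:
            buckets[classify(entry["path"])].append(entry)
    return buckets


def live_paths(report):
    """The on-disk paths that still need deleting, deduplicated across tools."""
    return sorted({entry["path"] for entry in triage(report)["live"]})


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(entries)}")
    print("\nDelete with Killbox:")
    for path in live_paths(SAMPLE_REPORT):
        print("  " + path)
```

Run on the sample, the eight live paths it prints are the same files dvk01 hands to Killbox in the next post; everything under !Submit, the quarantine folder and the restore point is parked rather than deleted, which is the point of the triage.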


----------



## dvk01 (Dec 14, 2002)

OK, using the JUDSON account first, do this:

Start Killbox and paste the first file listed below into the "full pathname and file to delete" box.

The file name will appear in the window and, if the file exists, it will appear in blue under that window. Then select standard file kill, press the red X button, say yes to the prompt and, once the "file deleted" message comes up, repeat for each file in turn.

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit; we might ask you to submit those files for further examination a bit later on.]

C:\WINDOWS\msbb.exe.temp
C:\WINDOWS\support.cn
C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\SYSTEM32\uninstall.exe
C:\WINDOWS\Downloaded Program Files\hsrb.inf
C:\WINDOWS\aurl.dat
C:\kyf.dat
C:\WINDOWS\system32\MSrev23.dll
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\Belt.ini
C:\WINDOWS\Downloaded Program Files\SSCHECK.DLL
C:\WINDOWS\Downloaded Program Files\systemsoappro.inf

Then, on the Killbox top bar, press Tools/Delete Temp Files and follow those prompts, saying yes to everything.

Then, as some of the folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

*Delete this folder:*

C:\WINDOWS\system32\pics\

Then go to C:\windows\temp, select EVERYTHING and delete it all, and then do the same for C:\temp if it exists.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Now reboot, log into the TRACY account and

Start Killbox

Then, on the Killbox top bar, press Tools/Delete Temp Files and follow those prompts, saying yes to everything.

Then, as some of the folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Then go to C:\windows\temp, select EVERYTHING and delete it all, and then do the same for C:\temp if it exists.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Reboot & repeat this step for every other account you have.

Then finally delete the C:\!submit folder.

Then

Turn off System Restore by following the instructions here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore & create a new restore point.

Go here *http://forums.techguy.org/t208517/s.html* for info on how to tighten your security settings and how to help prevent future attacks.

And pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
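
The two hand-done steps above, Killbox on a list of files and emptying the temp folder, are exactly where this thread gets stuck a few posts later (the temp folder refuses to delete). As an added example that is not part of this thread, here is a Python version of both operations with the two properties that matter: each listed file is moved into a backup folder before it counts as gone, which both removes it and keeps the copy Killbox would keep under C:\!Submit, and the temp folder is emptied entry by entry so that one locked file does not abort the whole cleanup, with the entries it could not remove returned for a retry (for example from Safe Mode). `run_demo()` builds a throwaway directory tree that stands in for the paths named in this thread so the code runs anywhere and never touches a real C:\WINDOWS; the function names, the result layout and the sample tree are mine.

```python
import shutil
import tempfile
from pathlib import Path


def backup_and_delete(targets, backup_root):
    """Remove each listed file by moving it into backup_root, the way Killbox
    keeps a copy of everything it deletes.  Missing files are reported, not
    treated as errors: a pasted scan log and the live disk often disagree."""
    backup_root = Path(backup_root)
    backup_root.mkdir(parents=True, exist_ok=True)
    outcome = {"removed": [], "missing": [], "failed": []}
    for target in map(Path, targets):
        if not target.exists():
            outcome["missing"].append(str(target))
            continue
        dest = backup_root / target.name
        counter = 1
        while dest.exists():                     # same file name from two folders
            dest = backup_root / f"{target.name}.{counter}"
            counter += 1
        try:
            shutil.move(str(target), str(dest))
            outcome["removed"].append(str(target))
        except OSError:                          # locked, in use, or protected
            outcome["failed"].append(str(target))
    return outcome


def purge_dir_contents(folder):
    """Delete everything inside folder but never folder itself (the Windows
    temp folder has to stay).  Entries that cannot be removed are skipped and
    returned so they can be retried one by one, e.g. from Safe Mode."""
    folder = Path(folder)
    skipped = []
    for entry in folder.iterdir():
        try:
            if entry.is_dir() and not entry.is_symlink():
                shutil.rmtree(entry)
            else:
                entry.unlink()
        except OSError:
            skipped.append(str(entry))
    return skipped


def run_demo():
    """Constructed sample: a throwaway tree that mimics the paths named in this
    thread (nothing here touches the real C:\\WINDOWS).  Returns what happened."""
    root = Path(tempfile.mkdtemp(prefix="cleanup_demo_"))
    windows = root / "WINDOWS"
    (windows / "SYSTEM32").mkdir(parents=True)
    (windows / "Temp" / "BullGuard").mkdir(parents=True)
    for rel in ("msbb.exe.temp", "support.cn", "SYSTEM32/fiz1", "SYSTEM32/uninstall.exe"):
        (windows / rel).write_bytes(b"sample")
    (windows / "Temp" / "junk.tmp").write_bytes(b"sample")
    (windows / "Temp" / "BullGuard" / "left.dat").write_bytes(b"sample")

    targets = [
        windows / "msbb.exe.temp",
        windows / "support.cn",
        windows / "SYSTEM32" / "fiz1",
        windows / "SYSTEM32" / "uninstall.exe",
        windows / "Downloaded Program Files" / "hsrb.inf",   # never created: reported as missing
    ]
    outcome = backup_and_delete(targets, root / "!Submit")
    skipped = purge_dir_contents(windows / "Temp")
    result = {
        "outcome": outcome,
        "skipped": skipped,
        "temp_left": sorted(p.name for p in (windows / "Temp").iterdir()),
        "backed_up": sorted(p.name for p in (root / "!Submit").iterdir()),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The separate `missing` and `failed` lists are the useful part: a path that is not there is normal after earlier scans have removed things, while a path that exists but cannot be moved is what needs Safe Mode or a reboot, and it should not be confused with the first.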


----------



## judson04 (Jun 11, 2005)

IDIS toolbar keeps trying to install itself.

I cannot get rid of Altnet.

Every time you tell me to delete C:\windows\temp it will not allow me to. In it is BullGuard stuff, etc.

I opened Add/Remove Programs: Do any of these need to be removed?

Delfin Media Viewer
Dell Modem on Hold
Command on Demand for command software
Broadcom Advanced Control Suite
BroadJump Client Foundation
Dosages and Solutions
Lernout & Hauspie TruVoice American English TTS Engine
One on One Diagnostic
Power Scan
Search plugin

The following programs gave me errors when I tried to remove them from Add/Remove Programs:
Weather Bug
Soulseek Client 149.

Please answer all the questions if you don't mind.


----------



## dvk01 (Dec 14, 2002)

Remove these:
Delfin Media Viewer
Power Scan
Search plugin

Have you run AdAware & Spybot & M$ AntiSpyware? They normally get rid of all of those.


----------



## dvk01 (Dec 14, 2002)

You cannot delete the entire Windows temp folder.

You have to open it, select everything inside it & delete the contents.

Sometimes you need to delete them one by one.


----------



## dvk01 (Dec 14, 2002)

An idea:

Post a log from the Tracy account.


----------



## judson04 (Jun 11, 2005)

dvk01 said:


> you cannot delete the entire windows temp folder
> 
> you have to open it and select everything inside it & delete the contents,
> 
> sometimes you need to delete them one by one


I tried that... none of them will let me. I even tried doing it in Safe Mode.


----------



## judson04 (Jun 11, 2005)

From the Tracy account. Do I need to be in Safe Mode when doing HJT?

And I do have MS AS and AdAware; AdAware finds an Altnet file every time I run it. I even did it three times in a row and deleted it every time. Have I got a worm or something?

Also, what about my other question about the Add/Remove Programs error?
Logfile of HijackThis v1.99.1 (from tracy account)
Scan saved at 5:46:23 AM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure Anti-Virus\Common\FCH32.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\F-Secure Anti-Virus\Common\FAMEH32.EXE
C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsav32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Anti-Virus\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\F-Secure Anti-Virus\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Anti-Virus\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [stupidping] C:\DOCUME~1\Tracy\APPLIC~1\INTERN~1\multiexit.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk12741US
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Anti-Virus\Common\FSMA32.EXE
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


----------



## Blitze105 (May 28, 2005)

dvk01 said:


> remove these
> Delfin Media Viewer
> Power Scan
> Search plugin
> ...


Yes, updated versions of them do. But how can the person update without an internet connection?
-blitze


----------



## judson04 (Jun 11, 2005)

Blitze105 said:


> Yes, updated versions of them do. But how can the person update without an internet connection?
> -blitze


I have an internet connection.


----------



## judson04 (Jun 11, 2005)

I don't know if this helps, but something changed my registry values for my SoundMAX device and no sound was working. I uninstalled/reinstalled and it works now, but obviously it shouldn't have happened in the first place.


----------



## Blitze105 (May 28, 2005)

judson04 said:


> I don't know if this helps, but something changed my registry values for my SoundMAX device and no sound was working. I uninstalled/reinstalled and it works now, but obviously it shouldn't have happened in the first place.


Things like that mess up at times; it may be a part of the spyware or whatever you have, but I doubt it. Sorry about the mix-up, I was thinking about another case of the sporder.dll missing that I fixed... I hope?
-blitze


----------



## dvk01 (Dec 14, 2002)

ok run HJT in the tracy account in normal mode and post that log

once I see that I can work out what needs doing 

If you have any OTHER user accounts then post a log from them as well 

Ignore the errors in Add/Remove Programs; that is normally due to an anti-spyware application taking out the files but leaving some entries in the registry behind.


----------



## judson04 (Jun 11, 2005)

Blitz, yes that is fixed thanks.

The log from tracy is on the previous page. I will post ones from the others soon.


----------



## judson04 (Jun 11, 2005)

I deleted registry values the various AS software told me were bad, as well as things that I was positive were not supposed to be there, like nkzzwrs with no value, stuff like that. As well as stuff that has been giving me problems: Symantec, altnet, winad, delfin, etc. Was this a good idea?


----------



## dvk01 (Dec 14, 2002)

OK on the Tracy account

go to add/remove programs and uninstall these if they still exist 
spywarebegone
LimeShop
MY DAILY HOROSCOPE

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O4 - HKCU\..\Run: [Spyware Begone] C:\spywarebegone\SpywareBeGone.exe -FastScan
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [stupidping] C:\DOCUME~1\Tracy\APPLIC~1\INTERN~1\multiexit.exe

O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe

O8 - Extra context menu item: &RSDN Search - res://C:\WINDOWS\2020SE~1.DLL/GoRSDN.dll.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxmk12741US
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm

NOTE: you might have already deleted the files/folders previously but I am not sure so check anyway

now Start killbox paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window and if the file exists it will appear in blue under that window then select standard file kill, press the red X button, say yes to the prompt and once the file deleted message comes up then repeat for each file in turn

[Note: Killbox makes backups of all deleted files in a folder called C:\!submit we might ask you to submit those files for further examination a bit later on ]

C:\DOCUME~1\Tracy\APPLIC~1\INTERN~1\multiexit.exe
C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
C:\WINDOWS\system32\svhosts.exe

Then on killbox top bar press tools/delete temp files and follow those prompts and say yes to everything

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

*delete these folders *

C:\spywarebegone
C:\Program Files\LimeShop
C:\PROGRAM FILES\MY DAILY HOROSCOPE

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then reboot & post logs from other accounts


----------



## judson04 (Jun 11, 2005)

Tranz Account:
Logfile of HijackThis v1.99.1
Scan saved at 7:35:14 PM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxmk12741US
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee.com Personal Firewall Service (MpfService) - Unknown owner - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## dvk01 (Dec 14, 2002)

OK on the TRANZ account

go to start/run and type services.msc press OK 
when the screen opens scroll down to * .NET Framework Service (.NET Connection Service) * right click and select properties and then on that page press stop service and then set the start up type to disabled, press ok a few times to get back to windows

be very careful to get the right one as there are several similar named ones there

Then open HJT & press config/misc tools/ select delete an NT service and paste this into the box

.NET Connection Service

press OK & then

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=

O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe

O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxmk12741US
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Are there any more accounts you haven't told us about yet


----------
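The two fix lists above (the Tracy-account entries and the Tranz-account entries) come down to a few recurring patterns in a HijackThis log: search settings redirected to isearch.com, an autorun whose program is a bare filename imitating a system binary (`svhosts.exe` for `svchost.exe`), a RunServices key on an NT-based Windows, and a service whose image is missing or sits in the wrong directory (`C:\WINDOWS\svchost.exe` instead of `system32`). The script below is an added example, not HijackThis's own logic and not something the helpers in this thread posted; it applies those rules to a handful of lines copied from the Tranz log. The function names, the redirector list (isearch.com only), the lookalike threshold and the set of imitated system binaries are the editor's own assumptions for this thread.

```python
"""Triage a HijackThis 1.99 log for the indicators acted on in this thread (added example)."""
import re
from difflib import SequenceMatcher
from typing import List, Tuple
from urllib.parse import urlparse

Finding = Tuple[int, str, str]  # (log line number, severity, reason)

# Assumptions for this thread: isearch.com is the redirector the poster was told to fix,
# the listed binaries are the names malware imitates, 0.8 is an arbitrary similarity cut-off.
KNOWN_HIJACK_HOSTS = {"isearch.com"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
LOOKALIKE_THRESHOLD = 0.8

_R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
_O4_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[.*?\] (?P<cmd>.*)$")
# Greedy name keeps a ' - ' inside a display name ('BackWeb Plug-in - 4476822') with the name.
_O23_LINE = re.compile(r"^O23 - Service: (?P<name>.*) - (?P<owner>.*?) - (?P<image>(?:[A-Za-z]:|%\w+%)\\.*)$")
_EXE = re.compile(r'^"?(?P<exe>.*?\.exe)', re.IGNORECASE)


def lookalike_of(basename: str) -> str:
    """Return the system binary `basename` imitates, or '' if it is the real name or unrelated."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return ""
    best = max(SYSTEM_BINARIES, key=lambda s: SequenceMatcher(None, name, s).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD else ""


def _executable(command: str) -> str:
    """Program path from '"C:\\x\\a.exe" /q', 'C:\\x\\a.exe' or a bare 'svhosts.exe'."""
    m = _EXE.match(command.strip())
    return m.group("exe") if m else command.strip().strip('"').split(" ")[0]


def _check_r(no: int, m: "re.Match[str]") -> List[Finding]:
    # Non-URL values (window titles, about:blank) yield no hostname and are ignored.
    host = (urlparse(m["value"]).hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    return [(no, "high", f"{m['key']} points at the known search redirector {host}")] if host in KNOWN_HIJACK_HOSTS else []


def _check_o4(no: int, m: "re.Match[str]") -> List[Finding]:
    out: List[Finding] = []
    exe = _executable(m["cmd"])
    if not exe:
        return out
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1]
    if "\\" not in exe:
        out.append((no, "high", f"'{base}' has no directory, so Windows locates it by search order "
                                "(system directories, then PATH) instead of a fixed path"))
    if lookalike_of(base):
        out.append((no, "high", f"'{base}' imitates the Windows binary {lookalike_of(base)}"))
    if m["key"].lower() == "runservices":
        out.append((no, "medium", "RunServices is a Windows 9x/Me key that NT-based Windows ignores; "
                                  "XP-era software has no reason to write it, malware installers often do"))
    return out


def _check_o23(no: int, m: "re.Match[str]") -> List[Finding]:
    out: List[Finding] = []
    name, owner, image = m["name"], m["owner"], m["image"].strip()
    missing = image.lower().endswith("(file missing)")
    path = image[: -len("(file missing)")] if missing else image
    directory, _, base = _executable(path).replace("/", "\\").rpartition("\\")
    if missing:
        out.append((no, "medium", f"service '{name}' points at a file that no longer exists; delete "
                                  "the registration rather than leave it failing at every boot"))
    if base.lower() == "svchost.exe" and not directory.lower().endswith("\\system32"):
        out.append((no, "high", f"svchost.exe belongs in %SystemRoot%\\system32, not {directory}"))
    if lookalike_of(base):
        out.append((no, "high", f"service image '{base}' imitates the Windows binary {lookalike_of(base)}"))
    if owner.lower() == "unknown owner":
        out.append((no, "info", f"service '{name}' has no publisher in its version info; verify by hand"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Scan every line of an HJT log; Startup-folder, O8 and O16 entries are not examined here."""
    findings: List[Finding] = []
    checks = ((_R_LINE, _check_r), (_O4_LINE, _check_o4), (_O23_LINE, _check_o23))
    for no, raw in enumerate(log_text.splitlines(), start=1):
        for pattern, check in checks:
            m = pattern.match(raw.strip())
            if m:
                findings += check(no, m)
                break
    return findings


# Constructed sample: eight lines copied from the Tranz-account log in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

if __name__ == "__main__":
    for line_no, severity, reason in triage(SAMPLE_LOG):
        print(f"line {line_no:>2} [{severity}] {reason}")
```

Run as a script it prints one finding per line for sample lines 1, 4, 5 and 7 and nothing for the legitimate Intel, Spybot and Lexmark entries; paste a full log into `triage()` to get the same triage over a real case. The heuristics are deliberately narrow: a Run entry with a full path to an unfamiliar name still needs the manual checks dvk01 does above, and the "Unknown owner" signal is informational because legitimate services (the F-Secure BackWeb one in these logs) show it too.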



## judson04 (Jun 11, 2005)

From Tyler account, last one.

(Although my Judson account, the main account, was deleted in the past, then I recreated it, so now when I look in My Computer for my user it's like JudsonD69.... and some numbers and stuff.)

Also, I've deleted a ridiculous amount of registry values that were spyware and stuff. When I try to delete a value for altnet, I get a cannot delete error. Also, there was a registry value that said something like "disable SP pack 2" or whatever that service pack thing is called. I deleted it obviously....

Logfile of HijackThis v1.99.1
Scan saved at 5:06:11 AM, on 6/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## dvk01 (Dec 14, 2002)

this one is just

O4 - HKCU\..\RunServices: [Windows Services Hosts] svhosts.exe

to fix


----------



## judson04 (Jun 11, 2005)

I also fixed the ones that say Backweb, I removed F-secure because I think it got infected somehow. It won't let me update or do much of anything. 

Anyway, what now? I know I still have malware, I found a lot in the Local Settings hidden folder, lycos sidesearch and qcbar and stuff. How can I get the malware out of my registry?


----------



## dvk01 (Dec 14, 2002)

I think you are removing entries that ARE NOT spyware in the registry.

You most probably are removing the entries that Spybot & other anti-spyware programs put in to tell the computer to block downloads of those products.

Now, what Local Settings hidden folder is containing what?


----------



## judson04 (Jun 11, 2005)

I deleted everything that the programs told me was spyware. This applies for the Local Settings folder and the registry. I was deleting registry values, for the most part, that xoft AS told me were bad. There are still some that I can't figure out how to access, like typelib\.... etc.. ones that don't start in like software\ or something like that.


----------



## dvk01 (Dec 14, 2002)

xoft is NOT the most efficient or reliable anti-spyware scanner in existence


----------



## judson04 (Jun 11, 2005)

What is the Backweb error message, like "invalid backweb address 44672" or something like that?


----------



## dvk01 (Dec 14, 2002)

you probably still have some f-secure entries so post a fresh HJT log and we will see


----------



## judson04 (Jun 11, 2005)

Sorry, I've been out of town. I tried to download good anti-virus software/firewall; I got Panda protection and ZoneAlarm, but now it's incredible how many annoying prompts I get from my various security programs. What should I keep, and what should I delete? I have:

No adware
Spybot & Teatimer
Spy Subtract
Ad-aware
microsoft as
spyware blaster
registry mechanic
ad aware
spyware guard
registry cleaner
Zone Labs ZoneAlarm firewall
panda platinum protection


----------



## Blitze105 (May 28, 2005)

I suggest removing SpywareGuard, No Adware and Spy Subtract. They are legit programs but you have enough.
People will disagree with me on this one, so i do not know why i posted...
-blitze


----------



## judson04 (Jun 11, 2005)

Every time I restart my computer it says "Found New Hardware: Panda Anti-Dialer" and when I go to install it never works. Also it's finding another new hardware called wpsdrvnt and I don't know what it is. I'm still getting the error message "invalid backweb application ID." Also, I use my modem for XBOX Live and I don't have a router; every time I plug the computer back into the modem I get a "critical system error" and the computer automatically reboots after showing a blue screen with some error messages on it for like 1/2 a second.


----------



## dvk01 (Dec 14, 2002)

As I said previously, post a new HJT log and we can see what the current state of play is.


----------



## judson04 (Jun 11, 2005)

The Panda is obviously part of my Panda virus security software, but here's another log.


----------



## judson04 (Jun 11, 2005)

Judson account

Logfile of HijackThis v1.99.1
Scan saved at 3:43:07 AM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [DWHeartbeatMonitor] C:\PROGRA~1\THEWEA~1\DWHeartbeatMonitor.exe
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## dvk01 (Dec 14, 2002)

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make. It can be enabled when you're clean.

Open Microsoft AntiSpyware by double clicking its icon in the system tray, click on Real-time Protection, and on the left a screen will appear; select each of the agents in turn and press Deactivate,
then
right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
_ _ _ _

Please disable SpybotSD TeaTimer, as it may hinder the removal. You can enable it after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Click Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm

Go to Start/Run, type services.msc and press OK.

When the screen opens, scroll down to *F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822)*, right click and select Properties, then on that page press Stop Service and set the startup type to Disabled; press OK a few times to get back to Windows.

Be very careful to get the right one, as there might be several similarly named ones there.

repeat for

*fsbwsys*

now open HJT press config/misc tools and select delete an NT service

paste this into the box & press OK

*fsbwsys*

repeat for 
*BackWeb Plug-in - 4476822*

close HJT &

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe

O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe

then as some of the folders you need to delete may be hidden do this:
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

*delete these folders*

C:\Program Files\F-Secure Anti-Virus
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Symantec

Now go to Start/Run and type %temp%, and when the folder opens select everything and delete it all.

then go to C:\windows\temp and select EVERYTHING and delete it all and then do the same for C:\temp if it exists

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then reboot normally and post fresh hjt log and let us know what error messages you get


----------



## dvk01 (Dec 14, 2002)

You have Panda security suite with its firewall and Zone Alarm as well, so either uninstall Zone Alarm from Add/Remove Programs first before doing the above fix, or make sure Panda's firewall is disabled in Panda's settings, as having 2 firewalls running is a recipe for disaster.


----------



## judson04 (Jun 11, 2005)

Those services were already stopped. F-secure won't go away. Panda firewall won't remember what I want to allow internet usage, even though it's on the allow list. Here's a new log from Judson (the main) account

Logfile of HijackThis v1.99.1
Scan saved at 5:50:45 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\apvxdwin.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MNPAP] C:\Program Files\MNPAntiPopup\MNPAntiPopup.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


----------



## judson04 (Jun 11, 2005)

from Tracy account

Logfile of HijackThis v1.99.1
Scan saved at 5:55:21 PM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Roadrunner
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.rr.com
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt1_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/games/clients/y/st2_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

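The two logs above are in the HijackThis v1.99.1 line format that this thread is built around. The following is an added example, not code from the thread or from HijackThis itself: a small Python auditor that parses the `R*`/`O*` entries and flags the kinds of items the helpers picked out of these logs, namely an `O23` service whose binary is missing or whose owner is unknown (the leftover F-Secure BackWeb entry), an `O4` Run entry with no path (the bare `svhosts.exe`, which Windows would resolve by PATH search), and a search setting whose URL carries an affiliate id (the isearch.com SearchAssistant). The sample log is constructed from lines posted earlier in this thread; the flag rules and function names are my own, not part of any HJT tooling.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: lines copied from the HijackThis logs in this thread,
# plus the log header lines that a parser has to skip over.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Windows Services Hosts] svhosts.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
"""

# An HJT entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Body of an O4 Run/RunOnce entry: "HKCU\..\Run: [Name] command line".
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def parse_hjt_log(text):
    """Return (section, body) tuples for every R*/O* entry, skipping header lines."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _program(cmd):
    """Extract the program part of a Run command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit_hjt_log(text):
    """Apply review heuristics (mine, not HJT's) and return a list of findings."""
    findings = []
    for section, body in parse_hjt_log(text):
        line = f"{section} - {body}"
        if section in ("R0", "R1") and " = " in body:
            url = body.split(" = ", 1)[1].strip()
            # A start/search URL with an affiliate id is a classic hijack sign.
            if url.startswith("http") and "affiliate" in parse_qs(urlsplit(url).query):
                findings.append({"section": section, "reason": "search setting points to affiliate URL", "line": line})
        elif section == "O4":
            m = RUN_RE.match(body)
            if m:
                prog = _program(m.group("cmd"))
                # No directory at all: the binary is found by PATH search, so its
                # origin is unknown from the log alone and deserves a look.
                if "\\" not in prog and "/" not in prog:
                    findings.append({"section": section, "reason": "Run entry has no path (resolved via PATH search)", "line": line})
        elif section == "O23":
            # Service registration whose executable no longer exists on disk.
            if body.endswith("(file missing)"):
                findings.append({"section": section, "reason": "service binary missing on disk", "line": line})
            # HJT could not read vendor information from the binary.
            if " - Unknown owner - " in body:
                findings.append({"section": section, "reason": "service has unknown owner", "line": line})
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}: {f['line']}")
```

Run against the sample it reports four items: the isearch.com search assistant, the pathless `svhosts.exe` Run entry, and two findings on the orphaned F-Secure BackWeb service (missing binary, unknown owner). The Lexmark service, the AIM Run entry and the `dumprep` entry pass, because each has a full path and a known owner; the heuristics only surface entries for a human to look at, they do not decide what to fix.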

----------



## judson04 (Jun 11, 2005)

I'll wait for response to post logs from other accounts. Like I said, the F-secure thing won't go away in HJT, no matter how many times I try to fix it.


----------



## dvk01 (Dec 14, 2002)

I really think this has come to the stage now where anything we do is not going to do any good 

you have had so many antiviruses/firewalls on there and all will have left bits behind in the registry (especially Norton & McAfee), and my view is that a lot less work would be involved and a more satisfactory cure would be to back up any important documents etc, wipe it out completely and format, and start from fresh with a brand new installation of Windows and all programs

I really think that is the only way with this one 

I wouldn't be happy to continue to use it in that state


----------



## judson04 (Jun 11, 2005)

okay I guess...


----------



## judson04 (Jun 11, 2005)

When I run Registry Cleaner (which wants me to pay to fix stuff) it finds all these files that aren't there that I deleted like years ago, saying they're errors. It finds like thousands of problems. Do you have any recommendations?


----------

