# Spywarebot removal



## jgribbin (Aug 29, 2006)

I accidentally installed Spywarebot a few weeks ago instead of Spybot. I realized my mistake almost as soon as it finished installing and attempted uninstalling. This was before finding this site, and I just used Windows Add/Remove Programs.

I seem to have some part of it still on my system as every time I boot up, Spybot tells me some program (the uninstaller?) is asking for permission to remove Spywarebot from the registry.

I found a thread in this forum on removing it. I followed through the instructions there. None of the files those instructions said to remove seemed to be there. I'm still being asked every time I boot.

The thread I found was not a waste of time though. It got rid of 12.8 GB of temporary files I knew were there someplace, but couldn't find.

Jim G


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome 

* *Click here* to download *HJTsetup.exe*.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## jgribbin (Aug 29, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 4:22:23 PM, on 8/31/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Siemens\SpeedStream Wireless LAN\Config.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\lotus\approach\Approach.exe
C:\Program Files\Evolution\libexec\bonobo-activation-server.exe
C:\Program Files\Evolution\libexec\bonobo-activation-server.exe
C:\Program Files\Evolution\libexec\bonobo-activation-server.exe
C:\Program Files\Motorola Phone Tools\mPhonetools.exe
C:\Documents and Settings\jimg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://johnboy.instanetforms.com/in...tforms/Instanetforms.htx;start=HS_AKMLS_Login
F3 - REG:win.ini: load=,,DTMONX.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\DLink\Bluetooth Software\BTTray.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless LAN\Config.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Siemens SpeedStream Wireless PCMCIA.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mymal.acsalaska.net
O15 - Trusted Zone: http://valleymls.fnismls.com
O15 - Trusted Zone: johnboy.instanetforms.com
O15 - Trusted Zone: sss-web.usps.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://valleymls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://valleymls.fnismls.com/Paragon/Codebase/SystemChecker.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

jgribbin - thanks


----------



## Cheeseball81 (Mar 3, 2004)

Download the trial version of *Ewido Anti-spyware* from *HERE* and save that file to your desktop. When the trial period expires, it becomes freeware with reduced functions but still worth keeping.


Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run Ewido and update the definition files.
On the main screen select the icon "*Update*" then select the "*Update now*" link.
Next select the "*Start Update*" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "*Scanner*" icon at the top of the screen, then select the "*Settings*" tab.
Once in the Settings screen click on "*Recommended actions*" and then select "*Quarantine*"
Under "*Reports*"
Select "*Automatically generate report after every scan*"
Un-Select "*Only if threats were found*"

Close Ewido Anti-Spyware, DO NOT run a scan yet. We will do that later in Safe Mode.


Reboot your computer into *Safe Mode* now. You can do this by restarting your computer and continually tapping the *F8* key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
*IMPORTANT:* Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
Select the "*Scanner*" icon at the top and then the "*Scan*" tab then click on "*Complete System Scan*".
Ewido will now begin the scanning process. Be patient; this may take a little time.
*Once the scan is complete do the following:*
If you have any infections you will be prompted, then select "*Apply all actions*"
Next select the "*Reports*" icon at the top.
Select the "*Save report as*" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and reboot your system back into Normal Mode.

Run *ActiveScan* online virus scan: *here*

When the scan is finished, save the results from the scan!

*Come back here and post a new Hijack This log along with the logs from the Ewido and Panda scans.*


----------



## jgribbin (Aug 29, 2006)

I am having trouble running Ewido in safe mode. The minimum window size seems to be larger than the 640x480 screen size I am forced to use in safe mode. This is version 4.0 that just came out on the 18th. I looked for an older version, but don't see it.

I am unable to select "Apply all actions" as it is apparently off the screen. I go to "Reports" and there is no report to save. It did find 3 or 4 hundred problems during the scan.

jgribbin


----------



## jgribbin (Aug 29, 2006)

I went ahead with the Ewido scan in user mode. Thought that would be better than nothing. I also wanted to see how much of the window I wasn't seeing. I was being cut off at the lower edge of the progress bar below and between the tools and help icons on the right. Lost some off the top and left too.

Logfile of HijackThis v1.99.1
Scan saved at 12:04:11 AM, on 9/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Siemens\SpeedStream Wireless LAN\Config.exe
C:\PROGRA~1\DLink\BLUETO~1\BTSTAC~1.EXE
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\jimg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://johnboy.instanetforms.com/in...tforms/Instanetforms.htx;start=HS_AKMLS_Login
F3 - REG:win.ini: load=,,DTMONX.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\DLink\Bluetooth Software\BTTray.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless LAN\Config.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Siemens SpeedStream Wireless PCMCIA.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mymal.acsalaska.net
O15 - Trusted Zone: http://valleymls.fnismls.com
O15 - Trusted Zone: johnboy.instanetforms.com
O15 - Trusted Zone: sss-web.usps.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://valleymls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://valleymls.fnismls.com/Paragon/Codebase/SystemChecker.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

Panda log

Incident Status Location

Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.gostats.com/] 
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[searchportal.information.com/] 
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.bravenet.com/] 
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.realmedia.com/] 
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.xiti.com/] 
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.fortunecity.com/] 
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.ct.360i.com/] 
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.atwola.com/] 
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.belnk.com/] 
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.maxserving.com/] 
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\jimg\Application Data\Mozilla\Firefox\Profiles\qn1je400.default\cookies.txt[.tucows.com/] 
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\jimg\Cookies\[email protected][1].txt 
Spyware:Cookie/Humanclick Not disinfected D:\jimg\Application Data\Mozilla\Profiles\default\y64rrq8b.slt\cookies.txt[hc2.humanclick.com/hc/4221608] 
Spyware:Cookie/Humanclick Not disinfected D:\jimg\Application Data\Mozilla\Profiles\default\y64rrq8b.slt\cookies.txt[hc2.humanclick.com/] 
Virus:Trj/Citifraud.A Disinfected D:\jimg\Application Data\My Documents\OldZipData\WINDOWS\Profiles\jimg\My Documents\PayPaI officiaI notice.htm

jgribbin


----------



## Cheeseball81 (Mar 3, 2004)

* Go here and do the BitDefender online virus scan.

Click "I Agree" to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click "Click here to scan" to begin the scan.
Please refrain from using the computer until the scan is finished.
When the scan is finished, click on "Click here to export the scan results"
Save the report to your desktop then come back here and *attach* it to your next reply along with a new Hijack This log.


----------



## jgribbin (Aug 29, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 10:39:47 PM, on 9/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\Atiptaxx.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\DLink\Bluetooth Software\BTTray.exe
C:\Program Files\Siemens\SpeedStream Wireless LAN\Config.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\HPDESK\hppddir.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\jimg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://johnboy.instanetforms.com/in...tforms/Instanetforms.htx;start=HS_AKMLS_Login
F3 - REG:win.ini: load=,,DTMONX.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: palmOne Registration.lnk = C:\Program Files\Palm\register.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\DLink\Bluetooth Software\BTTray.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\Siemens\SpeedStream Wireless LAN\Config.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Siemens SpeedStream Wireless PCMCIA.lnk = C:\Program Files\Siemens\SpeedStream Wireless PCMCIA\SSPCCfg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://mymal.acsalaska.net
O15 - Trusted Zone: http://valleymls.fnismls.com
O15 - Trusted Zone: johnboy.instanetforms.com
O15 - Trusted Zone: sss-web.usps.com
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://valleymls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D270FE47-4F7B-4AFF-BCF8-B023A6FF4DFA} (SystemChecker.CheckerCtrl) - http://valleymls.fnismls.com/Paragon/Codebase/SystemChecker.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe


----------



## Cheeseball81 (Mar 3, 2004)

How are things now?


----------



## jgribbin (Aug 29, 2006)

Hasn't changed any  

Attached is a corner of a screenshot of what I'm getting every time I boot.

It's Whitelisted because I got tired of telling Spybot that the removal of the SpywareBot registry entry is OK every time I log in.

jgribbin


----------



## Cheeseball81 (Mar 3, 2004)

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

*Click here* for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

Reboot back to Normal Mode!


Go to the *WinPFind folder*
Locate *WinPFind.txt*
Copy and paste WinPFind.txt in your next post here please.


----------



## jgribbin (Aug 29, 2006)

Well, I still feel a little dumb for having installed this in the first place, but I'm feeling a little less dumb about not being able to figure out how to get rid of it by myself.

Thanks,
jgribbin


----------



## Cheeseball81 (Mar 3, 2004)

Please download and run the following:

*Ad-Aware SE*: http://www.majorgeeks.com/download506.html

Install the program and launch it.
First, in the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.
Then in the main window: Click Start and under Select a scan Mode check Perform full system scan.
Then deselect Search for negligible risk entries.
To start the scan, click the Next button.
When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next).


----------



## jgribbin (Aug 29, 2006)

Scored 1 tracking cookie.

jgribbin


----------



## Cheeseball81 (Mar 3, 2004)

I take it SpyBot still finds it?


----------



## jgribbin (Aug 29, 2006)

I don't think SpyBot is actually 'finding' it. It appears to monitor the Windows registry for programs attempting to change the registry. There seems to be some remnant of the uninstall routine for SpywareBot that was supposed to remove the SpywareBot registry entry on the next boot following the un-install.

On other un-installs, these seem to only run once. This one seems to be stuck in the windows start-up routine and I don't know how to find and get rid of it.

I think we've pretty much eliminated the possibility of a virus. I think it's either a broken un-install or one of those undocumented windows features.

jgribbin


----------



## Cheeseball81 (Mar 3, 2004)

I don't see it in Startup, unless it was disabled with msconfig. I don't recall seeing it in the WinPFind log either.

Open Hijack This.
Click on *Open Misc Tools Section*
Make sure that both boxes beside "Generate StartupList Log" are checked:

*List all minor sections(Full)*
*List Empty Sections(Complete)*

Click *Generate StartupList Log*.
Click *Yes* at the prompt.
It will open a text file. Please copy the entire contents of that page and paste it here.
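
Comparing successive HijackThis logs and looking through the startup sections is what the helpers in this thread do by eye. As an added example (not part of the original thread and not HijackThis's own code), the Python script below re-joins entries that Notepad word wrap split across lines, diffs two logs, and searches the autostart sections for a keyword; the two log excerpts are shortened from the first and third logs posted above, and all function names are illustrative.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code text")

# An entry line starts with a section code such as "O4 - ", "F3 - ", "O23 - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Sections in these logs that start a program at boot or logon:
# F3 (win.ini load=/run=), O4 (Run keys and Startup folders), O23 (services).
AUTOSTART_CODES = {"F3", "O4", "O23"}

# Excerpt of the first log in the thread, including two word-wrapped entries.
OLD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:22:23 PM, on 8/31/2006

Running processes:
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

F3 - REG:win.ini: load=,,DTMONX.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) -

http://valleymls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
"""

# Excerpt of the third log in the thread (after the Ewido and BitDefender scans).
NEW_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:39:47 PM, on 9/1/2006

Running processes:
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

F3 - REG:win.ini: load=,,DTMONX.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {0854D220-A90A-466D-BC02-6683183802B7} (PrintPreview Class) - http://valleymls.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\ati2evxx.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
"""


def parse_entries(log_text):
    """Return the coded entries (R0, F3, O4, ...) of a HijackThis log, in order.

    The header and the "Running processes" list come before the first coded
    line and are skipped. After that, any line without a section code is a
    continuation of the previous entry (word wrap breaks at a space, so the
    pieces are re-joined with one space). Text pasted after the log, such as
    a signature, must be trimmed by the caller.
    """
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.append([match.group(1), match.group(2)])
        elif entries:
            entries[-1][1] += " " + line
    return [Entry(code, text) for code, text in entries]


def diff_logs(old_text, new_text):
    """Return (added, removed) entries between two logs, each in log order."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


def missing_files(entries):
    """Entries HijackThis marked as pointing at a file that no longer exists."""
    return [e for e in entries if e.text.endswith("(file missing)")]


def autostarts_matching(entries, keyword):
    """Autostart entries (F3, O4, O23) whose text contains the keyword."""
    kw = keyword.lower()
    return [e for e in entries
            if e.code in AUTOSTART_CODES and kw in e.text.lower()]


if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for e in added:
        print("ADDED   %s - %s" % e)
    for e in removed:
        print("REMOVED %s - %s" % e)
    for e in missing_files(parse_entries(NEW_LOG)):
        print("MISSING %s - %s" % e)
    print("spywarebot autostarts:",
          autostarts_matching(parse_entries(NEW_LOG), "spywarebot"))
```

On these excerpts the only differences are the entries left by the scanners themselves, and no autostart entry mentions SpywareBot.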


----------



## jgribbin (Aug 29, 2006)

Here's that startup list

I don't currently have anything turned off with msconfig.

I experimented with turning a few things off in the past to try and figure this out, but nothing I could find seemed to help. That's why I'm here.


----------



## Cheeseball81 (Mar 3, 2004)

There is a file that caught my eye: C:\WINNT\system32\dtmonx.exe

Any idea what that is?

Please go to this site: http://virusscan.jotti.org/

Use the Browse button at Jotti.
Navigate to the file's location on your hard drive and submit it.
Let me know what it says regarding the file.


----------



## jgribbin (Aug 29, 2006)

virusscan.jotti found nothing.

A quick google search of it shows it to be part of the package for a HP Laserjet 1100, which I have. I suspect it's OK.

I'm beginning to get the feeling we're at the grasping at straws point. Maybe I should learn to ignore it or plan on doing a re-install of windows.

I hate doing that, but sometimes I can't figure out an alternative.


----------



## Cheeseball81 (Mar 3, 2004)

I'll see if anyone else has a suggestion


----------



## Cookiegal (Aug 27, 2003)

In SpyBot S&D click on *Tools* and then click on *View Report* and copy and paste the report here please. We need to see exactly what the entry is that is trying to run.


----------



## jgribbin (Aug 29, 2006)

Here you go.

Thanks


----------



## Cookiegal (Aug 27, 2003)

Did you put a check mark beside "resident" before asking for that report? If not, remove all of the other checkmarks and just leave the one beside "resident" and post that report please.


----------



## jgribbin (Aug 29, 2006)

Under *View Reports* there is no checkbox marked *Resident*.

There is another tool labeled *Resident*. It had no *Save Report* option, only an *Archive* option. When I clicked that option, the current report went away and I'm not entirely certain where it archived to.

I did look in SpyBot's Log directly and there is a log labeled resident. I'm taking a chance that that's what you're looking for and attaching it here.


----------



## jgribbin (Aug 29, 2006)

Oops, typo. That should have been *I did look in SpyBot's Log directory*, not directly.


----------



## Cookiegal (Aug 27, 2003)

Try turning off TeaTimer then reboot the computer and turn it back on again. Let me know if you still get the alerts.


----------



## jgribbin (Aug 29, 2006)

After all this, could it really be that simple? It looks to be gone.

I'm going to give it a day just to be sure, then I'll mark this as solved.

Thanks!!


----------



## Cookiegal (Aug 27, 2003)

When installing or uninstalling programs you should disable TeaTimer as it will try to prevent changes and it probably got stuck in a loop.

If it appears again please reply back to this thread.

Are you having any other problems?


----------



## jgribbin (Aug 29, 2006)

I think that covers my current window irritation.

Thanks much.


----------



## Cookiegal (Aug 27, 2003)

Great! You're welcome. 

I also recommend downloading *SPYWAREBLASTER* for added protection.

*Read here* for info on how to tighten your security.

*Delete your Temporary files:*

In safe mode go to the C:\WINNT\Temp folder. Open the Temporary folder. Click on Edit - select all, then Edit - delete to empty the contents.

Next navigate to the C:\Documents and Settings\Owner\Local Settings\Temp folder. Open the Temp folder and delete everything except the *Cookies, History* and *Temporary Internet Files* folders.

*Delete your Internet Temporary Files:*

Go to Tools - Internet Options - General tab - delete temporary Internet files - put a check beside delete offline contents, then click OK

*Empty your recycle bin.*


----------

