Malware, viruses & blue screen of death [RESOLVED], Need help
marcel
post Jul 31 2005, 08:44 AM
Post #1
Member
Posts: 43
OS: xp

I've followed all the instructions as required, and have attached the ewido and HijackThis logs.

While this computer is much better, I still get popups and occasional viruses, as well as the blue screen of death. I also get a message at boot up that it's looking for nail.exe.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 10:25:49 AM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\??pPatch\ati2evxx.exe
C:\Program Files\arae\tsad.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gipajs] c:\winnt\system32\gipajs.exe -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [pfpzpvz] c:\winnt\system32\aqerrc.exe r
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Kpubfy] C:\WINNT\system32\??pPatch\ati2evxx.exe
O4 - HKCU\..\Run: [Arma] C:\Program Files\arae\tsad.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail-lc-2.fordham.edu/iNotes6.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O20 - Winlogon Notify: WebCheck - C:\WINNT\system32\mvxml.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:24:28 AM, 7/31/2005
+ Report-Checksum: E373602C

+ Scan result:

[928] C:\WINNT\system32\mvxml.dll -> Spyware.Look2Me : Error during cleaning
[2536] C:\WINNT\system32\moconf.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0073027.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0073033.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0073043.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0073049.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073199.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073211.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073243.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073254.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074219.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074220.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074221.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074222.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074223.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074224.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074225.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074226.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074227.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074228.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074229.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074230.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074231.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074232.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074233.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074234.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074235.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074236.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074237.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074238.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074239.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074240.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074241.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074242.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074243.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074244.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074245.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074246.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074247.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074248.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074249.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074250.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074251.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074252.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074253.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074254.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074255.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074256.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074257.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074258.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074259.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074260.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074261.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074262.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074263.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074264.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074265.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074266.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074267.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074268.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074269.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074270.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074271.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074272.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074273.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074274.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074275.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074276.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074277.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074278.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074279.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074280.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074281.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074282.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074283.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074284.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074285.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074286.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074287.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074288.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074289.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074290.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074291.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074292.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074293.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074294.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074295.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074296.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074297.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074298.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074299.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074300.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074309.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074347.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074356.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074455.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074465.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINNT\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\evhsco.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\PzGuiMgr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\vfhelper.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
kool808
post Jul 31 2005, 09:43 AM
Post #2
Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro

Hello and welcome to Geeks to Go! I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.
kool808
post Jul 31 2005, 09:50 AM
Post #3
Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro

Can you uninstall Trojan Hunter for a moment through Control Panel > Add/Remove Programs? This is a very good program; however, it will consume much of the system's resources and will put us into a drag.

You have lots of complex infections, however we can take them down one at a time. Trust me.

One of your infections will tend to morph and change filenames, so we will take a closer look at this.


Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++++++++++++++++++++++++++++++++++++++

First:
Please download ewido security suite it is a free version of the program.
  1. Install ewido security suite
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  8. Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CCleaner and install it, but do not run it yet.

Please download this file: Revised Installer for the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with Ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [pfpzpvz] c:\winnt\system32\aqerrc.exe r

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.
NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format that will always end in a single letter r.

Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • c:\winnt\system32\aqerrc.exe (or whatever the name may have changed to, as noted above).
Finally, Empty Recycle Bin

Now run CCleaner.
  1. Uncheck "Cookies" under "Internet Explorer".
  2. If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
  3. Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan, by using Add Reply.

This post has been edited by kool808: Jul 31 2005, 09:52 AM
marcel
post Jul 31 2005, 09:50 AM
Post #4
Member
Posts: 43
OS: xp

That was quick. Thanks!
marcel
post Jul 31 2005, 02:17 PM
Post #5
Member
Posts: 43
OS: xp

Here it is. Still getting some popups.

Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 4:12:02 PM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\??pPatch\ati2evxx.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\arae\tsad.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [gipajs] c:\winnt\system32\gipajs.exe -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Kpubfy] C:\WINNT\system32\??pPatch\ati2evxx.exe
O4 - HKCU\..\Run: [Arma] C:\Program Files\arae\tsad.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail-lc-2.fordham.edu/iNotes6.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O20 - Winlogon Notify: Reinstall - C:\WINNT\system32\mvxml.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:48:01 PM, 7/31/2005
+ Report-Checksum: DC8CB608

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\H323TSP -> Spyware.Look2Me : Cleaned with backup
[256] C:\WINNT\system32\mvxml.dll -> Spyware.Look2Me : Error during cleaning
[732] C:\WINNT\system32\mticda.dll -> Spyware.Look2Me : Error during cleaning
[1120] C:\WINNT\system32\mticda.dll -> Spyware.Look2Me : Error during cleaning
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP179\A0056207.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP179\A0056689.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP180\A0056784.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP180\A0057643.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP180\A0060638.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP180\A0061637.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP180\A0061840.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP180\A0061882.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP198\A0065846.exe -> Spyware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP205\A0071703.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP205\A0072744.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0072889.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0072906.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0072941.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0073028.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP206\A0073044.exe.tcf -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073212.exe.tcf -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073214.exe -> TrojanDownloader.PurityScan.y : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073244.exe.tcf -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0073247.exe.tcf -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074472.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074473.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074474.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074475.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP207\A0074476.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0074489.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0074495.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0074505.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0075542.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\dsr.exe.tcf -> Trojan.Imiserv.c : Cleaned with backup
C:\WINNT\Nail.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\Nail.exe3374.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\ru.exe.tcf -> Spyware.PurityScan : Cleaned with backup
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\05WHZ2TA\!update-2174[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\B0T9OIUR\!update-2124[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XDMAW5O5\!update-2114[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XDMAW5O5\!update-2144[1].0000 -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\XDMAW5O5\!update-2174[1].0000 -> Spyware.PurityScan : Cleaned with backup
C:\WINNT\system32\djime.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\WINNT\Temp\Cookies\administrator@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup


::Report End
marcel
post Jul 31 2005, 02:19 PM
Post #6


Member
Posts: 43
OS: xp



I forgot to mention that I already had ewido downloaded. I disabled the background guard manually, but could not locate "scan via context menu".
kool808
post Jul 31 2005, 04:42 PM
Post #7


Visiting Staff
Posts: 1,690
From: South East Asia
OS: Win 98 SE, Win XP Pro



QUOTE
Looking good, much better now. You did it very well. One infection down, 2 major to go...


Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.
Do NOT run it yet.

Place a shortcut to Panda ActiveScan on your desktop.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
(How to boot in Safe Mode...)
===================================================
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

++++++++++++++++++++++++++++++++++++++++++++
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • Arae
  • Click Uninstall
  • Confirm with OK
++++++++++++++++++++++++++++++++++++++++++++
Open Ad-aware and do a full scan. Remove all it finds.

++++++++++++++++++++++++++++++++++++++++++++
Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

++++++++++++++++++++++++++++++++++++++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\Program Files\arae <-- whole folder
  • C:\winnt\system32\gipajs.exe
Finally, Empty Recycle Bin

++++++++++++++++++++++++++++++++++++++++++++
We will now fix the remaining problems with HijackThis. Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

O4 - HKLM\..\Run: [gipajs] c:\winnt\system32\gipajs.exe -start
O4 - HKCU\..\Run: [Arma] C:\Program Files\arae\tsad.exe


Make sure to double check the items you have selected, then click Fix Checked.
===================================================
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
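A small triage script, added here as an example and not part of this thread or of any tool it mentions, that parses HijackThis autostart lines and an ewido report (the sample lines are constructed from entries posted in this thread) and flags what a helper looks for by eye: a folder name HijackThis renders with "?", a file named like a legitimate service binary but living in a different folder, and a detection the scanner reported as "Error during cleaning".

```python
import re
# Constructed sample lines, copied from the entries quoted in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Kpubfy] C:\WINNT\system32\??pPatch\ati2evxx.exe
O20 - Winlogon Notify: SideBySide - C:\WINNT\system32\mvxml.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
"""
EWIDO_SAMPLE = r"""
[256] C:\WINNT\system32\mvxml.dll -> Spyware.Look2Me : Error during cleaning
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
"""
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
DETECT_RE = re.compile(r"^(?:\[\d+\] )?(?P<path>.*?) -> (?P<name>\S+) : (?P<status>.*)$")

def parse_hjt(text):
    """Yield (section, path) for every HijackThis line naming an .exe or .dll."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and (p := PATH_RE.search(m.group("body"))):
            yield m.group("sec"), p.group(0)

def parse_ewido(text):
    """Map lowercased path -> (malware name, cleaning status) from an ewido report."""
    out = {}
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if m:
            out[m.group("path").lower()] = (m.group("name"), m.group("status"))
    return out

def triage(hjt_text, ewido_text):
    """Return (section, path, reason) for autostart entries that deserve a closer look."""
    entries = list(parse_hjt(hjt_text))
    detections = parse_ewido(ewido_text)
    # Directory each O23 service binary lives in, keyed by lowercased file name.
    service_dirs = {p.lower().rpartition("\\")[2]: p.lower().rpartition("\\")[0]
                    for s, p in entries if s == "O23"}
    findings = []
    for sec, path in entries:
        d, _, f = path.lower().rpartition("\\")
        if "?" in path:  # HijackThis shows characters it cannot render as '?'
            findings.append((sec, path, "unprintable characters in folder name"))
        if sec != "O23" and f in service_dirs and service_dirs[f] != d:
            findings.append((sec, path, "lookalike of service binary in " + service_dirs[f]))
        hit = detections.get(path.lower())
        if hit and hit[1].startswith("Error"):  # in-use module the scanner could not remove
            findings.append((sec, path, hit[0] + " still present: " + hit[1]))
    return findings
```

Run `triage(HJT_SAMPLE, EWIDO_SAMPLE)` to get the three flagged entries; the plain AVG and ATI service lines pass without a finding.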
marcel
post Aug 1 2005, 06:02 AM
Post #8


Member
Posts: 43
OS: xp



I've completed all the steps, yet still get unwanted popups. I looked at the IE add-in settings and noted that there are three BHOs installed, one from Safer Networking and 2 from PC Tools Pty. I didn't do anything with them, because with all these diagnostics I've downloaded, I'm not sure whether they are good or not.

Also, while running Panda ActiveScan, Microsoft AntiSpyware popped up with several more instances of malware. I've deleted them, and have attached the Microsoft Report as an attachment.

Here are the HijackThis, smitfiles.txt and Ewido Logs:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:34 AM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINNT\system32\??pPatch\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\wanmpsvc.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\System32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Kpubfy] C:\WINNT\system32\??pPatch\ati2evxx.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail-lc-2.fordham.edu/iNotes6.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: SideBySide - C:\WINNT\system32\mvxml.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe


smitRem log file
version 2.2

by noahdfear

The current date is: Sun 07/31/2005
The current time is: 23:05:29.23

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Vicodin.url


~~~ system32 folder ~~~

logfiles


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Vicodin.url


~~~ system32 folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:02:07 AM, 8/1/2005
+ Report-Checksum: A0BF0FD5

+ Scan result:

[256] C:\WINNT\system32\mvxml.dll -> Spyware.Look2Me : Error during cleaning
[736] C:\WINNT\system32\wqnstrm.dll -> Spyware.Look2Me : Error during cleaning
[644] C:\WINNT\system32\wqnstrm.dll -> Spyware.Look2Me : Error during cleaning
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0075547.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0075567.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{657CAD57-1780-47DF-A227-8D19F3156604}\RP208\A0075575.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\iYshlpr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\kjdla.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

Also, here is the Pandaware report:

Incident Status Location

Adware:Adware/PurityScan No disinfected C:\Program Files\arae\tsad.exe
Adware:adware/adlogix No disinfected C:\WINNT\SYSTEM32\retpdat32.xml
Adware:adware/portalscan No disinfected C:\WINNT\SYSTEM32\winupdt.008
Adware:adware/purityscan No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\!update.exe