
Not sure! [RESOLVED]


This topic is locked

#1 BlackVinyl (Member, 46 posts)
Hi There,
Not sure if I have a virus or spyware, but I will post my log anyway.
The symptoms are that every time I reboot my PC, a CMD prompt window opens up.
There is nothing on the screen, nor can I type anything like EXIT.
The window is titled c:\winnt\system32\svchost.exe.

I have done the standard scans with AV and spyware. Spybot finds nothing.

Here is the HijackThis log...

Any help would be great.

Logfile of HijackThis v1.99.1
Scan saved at 9:14:59 AM, on 25/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\Anvshell.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
C:\WINNT\system32\wuauclt.exe
D:\Virus Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\SERVICES.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Anvshell] C:\WINNT\Anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.street-directory.com.au
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Thanks,

BV
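The security-relevant line in the log above is the F2 entry: Winlogon's Userinit value has been extended from the stock userinit.exe to also start C:\WINNT\SERVICES.EXE, a file carrying the name of a core Windows binary but sitting in C:\WINNT rather than C:\WINNT\system32, where the real services.exe (listed under running processes) lives. As an added example, not HijackThis code and not part of any post in this thread, the following Python triages a HijackThis 1.99 log for exactly that pattern. SYSTEM_ROOT is taken from the log's Platform line; the CORE_BINARIES list, the severity levels and the rule that a core binary name outside system32 is suspect are this example's own assumptions; SAMPLE_LOG is an excerpt of the log above.

```python
"""Triage a HijackThis 1.99 log for the persistence pattern in this thread:
a core Windows binary name (SERVICES.EXE) planted outside system32 and
launched through the Winlogon Userinit value.  Added example, not
HijackThis code and not part of any post.  SAMPLE_LOG is an excerpt of the
log above; the checks and severity levels are this example's own."""
import re
from collections import namedtuple

SYSTEM_ROOT = r"C:\WINNT"          # from the log's Platform line (Windows 2000)
SYSTEM32 = SYSTEM_ROOT + r"\system32"
# Names that only belong in %SystemRoot%\system32 (assumed list).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "userinit.exe", "spoolsv.exe"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
Finding = namedtuple("Finding", "severity section detail")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emailcash.com.au/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\SERVICES.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Anvshell] C:\WINNT\Anvshell.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [internat.exe] internat.exe
O15 - Trusted Zone: http://www.street-directory.com.au
"""


def split_userinit(value):
    """Winlogon treats Userinit as a comma-separated list and starts every
    non-empty entry, so 'userinit.exe,,C:\\WINNT\\SERVICES.EXE' starts two
    programs; the empty field between the commas is just skipped."""
    return [p.strip() for p in value.split(",") if p.strip()]


def default_userinit(system_root=SYSTEM_ROOT):
    """Stock Userinit value (the trailing comma is part of it)."""
    return system_root + r"\system32\userinit.exe,"


def is_core_masquerade(path):
    """A core binary name anywhere other than system32 is suspect."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name in CORE_BINARIES and \
        not path.lower().startswith(SYSTEM32.lower() + "\\")


def triage(log_text):
    findings, in_procs = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            if is_core_masquerade(line):
                findings.append(Finding("high", "process", line))
            continue
        m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)", line, re.I)
        if m:
            for prog in split_userinit(m.group(1)):
                if prog.lower() != (SYSTEM32 + r"\userinit.exe").lower():
                    findings.append(Finding("high", "F2 UserInit", prog))
            continue
        m = re.match(r"O4 - .*?: \[[^\]]*\] (.*)", line)
        if m:
            # First executable token; quoted paths may contain spaces.
            exe = re.match(r'"?([^"]+?\.exe)', m.group(1), re.I)
            path = exe.group(1) if exe else m.group(1)
            if is_core_masquerade(path):
                findings.append(Finding("high", "O4 Run", path))
            elif "\\" not in path:   # bare name, resolved via search path
                findings.append(Finding("low", "O4 Run (unqualified)", path))
            continue
        m = re.match(r"O15 - Trusted Zone: (.*)", line)
        if m:   # sites here get IE's relaxed Trusted-zone settings
            findings.append(Finding("medium", "O15 Trusted Zone", m.group(1)))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:<6} {f.section:<22} {f.detail}")
    print("expected Userinit value:", default_userinit())
```

Run against the excerpt, the only high finding is the extra Userinit program C:\WINNT\SERVICES.EXE; the bare-name O4 entries and the Trusted Zone site are reported at lower severity because they are common in clean logs but worth a glance. default_userinit() gives the value a fix should leave behind, which is what HijackThis's "Fix checked" on the F2 line restores.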


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Run this first...

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download and install Ewido http://www.ewido.net/en/download/
Double-click the Ewido icon on your desktop to run it.
On the top of the main screen click Shield. Click the word active to change it to inactive.
On the top of the main screen click 'Update'. Then click on 'Start update'. The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can get the manual update at http://download.ewid...ull-current.exe
When you have finished updating, exit Ewido.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingc...showtutorial=61 ).

CleanUp! deletes EVERYTHING out of your temp/temporary folders. It does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Run CleanUp! and click on the CleanUp! button. Let it run. After it's done, click the Close button and choose Yes to logoff.

Make sure all windows are closed. Run Ewido.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.
Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.

#3 BlackVinyl (Topic Starter, Member, 46 posts)
Hi greyknight17,
Thanks for offering your time and assistance.

Firstly, I would like to point out that all went well until I had to run ewido in safe mode.
Nothing would happen when I double-clicked the icon on my desktop.

Out of curiosity, I opened up Task Manager to attempt to start a new task and perhaps run ewido through there; however, when I looked at the running processes I realised that ewido was already running and using 100% of my CPU.
I took a screen shot for you, and attached it as a file attachment to this post so you can see it.

Nevertheless, the ewido process continued like that for around three minutes until an error appeared on the screen indicating that something bad occurred and a report was written to the ewido directory.

This I can provide...
The report was called ewido.err, but I am not sure if the info can help you. Here it is...

//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00426DD6 01:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
Module Date: 06/17/2006 00:39:05
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172
Exception Date: 07/03/2006 19:55:24

Registers:
EAX:0012E32C
EBX:01370C28
ECX:0012E344
EDX:F1DB0001
ESI:77E148E2
EDI:014F3008
CS:EIP:001B:00426DD6
SS:ESP:0023:0012E1F8 EBP:0012E38C
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
00426DD6 0012E38C 00013572 0012E3B8 00000000 01370C28 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 00030088 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E14222 00030064 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E14925 0012E488 00030064 00000005 00000000 014402C4 0001:00003925 C:\WINNT\system32\USER32.DLL

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
00426DD6 0012E38C 00013572 0012E3B8 00000000 01370C28 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 00030088 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E14222 00030064 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E14925 0012E488 00030064 00000005 00000000 014402C4 GetDC+10C

Loaded Modules:
Base Size Module
00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77F80000 07B000 5.00.2195.6685 C:\WINNT\system32\ntdll.dll
690A0000 00B000 5.00.2134.0001 C:\WINNT\system32\PSAPI.DLL
7C4E0000 0B9000 5.00.2195.6688 C:\WINNT\system32\KERNEL32.DLL
10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll
70BD0000 065000 6.00.2800.1106 C:\WINNT\system32\SHLWAPI.dll
78000000 045000 6.01.9844.0000 C:\WINNT\system32\msvcrt.dll
77F40000 03C000 5.00.2195.6660 C:\WINNT\system32\GDI32.dll
77E10000 065000 5.00.2195.6688 C:\WINNT\system32\USER32.DLL
7C2D0000 062000 5.00.2195.6710 C:\WINNT\system32\ADVAPI32.dll
77D30000 071000 5.00.2195.6701 C:\WINNT\system32\RPCRT4.DLL
75030000 014000 5.00.2195.6601 C:\WINNT\system32\WS2_32.dll
75020000 008000 5.00.2134.0001 C:\WINNT\system32\WS2HELP.DLL
77570000 030000 5.00.2161.0001 C:\WINNT\system32\WINMM.dll
782F0000 248000 5.00.3700.6705 C:\WINNT\system32\SHELL32.dll
71710000 084000 5.81.4916.0400 C:\WINNT\system32\COMCTL32.DLL
6B2C0000 005000 5.00.2180.0001 C:\WINNT\system32\MSIMG32.dll
76B30000 03E000 5.00.3700.6693 C:\WINNT\system32\comdlg32.dll
77A50000 0F7000 5.00.2195.6692 C:\WINNT\system32\ole32.dll
75050000 008000 5.00.2195.6603 C:\WINNT\system32\WSOCK32.dll
77340000 013000 5.00.2195.6602 C:\WINNT\system32\iphlpapi.dll
77520000 005000 5.00.2134.0001 C:\WINNT\system32\ICMP.DLL
77320000 017000 5.00.2181.0001 C:\WINNT\system32\MPRAPI.DLL
75150000 00F000 5.00.2195.6666 C:\WINNT\system32\SAMLIB.DLL
75170000 04F000 5.00.2195.6601 C:\WINNT\system32\NETAPI32.DLL
7C340000 00F000 5.00.2195.6695 C:\WINNT\system32\SECUR32.DLL
751C0000 006000 5.00.2134.0001 C:\WINNT\system32\NETRAP.DLL
77950000 02A000 5.00.2195.6666 C:\WINNT\system32\WLDAP32.DLL
77980000 024000 5.00.2195.6680 C:\WINNT\system32\DNSAPI.DLL
779B0000 09B000 2.40.4522.0000 C:\WINNT\system32\OLEAUT32.DLL
773B0000 02F000 5.00.2195.6601 C:\WINNT\system32\ACTIVEDS.DLL
77380000 023000 5.00.2195.6701 C:\WINNT\system32\ADSLDPC.DLL
77830000 00E000 5.00.2168.0001 C:\WINNT\system32\RTUTILS.DLL
77880000 08E000 5.00.2195.6622 C:\WINNT\system32\SETUPAPI.DLL
7C0F0000 062000 5.00.2195.6711 C:\WINNT\system32\USERENV.DLL
774E0000 033000 5.00.2195.6625 C:\WINNT\system32\RASAPI32.DLL
774C0000 011000 5.00.2195.6604 C:\WINNT\system32\RASMAN.DLL
77530000 022000 5.00.2195.6664 C:\WINNT\system32\TAPI32.DLL
77360000 019000 5.00.2195.6685 C:\WINNT\system32\DHCPCSVC.DLL
77820000 007000 5.00.2195.6623 C:\WINNT\system32\VERSION.dll
759B0000 006000 5.00.2195.6611 C:\WINNT\system32\LZ32.DLL
775A0000 086000 2000.02.3504.0000 C:\WINNT\system32\CLBCATQ.DLL
77840000 03E000 5.00.2195.6705 C:\WINNT\system32\cscui.dll
770C0000 023000 5.00.2195.6713 C:\WINNT\system32\CSCDLL.DLL
72A00000 02D000 5.00.2195.6613 C:\WINNT\system32\DBGHELP.DLL

//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00426DD6 01:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
Module Date: 06/17/2006 00:39:05
File Version of C:\Program Files\ewido anti-spyware 4.0\ewido.exe: 4.0.0.172
Exception Date: 07/03/2006 19:58:59

Registers:
EAX:0012E32C
EBX:01370B90
ECX:0012E344
EDX:05230001
ESI:77E148E2
EDI:014F3008
CS:EIP:001B:00426DD6
SS:ESP:0023:0012E1F8 EBP:0012E38C
DS:0023 ES:0023 FS:003B GS:0000
Flags:00010246

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
00426DD6 0012E38C 0001359E 0012E3B8 00000000 01370B90 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 00040088 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E14222 000700B6 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E14925 0012E488 000700B6 00000005 00000000 014402C4 0001:00003925 C:\WINNT\system32\USER32.DLL

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
00426DD6 0012E38C 0001359E 0012E3B8 00000000 01370B90 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 00040088 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E14222 000700B6 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E14925 0012E488 000700B6 00000005 00000000 014402C4 GetDC+10C

Loaded Modules:
Base Size Module
00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77F80000 07B000 5.00.2195.6685 C:\WINNT\system32\ntdll.dll
690A0000 00B000 5.00.2134.0001 C:\WINNT\system32\PSAPI.DLL
7C4E0000 0B9000 5.00.2195.6688 C:\WINNT\system32\KERNEL32.DLL
10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll
70BD0000 065000 6.00.2800.1106 C:\WINNT\system32\SHLWAPI.dll
78000000 045000 6.01.9844.0000 C:\WINNT\system32\msvcrt.dll
77F40000 03C000 5.00.2195.6660 C:\WINNT\system32\GDI32.dll
77E10000 065000 5.00.2195.6688 C:\WINNT\system32\USER32.DLL
7C2D0000 062000 5.00.2195.6710 C:\WINNT\system32\ADVAPI32.dll
77D30000 071000 5.00.2195.6701 C:\WINNT\system32\RPCRT4.DLL
75030000 014000 5.00.2195.6601 C:\WINNT\system32\WS2_32.dll
75020000 008000 5.00.2134.0001 C:\WINNT\system32\WS2HELP.DLL
77570000 030000 5.00.2161.0001 C:\WINNT\system32\WINMM.dll
782F0000 248000 5.00.3700.6705 C:\WINNT\system32\SHELL32.dll
71710000 084000 5.81.4916.0400 C:\WINNT\system32\COMCTL32.DLL
6B2C0000 005000 5.00.2180.0001 C:\WINNT\system32\MSIMG32.dll
76B30000 03E000 5.00.3700.6693 C:\WINNT\system32\comdlg32.dll
77A50000 0F7000 5.00.2195.6692 C:\WINNT\system32\ole32.dll
75050000 008000 5.00.2195.6603 C:\WINNT\system32\WSOCK32.dll
77340000 013000 5.00.2195.6602 C:\WINNT\system32\iphlpapi.dll
77520000 005000 5.00.2134.0001 C:\WINNT\system32\ICMP.DLL
77320000 017000 5.00.2181.0001 C:\WINNT\system32\MPRAPI.DLL
75150000 00F000 5.00.2195.6666 C:\WINNT\system32\SAMLIB.DLL
75170000 04F000 5.00.2195.6601 C:\WINNT\system32\NETAPI32.DLL
7C340000 00F000 5.00.2195.6695 C:\WINNT\system32\SECUR32.DLL
751C0000 006000 5.00.2134.0001 C:\WINNT\system32\NETRAP.DLL
77950000 02A000 5.00.2195.6666 C:\WINNT\system32\WLDAP32.DLL
77980000 024000 5.00.2195.6680 C:\WINNT\system32\DNSAPI.DLL
779B0000 09B000 2.40.4522.0000 C:\WINNT\system32\OLEAUT32.DLL
773B0000 02F000 5.00.2195.6601 C:\WINNT\system32\ACTIVEDS.DLL
77380000 023000 5.00.2195.6701 C:\WINNT\system32\ADSLDPC.DLL
77830000 00E000 5.00.2168.0001 C:\WINNT\system32\RTUTILS.DLL
77880000 08E000 5.00.2195.6622 C:\WINNT\system32\SETUPAPI.DLL
7C0F0000 062000 5.00.2195.6711 C:\WINNT\system32\USERENV.DLL
774E0000 033000 5.00.2195.6625 C:\WINNT\system32\RASAPI32.DLL
774C0000 011000 5.00.2195.6604 C:\WINNT\system32\RASMAN.DLL
77530000 022000 5.00.2195.6664 C:\WINNT\system32\TAPI32.DLL
77360000 019000 5.00.2195.6685 C:\WINNT\system32\DHCPCSVC.DLL
77820000 007000 5.00.2195.6623 C:\WINNT\system32\VERSION.dll
759B0000 006000 5.00.2195.6611 C:\WINNT\system32\LZ32.DLL
775A0000 086000 2000.02.3504.0000 C:\WINNT\system32\CLBCATQ.DLL
77840000 03E000 5.00.2195.6705 C:\WINNT\system32\cscui.dll
770C0000 023000 5.00.2195.6713 C:\WINNT\system32\CSCDLL.DLL
72A00000 02D000 5.00.2195.6613 C:\WINNT\system32\DBGHELP.DLL

If you have any suggestions as to what I can do now, please let me know.
In the meantime, I will try again with the scan in safe mode.

Cheers,

BV

Attached: taskmgr_screen_shot.jpg

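The ewido.err report above is a structured crash dump: exception code, faulting address, a call stack whose "Logical addr" column gives section:offset inside the owning image, and the loaded-module table with each module's base and size. As an added example, not ewido's code and not part of the post, this Python parser resolves each stack address against the module table, the way a debugger's module list does, and checks that the resulting module offset agrees with the logical address. That check assumes the first PE section is mapped at RVA 0x1000 (the usual layout; the report does not state it). SAMPLE is an excerpt of the first report above; everything else is this example's own.

```python
"""Parse an ewido.err crash report and map each call-stack address to the
module that contains it.  Added example, not ewido's code and not part of
any post.  SAMPLE is an excerpt of the first report quoted above."""
import re
from collections import namedtuple

Module = namedtuple("Module", "base size version path")
Frame = namedtuple("Frame", "address module offset logical")
Report = namedtuple("Report", "exception_code exception_name fault_address modules frames")

STACK_ROW = re.compile(r"^([0-9A-F]{8}) [0-9A-F]{8}(?: [0-9A-F]{8}){4} (\S+)")
MODULE_ROW = re.compile(r"^([0-9A-F]{8}) ([0-9A-F]{6}) (\S+) (.*)$")

SAMPLE = r"""//==<ewido anti-spyware 4.0>===================================
Exception code: C0000005 ACCESS_VIOLATION
Fault address: 00426DD6 01:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
Exception Date: 07/03/2006 19:55:24

Intel specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Logical addr Module
00426DD6 0012E38C 00013572 0012E3B8 00000000 01370C28 0001:00025DD6 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
00427B42 0012E3D4 0012E990 00000001 00030088 50000000 0001:00026B42 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
004280DA 0012E468 0012E5F4 77E14222 00030064 00000005 0001:000270DA C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77E14925 0012E488 00030064 00000005 00000000 014402C4 0001:00003925 C:\WINNT\system32\USER32.DLL

ImageHelp specific method

Call stack:
Address Frame Param 0 Param 1 Param 2 Param 3 Symbol/Logical address
77E14925 0012E488 00030064 00000005 00000000 014402C4 GetDC+10C

Loaded Modules:
Base Size Module
00400000 609000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\ewido.exe
77F80000 07B000 5.00.2195.6685 C:\WINNT\system32\ntdll.dll
7C4E0000 0B9000 5.00.2195.6688 C:\WINNT\system32\KERNEL32.DLL
10000000 0E3000 4.00.0000.0172 C:\Program Files\ewido anti-spyware 4.0\engine.dll
77E10000 065000 5.00.2195.6688 C:\WINNT\system32\USER32.DLL
"""


def resolve(address, modules):
    """Return the module whose [base, base + size) range holds address."""
    for m in modules:
        if m.base <= address < m.base + m.size:
            return Frame(address, m.path.rsplit("\\", 1)[-1], address - m.base, None)
    return Frame(address, None, None, None)


def logical_to_rva(logical, first_section_rva=0x1000):
    """'0001:00025DD6' is section:offset.  Assumes section 1 is mapped at
    RVA 0x1000 (usual PE layout; not stated in the report)."""
    section, offset = logical.split(":")
    if int(section, 16) != 1:
        raise ValueError("this example only handles addresses in section 1")
    return int(offset, 16) + first_section_rva


def parse_report(text):
    # An .err file may hold several dumps back to back; take the first one.
    text = [c for c in text.split("//==<") if c.strip()][0]
    code, name = re.search(r"Exception code: ([0-9A-F]{8}) (\S+)", text).groups()
    fault = int(re.search(r"Fault address: ([0-9A-F]{8})", text).group(1), 16)
    modules, rows, section = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Call stack:":
            section = "stack" if not rows else None    # Intel block only
        elif line == "Loaded Modules:":
            section = "modules"
        elif not line:
            section = None
        elif section == "stack" and STACK_ROW.match(line):
            rows.append(STACK_ROW.match(line).groups())
        elif section == "modules" and MODULE_ROW.match(line):
            base, size, version, path = MODULE_ROW.match(line).groups()
            modules.append(Module(int(base, 16), int(size, 16), version, path))
    frames = [resolve(int(addr, 16), modules)._replace(logical=logical)
              for addr, logical in rows]
    return Report(int(code, 16), name, fault, modules, frames)


def check_frames(report):
    """One bool per frame: module offset agrees with the logical address."""
    return [f.module is not None and f.offset == logical_to_rva(f.logical)
            for f in report.frames]


if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(f"{r.exception_name} ({r.exception_code:08X}) in "
          f"{resolve(r.fault_address, r.modules).module}")
    for f, ok in zip(r.frames, check_frames(r)):
        print(f"{f.address:08X} {f.module:<12} +{f.offset:06X} {f.logical} "
              f"{'ok' if ok else '??'}")
```

On the excerpt every frame resolves and every offset agrees with its logical address: the top three frames land in ewido.exe at +0x26DD6, +0x27B42 and +0x280DA, and the caller in USER32.DLL at +0x4925, which the report's own ImageHelp pass names GetDC+10C. The access violation is therefore in ewido's own code, reached from a USER32 call, rather than in a system DLL; the same parser applies unchanged to the second dump in the file.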

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Try running Ewido again. Do it in Normal Mode if it's still giving you problems. Or, end the process in Task Manager and try running it manually again by double clicking on the icon.

Please print the below instructions or copy them to Notepad.

Download KillBox http://www.greyknigh...spy/KillBox.exe.

Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingc...showtutorial=61 ). Make sure to close any internet browsers that may still be open.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\SERVICES.EXE


Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINNT\SERVICES.EXE

If you get a PendingOperations message, just close it and restart your computer manually.


Restart. Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply along with a new HijackThis log.

#5 BlackVinyl (Topic Starter, Member, 46 posts)
Hi there,
OK let's see. I booted up my PC so I can go online, see your response and save as txt file.
During the PC boot, that cmd window opened up and I closed it immediately as I always do.
About a minute later, ewido alerted me to an infected file in c:\winnt\services and I clicked on the recommended action 'clean and quarantine'.
Then I followed your instructions.
Couldn't start ewido in safe mode, same problem.
Ran HijackThis, ticked those 2 suggested items and clicked on Fix Checked!
Then, Killbox gave me that PendingOperations msg.

Then I rebooted into normal mode and realised that the cmd window no longer appeared, so it seems ewido did something worthwhile. Maybe this software is worth buying if it picks up on things that other AV progs don't.

Anyway, here are the 2 scan logs you requested...what now?
Please note that the Hijackthis log was saved before I ticked the two items suggested and clicked Fix Checked!
If I ran another scan and log now it probably wouldn't show those two entries (in red).

Logfile of HijackThis v1.99.1
Scan saved at 10:58:28 PM, on 4/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
D:\Virus Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\SERVICES.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Anvshell] C:\WINNT\Anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.street-directory.com.au
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


PANDA

Incident Status Location

Adware:adware/secure32 Not disinfected c:\winnt\secure32.html
Adware:adware/cws.searchmeup Not disinfected c:\winnt\toolbar.exe
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-481293e4-2680bc99.zip[NewSecurityClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-481293e4-2680bc99.zip[NewURLClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv661.jar-897c2ff-14d24fa3.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv732.jar-74d208d8-7d975f22.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv732.jar-74d208d8-7d975f22.zip[Dummy.class]
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitfraud.exe[Process.exe]

Now where to?
Cheers

BV

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
There's no point giving us the log before the fix. You gave that to us in your original topic already. Please give us the NEW log only after you did the fixes and it should be from Normal Mode.

Print out or copy this page to Notepad. Make sure to work through the fixes in the exact order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.
If you have Java 1.5, do this instead. Start->Control Panel->Java->Settings->Delete Files and click OK and OK.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

If running CleanUp! for the first time, it will ask you if you want to run it in Demo Mode. Don't run it in Demo mode...we want to do the actual cleanup now. CleanUp! deletes EVERYTHING out of your temp/temporary folders. It will also delete the cookie files. It does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Run CleanUp! and click on the CleanUp! button. Let it run. After it's done, click the Close button and choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\SERVICES.EXE


Delete these:

c:\winnt\secure32.html
c:\winnt\toolbar.exe
C:\WINNT\SERVICES.EXE


Run the smitRem.exe tool you downloaded earlier. There should be a folder called smitrem created on your desktop. Open it and double click on the RunThis file. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Post that log along with all others requested in your next reply.

Make sure all windows are closed. Run Ewido.
Click 'Scanner'. Then click 'Complete System Scan' to begin scanning.
When the scan is complete click 'Recommended Action' and change it to 'Quarantine'.
Then click 'Apply all actions'.
Once finished, click the 'Save report' button. Then click 'Save Report As' and save it to your desktop.

Right click on your desktop and go to Properties. Then go to the Desktop tab and click on Customize Desktop. Go to the Web tab and delete everything there except My Current Home Page (which should be unchecked). Click OK.

Restart your computer to get back to Normal Mode and run another Panda scan.

Then post the Panda log here along with the logs for smitfiles.txt and a new HijackThis log.

See if you can run Ewido now.

#7 BlackVinyl (Topic Starter, Member, 46 posts)
Hi,
As a matter of interest, I did as you requested which is why that hijack log in the previous post didn't show those 2 entries as deleted.

Never mind, as I guessed with the latest log it seems to have removed them.
Anyway, here are all the logs you requested...and I did them in the order you requested.

FYI, I still cannot run ewido in safe mode. Not sure what the issue is there.

Here are the logs...

PANDA

Incident Status Location

Adware:adware/cws.searchmeup Not disinfected c:\winnt\uniq
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitfraud.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitRem.exe[smitRem/Process.exe]
EWIDO

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:30:17 PM 8/07/2006

+ Scan result:



Nothing found.



::Report end


SMITREM


smitRem © log file
version 3.0

by noahdfear


Microsoft Windows 2000 [Version 5.00.2195]
"IE"="6.0000"
The current date is: Sat 08/07/2006
The current time is: 20:08:01.25

Running from
C:\Documents and Settings\Administrator\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

amcompat.tlb
nscompat.tlb


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 484 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :whistling:


HIJACK

Logfile of HijackThis v1.99.1
Scan saved at 10:32:38 PM, on 8/07/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\Anvshell.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
D:\Virus Stuff\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Anvshell] C:\WINNT\Anvshell.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - Global Startup: gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.street-directory.com.au
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Service (NISSERV) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Internet Security Proxy Service (SymProxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Out of curiosity, do you know why there are 3 instances of C:\WINNT\System32\svchost.exe running?

OK, now what?

Cheers,

BV

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, that's normal. In a lot of cases, there may be 4 or 5 svchost.exe processes running. It's commonly used...

Delete this folder:

c:\winnt\uniq

Restart and run Panda again. Is anything else still found besides SmitfraudFix files? If not, then:

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
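The two things the helper checked by eye in this thread, the F2 UserInit line that chains a second executable after userinit.exe and the number and location of svchost.exe processes (several copies inside system32 are normal, as post #8 says), can be turned into a small defender-side triage script over a HijackThis log. This is an added example, not code from the thread or from HijackThis. The sample log is constructed from lines in the shape of the logs posted above; the `C:\WINNT\svchost.exe` process is an assumed entry added to show what a hit outside system32 looks like, and `SYSTEM32_DIRS` is an assumption covering the Windows 2000 (WINNT) and XP (WINDOWS) layouts.

```python
"""Triage checks over a HijackThis v1.99.1 log (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample log in the shape of the logs posted in the thread, with the
# F2 UserInit line the helper asked to fix.  The C:\WINNT\svchost.exe process
# is an assumption added here to demonstrate a hit outside system32.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\svchost.exe
C:\WINNT\Explorer.EXE

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,,C:\WINNT\SERVICES.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
"""

# Assumed system folder locations for Windows 2000 (WINNT) and XP (WINDOWS).
SYSTEM32_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}


def parse_log(text: str) -> Dict[str, List[str]]:
    """Split a HijackThis log into the 'Running processes' block (key
    'processes') and the tagged entries (R0, F2, O4, O23 ...) keyed by tag."""
    processes: List[str] = []
    entries: Dict[str, List[str]] = {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line)
        if m:
            entries.setdefault(m.group(1), []).append(m.group(2))
    entries["processes"] = processes
    return entries


def userinit_extras(entries: Dict[str, List[str]]) -> List[str]:
    """Executables chained after userinit.exe in an F2 UserInit entry.
    Winlogon starts every comma-separated item, so anything beyond
    userinit.exe is a persistence hook worth removing."""
    extras: List[str] = []
    for body in entries.get("F2", []):
        m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            if item and not item.lower().endswith("\\userinit.exe"):
                extras.append(item)
    return extras


def svchost_report(entries: Dict[str, List[str]]) -> Tuple[int, List[str]]:
    """Count svchost.exe processes and return those outside system32.
    Multiple instances inside system32 are expected on Windows 2000/XP."""
    total = 0
    outside: List[str] = []
    for path in entries.get("processes", []):
        directory, _, name = path.rpartition("\\")
        if name.lower() != "svchost.exe":
            continue
        total += 1
        if directory.lower() not in SYSTEM32_DIRS:
            outside.append(path)
    return total, outside


def unknown_owner_services(entries: Dict[str, List[str]]) -> List[str]:
    """O23 services HijackThis could not attribute to a vendor; review, not verdict."""
    return [s for s in entries.get("O23", []) if "Unknown owner" in s]


def triage(text: str) -> Dict[str, object]:
    """Run all checks and return one summary dictionary."""
    entries = parse_log(text)
    count, outside = svchost_report(entries)
    return {
        "userinit_extras": userinit_extras(entries),
        "svchost_count": count,
        "svchost_outside_system32": outside,
        "unknown_owner_services": unknown_owner_services(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Running it against the constructed log reports `C:\WINNT\SERVICES.EXE` as the UserInit extra (the entry fixed in this thread), four svchost.exe processes of which only the assumed `C:\WINNT\svchost.exe` sits outside system32, and the one service with an unknown owner for manual review.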

#9 BlackVinyl (Member, Topic Starter, 46 posts)
OK, deleted that file and completed another scan.
Here's the result...


Incident Status Location

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitfraud.exe[Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected D:\Virus Stuff\smitRem.exe[smitRem/Process.exe]

Other than this, everything else looks fine.
What should I do about the result?

Cheers,

BV

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
It's just a cookie file. You may delete it. It will most likely return when you visit other sites with ads in them. Just clean out your cookie files regularly. Nothing to worry about. Use CleanUp that you downloaded earlier to do this if you want.

#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.