Trojan Horse Downloader.Agent [RESOLVED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

Trojan Horse Downloader.Agent [RESOLVED]

Options

honkin View Member Profile	Nov 14 2005, 04:52 PM Post #1
New Member Posts: 7 OS: XP SP2	Hi I originally had the Trojan Startpage.19.AO and posted a topic on that, but used the advice found in this forum and it appears to be gone. Ran Cleanup, Ad-aware SE, CWShredder, Spybot, Ewido, Trojan Hunter, AVG. Startpage appears to be gone and now be replaced by Downlaoder.Agent. I have spent hours on this and am getting frustrated. Now when I just rebooted from Safe Mode, AVG says I have Trojan Horse Downloader.Agent.AQU, though the last letter changes occasionally - it was AQW 5 minutes ago. Every 30 seconds a new warning comes from AVG with a new filename indicated. They are all located in the c:\Windows folder - eg: c:\Windows\msmm32.dll Here is my Hijack This log. Logfile of HijackThis v1.99.1 Scan saved at 9:23:48 AM, on 15/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\atlwe32.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe e:\Program Files\ewido\security suite\ewidoctrl.exe e:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\alg.exe E:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe E:\Program Files\Winamp\winampa.exe C:\NOSPY.ORG\start1.exe C:\WINDOWS\ierp32.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe E:\Program Files\PeerGuardian2\pg2.exe E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe E:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe E:\Program Files\WinZip\WZQKPICK.EXE E:\Program Files\SpamBayes\bin\sb_tray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE e:\Program Files\Real\RealPlayer\RealPlay.exe F:\FTPRoot\usr\Zip Files\Virus Trojan Spyware etc\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au R3 - Default URLSearchHook is missing O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Class - {0FC10DA6-621C-EEAE-0E43-CB4CCFC5B848} - C:\WINDOWS\system32\winpg.dll (file missing) O2 - BHO: Class - {137FBD76-C94E-29D8-CB88-FB29E07E3C8E} - C:\WINDOWS\system32\crca32.dll (file missing) O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntmx32.dll (file missing) O2 - BHO: Class - {14CE5B7A-6546-0088-A736-F486C8A0A93F} - C:\WINDOWS\msek32.dll (file missing) O2 - BHO: Class - {19AA31BF-1750-E89C-CB6E-11F9A6477CE9} - C:\WINDOWS\system32\d3ki32.dll (file missing) O2 - BHO: Class - {262B7B86-55DB-32CD-522E-D1E8CDEC3BFE} - C:\WINDOWS\system32\netjt32.dll (file missing) O2 - BHO: Class - {2D86D49A-0E10-CAE7-291B-D83BA5AD0087} - C:\WINDOWS\ntyh.dll (file missing) O2 - BHO: Class - {30938316-DC58-DA9C-B4D3-C652FBD3DBEF} - C:\WINDOWS\addab.dll (file missing) O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file) O2 - BHO: Class - {4CB9FE89-C678-F47B-2F95-B7988A0FC10D} - C:\WINDOWS\system32\netra.dll (file missing) O2 - BHO: Class - {4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} - C:\WINDOWS\ieyg32.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Class - {568F19C5-53C8-85F1-FD40-5AC40D3DE0DA} - C:\WINDOWS\system32\javagd.dll (file missing) O2 - BHO: Class - {5899D6C8-2875-45AF-8736-13BE0C3BA5EC} - C:\WINDOWS\system32\addlo32.dll (file missing) O2 - BHO: Class - {6C7405AE-7CE7-A0CE-827C-F77DFA449D8D} - C:\WINDOWS\system32\appua32.dll (file missing) O2 - BHO: Class - {78545376-8241-C7E5-C71F-6A2E42322ADF} - C:\WINDOWS\system32\netpa.dll (file missing) O2 - BHO: Class - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\nethx32.dll (file missing) O2 - BHO: Class - {7B315180-F3AA-843E-BFD5-2B630CDC0D67} - C:\WINDOWS\netev32.dll (file missing) O2 - BHO: Class - {7D80F0E3-D853-E15E-FD62-366068538F6E} - C:\WINDOWS\system32\ieqn32.dll (file missing) O2 - BHO: Class - {7E678766-5C45-3E67-EFD2-B3449A8C2A69} - C:\WINDOWS\winnk.dll (file missing) O2 - BHO: Class - {85D798A6-2F83-A50C-5B26-F3BCDD880ABD} - C:\WINDOWS\crih.dll (file missing) O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netei32.dll (file missing) O2 - BHO: Class - {A4C18C6B-56A7-927D-630C-D7557B18963E} - C:\WINDOWS\system32\mstl.dll (file missing) O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Class - {AF02D6F5-E10D-4B29-B7AB-E057280C0CDC} - C:\WINDOWS\system32\d3gh.dll (file missing) O2 - BHO: Class - {B1226024-595B-F768-1697-EFEE2A97E5C8} - C:\WINDOWS\system32\sysmk.dll (file missing) O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\javafz.dll (file missing) O2 - BHO: Class - {C012ED91-D21E-BC95-430B-8D4A44A3BDA5} - C:\WINDOWS\system32\ipyu.dll (file missing) O2 - BHO: Class - {C3AAEC67-F763-AFDD-7B89-B292B7DC615D} - C:\WINDOWS\system32\netaq32.dll (file missing) O2 - BHO: Class - {C4790940-96EC-3F25-4A2F-F6BF035B6FD5} - C:\WINDOWS\system32\sysep.dll (file missing) O2 - BHO: (no name) - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file) O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll (file missing) O2 - BHO: Class - {D883F4CC-A8EE-9040-1995-5458D21F8391} - C:\WINDOWS\system32\netnu32.dll (file missing) O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkxr.dll (file missing) O2 - BHO: Class - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\ienw32.dll (file missing) O2 - BHO: Class - {F0D80D9E-EC18-2B52-399F-E70AEDFC8E18} - C:\WINDOWS\winef32.dll (file missing) O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll (file missing) O2 - BHO: Class - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkga32.dll (file missing) O2 - BHO: Class - {F7C42564-EA95-5F04-2382-4C97CB847F28} - C:\WINDOWS\sdkgz32.dll (file missing) O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll (file missing) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe O4 - HKLM\..\Run: [d3zn32.exe] C:\WINDOWS\d3zn32.exe O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe O4 - HKLM\..\Run: [winsj.exe] C:\WINDOWS\system32\winsj.exe O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131673724281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O23 - Service: Remote Procedure Call (RPC) Helper ( 11F咪#泛闹`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing) O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Trevuren View Member Profile	Nov 14 2005, 10:36 PM Post #2
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Hi honkin and welcome to the Geeks to Go Forums. My name is Trevuren and I will be helping you with your log. You have a serious About Blank infection which will require a bit of work on both our parts to completely eradicate. 1. Please DELETE your current HJT program from its present location. 2. Download and run the following HijackThis autoinstall program from Here . Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process! Run HijackThis Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy') POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste') DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER Regards, Trevuren This post has been edited by Trevuren: Nov 14 2005, 10:37 PM

honkin View Member Profile	Nov 14 2005, 11:41 PM Post #3
New Member Posts: 7 OS: XP SP2	Cheers Trevuren. Glad to get some help as I have been pulling my hair out. Yes, it started as about:blank just changing my homepage and giving me warnings in AVG, but I have a program stopping my homepage from being changed. It is called Startpage Spyware Removal Tool for IE. Doesn't really seem to remove anything, though. Just locks the homepage. After that the Startpage was being detected by AVG, until only a couple of days ago when it started warning of the Downloader.Agent. Incidentally, Hijack This was always running in a separate folder, on the F: drive. Should have been working fine. I just don't install any programs on my C: drive. It is partitioned as an OS partition only. Most proggies are on the E: drive. Have now installed it on the C: drive as per your request, though. I don't know if this helps at all, but there are also 3 entries in Add/Remove Programs which I have tried to remove for quite a while. One is Home Search Assitant, which sends me to a website when I try to uninstall it. Needless to say it does not uninstall. Another is Shopping Wizard, which takes me to the same website and the last one is called Search Extender which does the same thing. Don't know if they are part of the same problem, but worth telling you. Also, a security log in Sygate tells me of a persistent file - C:\Windows\ierp32.exe which keeps attempting to use IE to do something relating to u47.cc - which I think is a known virus. I have it blocked, but would love to have it gone. Here is the new log: Logfile of HijackThis v1.99.1 Scan saved at 4:23:37 PM, on 15/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\atlwe32.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe e:\Program Files\ewido\security suite\ewidoctrl.exe e:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\alg.exe E:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe E:\Program Files\Winamp\winampa.exe C:\NOSPY.ORG\start1.exe C:\WINDOWS\ierp32.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe E:\Program Files\PeerGuardian2\pg2.exe E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe E:\Program Files\Nikon\NkView6\NkvMon.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe E:\Program Files\WinZip\WZQKPICK.EXE E:\Program Files\SpamBayes\bin\sb_tray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\WISPTIS.EXE C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au R3 - Default URLSearchHook is missing O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Class - {0FC10DA6-621C-EEAE-0E43-CB4CCFC5B848} - C:\WINDOWS\system32\winpg.dll (file missing) O2 - BHO: Class - {137FBD76-C94E-29D8-CB88-FB29E07E3C8E} - C:\WINDOWS\system32\crca32.dll (file missing) O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntmx32.dll (file missing) O2 - BHO: Class - {14CE5B7A-6546-0088-A736-F486C8A0A93F} - C:\WINDOWS\msek32.dll (file missing) O2 - BHO: Class - {19AA31BF-1750-E89C-CB6E-11F9A6477CE9} - C:\WINDOWS\system32\d3ki32.dll (file missing) O2 - BHO: Class - {262B7B86-55DB-32CD-522E-D1E8CDEC3BFE} - C:\WINDOWS\system32\netjt32.dll (file missing) O2 - BHO: Class - {2D86D49A-0E10-CAE7-291B-D83BA5AD0087} - C:\WINDOWS\ntyh.dll (file missing) O2 - BHO: Class - {30938316-DC58-DA9C-B4D3-C652FBD3DBEF} - C:\WINDOWS\addab.dll (file missing) O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file) O2 - BHO: Class - {4CB9FE89-C678-F47B-2F95-B7988A0FC10D} - C:\WINDOWS\system32\netra.dll (file missing) O2 - BHO: Class - {4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} - C:\WINDOWS\ieyg32.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Class - {568F19C5-53C8-85F1-FD40-5AC40D3DE0DA} - C:\WINDOWS\system32\javagd.dll (file missing) O2 - BHO: Class - {5899D6C8-2875-45AF-8736-13BE0C3BA5EC} - C:\WINDOWS\system32\addlo32.dll (file missing) O2 - BHO: Class - {6C7405AE-7CE7-A0CE-827C-F77DFA449D8D} - C:\WINDOWS\system32\appua32.dll (file missing) O2 - BHO: Class - {78545376-8241-C7E5-C71F-6A2E42322ADF} - C:\WINDOWS\system32\netpa.dll (file missing) O2 - BHO: Class - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\nethx32.dll (file missing) O2 - BHO: Class - {7B315180-F3AA-843E-BFD5-2B630CDC0D67} - C:\WINDOWS\netev32.dll (file missing) O2 - BHO: Class - {7D80F0E3-D853-E15E-FD62-366068538F6E} - C:\WINDOWS\system32\ieqn32.dll (file missing) O2 - BHO: Class - {7E678766-5C45-3E67-EFD2-B3449A8C2A69} - C:\WINDOWS\winnk.dll (file missing) O2 - BHO: Class - {85D798A6-2F83-A50C-5B26-F3BCDD880ABD} - C:\WINDOWS\crih.dll (file missing) O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netei32.dll (file missing) O2 - BHO: Class - {A4C18C6B-56A7-927D-630C-D7557B18963E} - C:\WINDOWS\system32\mstl.dll (file missing) O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Class - {AF02D6F5-E10D-4B29-B7AB-E057280C0CDC} - C:\WINDOWS\system32\d3gh.dll (file missing) O2 - BHO: Class - {B1226024-595B-F768-1697-EFEE2A97E5C8} - C:\WINDOWS\system32\sysmk.dll (file missing) O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\javafz.dll (file missing) O2 - BHO: Class - {C012ED91-D21E-BC95-430B-8D4A44A3BDA5} - C:\WINDOWS\system32\ipyu.dll (file missing) O2 - BHO: Class - {C3AAEC67-F763-AFDD-7B89-B292B7DC615D} - C:\WINDOWS\system32\netaq32.dll (file missing) O2 - BHO: Class - {C4790940-96EC-3F25-4A2F-F6BF035B6FD5} - C:\WINDOWS\system32\sysep.dll (file missing) O2 - BHO: (no name) - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file) O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll (file missing) O2 - BHO: Class - {D883F4CC-A8EE-9040-1995-5458D21F8391} - C:\WINDOWS\system32\netnu32.dll (file missing) O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkxr.dll (file missing) O2 - BHO: Class - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\ienw32.dll (file missing) O2 - BHO: Class - {F0D80D9E-EC18-2B52-399F-E70AEDFC8E18} - C:\WINDOWS\winef32.dll (file missing) O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll (file missing) O2 - BHO: Class - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkga32.dll (file missing) O2 - BHO: Class - {F7C42564-EA95-5F04-2382-4C97CB847F28} - C:\WINDOWS\sdkgz32.dll (file missing) O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll (file missing) O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe O4 - HKLM\..\Run: [d3zn32.exe] C:\WINDOWS\d3zn32.exe O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe O4 - HKLM\..\Run: [winsj.exe] C:\WINDOWS\system32\winsj.exe O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131673724281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O23 - Service: Remote Procedure Call (RPC) Helper ( 11F咪#泛闹`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing) O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Trevuren View Member Profile	Nov 15 2005, 12:26 AM Post #4
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Your system is infected with a variant of the About:Blank infection. 1. First we must STOP, and Disable a bad Added Service Click Start>Run and type in: services.msc Click OK In the Services window find: Remote Procedure Call (RPC) Helper Select/highlight and right click the entry, and choose: Properties On the General tab, under Service Status click the Stop button Beside: Startup Type, in the drop menu, select: Disabled Click Apply, then OK 2. Download CWShredder Click check for updates. Do not use it yet. 3. Download Aboutbuster 5 Create a new folder on your desktop and call it AB Extract [ALL] the files from the AboutBuster.zip file into this new Folder Click on Updates to ensure you are working with the most current version Do not use it yet. 4. Download: HomeSearchfix. Unzip it to your desktop. Do not use it yet. *Take care: some files can be hidden, so first go to start > control panel > folder options > view (tab) > mark 搒how hidden files en extensions >OK* Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!! 5. Reboot your system into safe mode for all OS 6. Close all windows and open HijackThis. Click "scan only� in the main window Put a checkmark beside the following entries and click �FIX checked�. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R3 - Default URLSearchHook is missing O2 - BHO: Class - {02D4A6D4-9A5A-9DD8-7DD4-5C2F02AD2717} - C:\WINDOWS\system32\ntsv32.dll (file missing) O2 - BHO: Class - {0FC10DA6-621C-EEAE-0E43-CB4CCFC5B848} - C:\WINDOWS\system32\winpg.dll (file missing) O2 - BHO: Class - {137FBD76-C94E-29D8-CB88-FB29E07E3C8E} - C:\WINDOWS\system32\crca32.dll (file missing) O2 - BHO: Class - {14B627E8-FA46-6393-8D1A-01478E0D9C0A} - C:\WINDOWS\ntmx32.dll (file missing) O2 - BHO: Class - {14CE5B7A-6546-0088-A736-F486C8A0A93F} - C:\WINDOWS\msek32.dll (file missing) O2 - BHO: Class - {19AA31BF-1750-E89C-CB6E-11F9A6477CE9} - C:\WINDOWS\system32\d3ki32.dll (file missing) O2 - BHO: Class - {262B7B86-55DB-32CD-522E-D1E8CDEC3BFE} - C:\WINDOWS\system32\netjt32.dll (file missing) O2 - BHO: Class - {2D86D49A-0E10-CAE7-291B-D83BA5AD0087} - C:\WINDOWS\ntyh.dll (file missing) O2 - BHO: Class - {30938316-DC58-DA9C-B4D3-C652FBD3DBEF} - C:\WINDOWS\addab.dll (file missing) O2 - BHO: (no name) - {3DEE124E-EBB2-00C2-E596-DBCA1510C177} - (no file) O2 - BHO: Class - {4D1C7E59-FDEE-E7E8-D0E4-2CA28A50B796} - C:\WINDOWS\ieyg32.dll (file missing) O2 - BHO: Class - {568F19C5-53C8-85F1-FD40-5AC40D3DE0DA} - C:\WINDOWS\system32\javagd.dll (file missing) O2 - BHO: Class - {5899D6C8-2875-45AF-8736-13BE0C3BA5EC} - C:\WINDOWS\system32\addlo32.dll (file missing) O2 - BHO: Class - {6C7405AE-7CE7-A0CE-827C-F77DFA449D8D} - C:\WINDOWS\system32\appua32.dll (file missing) O2 - BHO: Class - {78545376-8241-C7E5-C71F-6A2E42322ADF} - C:\WINDOWS\system32\netpa.dll (file missing) O2 - BHO: Class - {7A00499E-BCBB-B127-9B94-C5DF5086E096} - C:\WINDOWS\nethx32.dll (file missing) O2 - BHO: Class - {7B315180-F3AA-843E-BFD5-2B630CDC0D67} - C:\WINDOWS\netev32.dll (file missing) O2 - BHO: Class - {7D80F0E3-D853-E15E-FD62-366068538F6E} - C:\WINDOWS\system32\ieqn32.dll (file missing) O2 - BHO: Class - {7E678766-5C45-3E67-EFD2-B3449A8C2A69} - C:\WINDOWS\winnk.dll (file missing) O2 - BHO: Class - {85D798A6-2F83-A50C-5B26-F3BCDD880ABD} - C:\WINDOWS\crih.dll (file missing) O2 - BHO: Class - {A010DBE2-CC3D-9634-88DD-0AC37058D49B} - C:\WINDOWS\system32\netei32.dll (file missing) O2 - BHO: Class - {A4C18C6B-56A7-927D-630C-D7557B18963E} - C:\WINDOWS\system32\mstl.dll (file missing) O2 - BHO: Class - {AF02D6F5-E10D-4B29-B7AB-E057280C0CDC} - C:\WINDOWS\system32\d3gh.dll (file missing) O2 - BHO: Class - {B1226024-595B-F768-1697-EFEE2A97E5C8} - C:\WINDOWS\system32\sysmk.dll (file missing) O2 - BHO: Class - {B990B770-D62A-B542-EDA6-516033B76258} - C:\WINDOWS\javafz.dll (file missing) O2 - BHO: Class - {C012ED91-D21E-BC95-430B-8D4A44A3BDA5} - C:\WINDOWS\system32\ipyu.dll (file missing) O2 - BHO: Class - {C3AAEC67-F763-AFDD-7B89-B292B7DC615D} - C:\WINDOWS\system32\netaq32.dll (file missing) O2 - BHO: Class - {C4790940-96EC-3F25-4A2F-F6BF035B6FD5} - C:\WINDOWS\system32\sysep.dll (file missing) O2 - BHO: (no name) - {C8004A51-B1C6-2B52-CE97-BA80D6D6C5DB} - (no file) O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll (file missing) O2 - BHO: Class - {D883F4CC-A8EE-9040-1995-5458D21F8391} - C:\WINDOWS\system32\netnu32.dll (file missing) O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkxr.dll (file missing) O2 - BHO: Class - {E3BB58FA-9E29-5453-8515-DD85FF9C16C7} - C:\WINDOWS\system32\ienw32.dll (file missing) O2 - BHO: Class - {F0D80D9E-EC18-2B52-399F-E70AEDFC8E18} - C:\WINDOWS\winef32.dll (file missing) O2 - BHO: Class - {F3264A95-EA02-5435-7C3B-CC1A6BECFC5B} - C:\WINDOWS\atlog.dll (file missing) O2 - BHO: Class - {F3DF3C5A-2566-083E-2CA1-07FE7B5682F8} - C:\WINDOWS\system32\sdkga32.dll (file missing) O2 - BHO: Class - {F7C42564-EA95-5F04-2382-4C97CB847F28} - C:\WINDOWS\sdkgz32.dll (file missing) O2 - BHO: Class - {FE13BDB7-4403-0563-A91B-7E8970E72CF7} - C:\WINDOWS\system32\ipsf32.dll (file missing) O4 - HKLM\..\Run: [mswc.exe] C:\WINDOWS\system32\mswc.exe O4 - HKLM\..\Run: [mslb32.exe] C:\WINDOWS\system32\mslb32.exe O4 - HKLM\..\Run: [d3zn32.exe] C:\WINDOWS\d3zn32.exe O4 - HKLM\..\Run: [winsj.exe] C:\WINDOWS\system32\winsj.exe O4 - HKLM\..\Run: [ierp32.exe] C:\WINDOWS\ierp32.exe O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe O23 - Service: Remote Procedure Call (RPC) Helper ( 11F咪#泛闹`I) - Unknown owner - C:\WINDOWS\atlwe32.exe" /s (file missing) 7. Run CWShredder and choose FIX 8. Start AboutBuster and press START, and then OK. The program will start scanning. Please keep the About Buster log and post it in your next reply. 9. Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES. 10. REBOOT your Sytem into Safe Mode How to use the F8 method to Start Your Computer in Safe Mode Restart the computer. as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears. Use the arrow keys to select the Safe mode menu item press Enter. 11. Using Windows Explorer, please DELETE the following Files/Folders - and all their content- (if they are still present): C:\WINDOWS\atlwe32.exe C:\WINDOWS\ierp32.exe C:\WINDOWS\system32\dgugf.dll C:\WINDOWS\system32\mswc.exe C:\WINDOWS\system32\mslb32.exe C:\WINDOWS\d3zn32.exe C:\WINDOWS\system32\winsj.exe C:\WINDOWS\supervisor.exe 12. Start AboutBuster AGAIN and scan AGAIN. 13. Clean temporary files: Go > start > run and type cleanmgr and OK Scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked. Click OK to remove those files. Click Yes to confirm deletion. 14. Reboot your system into normal mode. 15.Download Ewido scan Check for updates. Let it do a full run. Copy the log. Past it to a blank Notepad file and save it to post here. 16. Finally, run HijackThis, click SCAN, produce a LOG and POST it, the EWIDOscan log, and the About Buster log in this thread for review. Regards, Trevuren

honkin View Member Profile	Nov 15 2005, 07:17 PM Post #5
New Member Posts: 7 OS: XP SP2	OK, some of the entries indicated were not there when I booted into safe mode. When I finally booted back to normal mode, AVG kept bringing up trojan messages. Here are the logs you requested. Cheers Logfile of HijackThis v1.99.1 Scan saved at 12:11:34 PM, on 16/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe e:\Program Files\ewido\security suite\ewidoctrl.exe e:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\alg.exe E:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe E:\Program Files\Winamp\winampa.exe C:\NOSPY.ORG\start1.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe C:\Program Files\Messenger\msmsgs.exe E:\Program Files\PeerGuardian2\pg2.exe E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe E:\Program Files\Nikon\NkView6\NkvMon.exe E:\Program Files\WinZip\WZQKPICK.EXE E:\Program Files\SpamBayes\bin\sb_tray.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131673724281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 12:10:39 PM, 16/11/2005 + Report-Checksum: 50CBD1EE + Scan result: HKLM\SOFTWARE\Classes\CLSID\{1DE20533-9118-BF9A-A6C6-F8E881A5FD4B} -> Spyware.CoolWebSearch : Cleaned with backup F:\Documents and Settings\Shane O'Sullivan\Cookies\shane o'sullivan@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup F:\Documents and Settings\Shane O'Sullivan\Cookies\shane o'sullivan@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup F:\Documents and Settings\Shane O'Sullivan\Local Settings\Temporary Internet Files\Content.IE5\F9STVTOF\mm[2].js -> Spyware.Chitika : Cleaned with backup ::Report End AboutBuster 5.1, reference file 33 Scan started on [16/11/2005] at [10:40:11 AM] ------------------------------------------------ No Ads Found! ------------------------------------------------ Removed File! : C:\WINDOWS\bdtwi.dat Removed File! : C:\WINDOWS\vlkdx.dat Removed File! : C:\WINDOWS\wrbtx.dat Removed File! : C:\WINDOWS\zdavy.dat Removed File! : C:\WINDOWS\system32\jblvx.dat Removed File! : C:\WINDOWS\system32\lbnuf.dat Removed File! : C:\WINDOWS\system32\mhxkb.dat ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 10:42:14 AM AboutBuster 5.1, reference file 33 Scan started on [16/11/2005] at [10:53:02 AM] ------------------------------------------------ No Ads Found! ------------------------------------------------ No Files Found! ------------------------------------------------ Scan was COMPLETED SUCCESSFULLY at 10:55:04 AM

Trevuren View Member Profile	Nov 15 2005, 07:54 PM Post #6
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	We need to do a general overall cleanup of your system at this time 1.Download and Run a free trial version of an anti-trojan program called Trojan Hunter: HERE Let it scan your whole system and remove anything it finds. REBOOT your system. 2. Run Panda, a free online antivirus scan from HERE Let it remove anything it finds. REBOOT your system. 3. Download, install, update, configure, and run Ad-Aware SE Personal 1.06. Download Ad-Aware SE Personal 1.06: Download Ad-Aware SE Personal 1.05. Save aawsepersonal.exe to a convenient location. Install Ad-Aware SE Personal 1.06: Double-click on aawsepersonal.exe to install the program. Follow the default settings for installation. After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes. Update Ad-Aware SE Personal 1.06: Double-click the Ad-Aware SE Personal icon on your desktop. Click "Check for updates now" then click "Connect". It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish". Configure Ad-Aware SE Personal 1.06: Click on the Gear button at the top of the window. Click "General" on the left hand side to display the General Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.: "Automatically save logfile" "Automatically quarantine objects prior to removal" "Safe Mode (always request confirmation)" "Prompt to update outdated definitions" - change to 7 days from the default 14. Click "Scanning" on the left hand side to display the Scan Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.: "Scan within archives" "Select drives & folders to scan" - select your hard drive(s). "Scan active processes" "Scan registry" "Deep-scan registry" "Scan my IE favorites for banned URLs" "Scan my Hosts file" Click "Advanced" on the left hand side to display the Advanced Settings box. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.: "Move deleted files to Recycle Bin" "Include additional object information" "Include negligible objects information" "Include environment information" Click "Defaults" on the left hand side to display the Default Settings box. Make sure these items have your preferred settings in them.: "Default homepage" "Default searchpage" Click "Tweak" on the left hand side to display the Tweak Settings box. Click the + (plus) sign next to the Log Files section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.: "Include basic Ad-Aware settings in log file" "Include additional Ad-Aware settings in log file" "Include reference summary in log file" "Include alternate data stream details in log file" Click the + (plus) sign next to the Scanning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.: "Unload recognized processes & modules during scan" "Scan registry for all users instead of current user only" "Obtain command line of scanned processes" Click the + (plus) sign next to the Cleaning Engine section. This will expand the section. Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.: "Always try to unload modules before deletion" "During removal, unload Explorer and IE if necessary" "Let Windows remove files in use at next reboot" "Delete quarantined objects after restoring" Once you are done with these settings, click "Proceed" to save them. This will take you back to the main screen. Run Ad-Aware SE Personal 1.06: Click the "Start" button. Uncheck the "Search for negligible risk entries" entry. Choose the "Use custom scanning options" scan mode. Click the "Next" button. Ad-Aware will begin to scan for malware residing on your computer. Allow the scan to finish. Right-click on any entry in the list and click "Select All" to select the whole list. Click "Next" and choose "OK" at the prompt to quarantine and remove the objects. REBOOT your system. 4. Download the .exe format of Cleanup by Steven Gould from :HERE A window will open and choose SAVE, then DESKTOP as the destination. On your Desktop, click on Cleanup40.exe icon. Then, click RUN and place a checkmark beside "I Agree" Then click NEXT followed by START and OK. A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality. Click OK Finally click "CleanUp" The program with probably ask you to reboot. If it doesn't, then REBOOT your system yourself. 5. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review. Regards, Trevuren

honkin View Member Profile	Nov 16 2005, 05:22 PM Post #7
New Member Posts: 7 OS: XP SP2	Hey Trevuren The link to Cleanup40.exe is dead, but I already had a copy of it on my system. Ran it in standard mode and let it do its thing. Also, Panda did a log which had heaps of Adware. I have moved them all from both Windows and Windows\System32 to another location. Will delete them if you say they are OK to be deleted. Have included the Panda log as well. Hijack This still shows 3 entries of that dgugf.dll. Logfile of HijackThis v1.99.1 Scan saved at 10:12:19 AM, on 17/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe e:\Program Files\ewido\security suite\ewidoctrl.exe e:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\alg.exe E:\Program Files\ScanSoft\OmniPageSE\opware32.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe E:\Program Files\Winamp\winampa.exe C:\NOSPY.ORG\start1.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe E:\Program Files\PeerGuardian2\pg2.exe E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe E:\Program Files\Nikon\NkView6\NkvMon.exe E:\Program Files\WinZip\WZQKPICK.EXE E:\Program Files\SpamBayes\bin\sb_tray.exe C:\Program Files\Hijackthis\HijackThis.exe C:\WINDOWS\system32\NOTEPAD.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [Omnipage] E:\Program Files\ScanSoft\OmniPageSE\opware32.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131673724281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Incident Status Location Adware:Adware/SearchAid No disinfected C:\WINDOWS\addde32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\addjr32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\addpb.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\addqm32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\addxg32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apifh32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apigu.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apilv.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apiov32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apisg32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apisn.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\apitr.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\appkj32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\appwe.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\appyo.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\appyt32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlnp.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\atlre.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\crcq.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\crpv.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\crtq32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\crul.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3mk.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3ui32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3vv32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ieew.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\iezf.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipdx.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipnc.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipoo.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ippa.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\javaba32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\javacc.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcaa.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcbx32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcck32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcvz32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\netnt32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\netyh32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\netyo.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ntee32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\nttl32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkjl32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkkx32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdksg.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkwh32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdkwj.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysav.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysmm32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addbh32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addfs.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addhq32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addmb.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\addol32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiez32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiis32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apiqd.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apivx.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apphf.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\applb.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appoh.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\apprc32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appud.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\appwp.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atlhf.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atllu.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\atltq32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crkj.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crnl32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crqk32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crre.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crrw32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\crvp32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3ax32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3fq.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\d3jj32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iedt32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\iegi32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ietz32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipcz32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipdf32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ipqs.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javaml.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javamu32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\javayr.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfccr32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfces.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcet32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcof.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mfcxj32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\msmi32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\mstr32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netto.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netwm.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\netwz.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\ntvv32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkct32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sdkqx.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysdb.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\syseb.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\syshe.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysmw.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\systw32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvg32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvi32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysvy.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\sysyn.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\winar.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\system32\winzr32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\systx.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\ujzmh.log Adware:Adware/SearchAid No disinfected C:\WINDOWS\wincs.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\wingn.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\winjx.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\winkj.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\winld32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\winmh.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\winvf32.exe Adware:Adware/SearchAid No disinfected C:\WINDOWS\winxi32.exe

Trevuren View Member Profile	Nov 16 2005, 08:04 PM Post #8
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Please delete all those files. If there anre any that won't let themselves be deleted in regular mode, delete them at the same time you are deleting the prescribed files in Safe Mode later on in the fix. Please print out these directions for in safe mode you will have to be disconnected from the internet. You should entirely disconnect (UNPLUG) from the internet!!! We need to make all files and folders VISIBLE: Go to start>control panel>folder options>view (tab) choose to "show hidden files and folders," uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes. Close the window with ok All hidden files will now be visible Reboot your system into safe mode for all OS Close all windows and open HijackThis. Click "scan only� in the main window Put a checkmark beside the following entries and click �FIX checked�. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\dgugf.dll/sp.html#17702 R3 - Default URLSearchHook is missing O2 - BHO: Class - {CAE597FF-4125-1680-10FC-D57418898CD3} - C:\WINDOWS\javags32.dll Run CWShredder and choose FIX Start AboutBuster and press START, and then OK. The program will start scanning. Please keep the About Buster log and post it in your next reply. Doubleclick HomeSearchfix.reg to merge the info to the registry. You will be prompted to accept the merge, answer YES. Using Windows Explorer, locate and DELETE the following files: C:\WINDOWS\system32\dgugf.dll C:\WINDOWS\javags32.dll Reboot your system After the reboot, Start AboutBuster AGAIN and scan AGAIN. Clean temporary files: Go > start > run and type cleanmgr and OK Scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked. Click OK to remove those files. Click Yes to confirm deletion. Download Ewido scan Check for updates. Let it do a full run. Copy the log. Past it to a blank Notepad file and save it to post here. Finally, run HijackThis, click SCAN, produce a LOG and POST it, the EWIDOscan log, and the About Buster log in this thread for review. Regards, Trevuren

honkin View Member Profile	Nov 16 2005, 11:33 PM Post #9
New Member Posts: 7 OS: XP SP2	OK, booted to safe mode and none of the 4 entries appear in the new Hijack This log. Did a search and found javags32.dll, but no sign of dgugf.dll. Found 1 reference to it in the registry and deleted it. CWShredder has consistantly found nothing and frankly I am not impressed with it, as others have continually found the CWS entries. About Blaster is clear, HSFix.reg is done. Ewido found 3 things in the Norton recycle bin and 1 in the Documents and Settings folder - all cleaned. Rebooted, About Buster still clear, the 4 entries in Hijack This were still there, so I removed them manually and rebooted. Ran Hijack This and they are gone. Ran cleanmgr and also emptied Norton Protected Recycle Bin. Here are the Hijack This log and Ewido log. Thanks for your help. Logfile of HijackThis v1.99.1 Scan saved at 2:11:02 PM, on 17/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe e:\Program Files\ewido\security suite\ewidoctrl.exe e:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe E:\Program Files\Winamp\winampa.exe C:\NOSPY.ORG\start1.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe E:\Program Files\PeerGuardian2\pg2.exe E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe E:\Program Files\Nikon\NkView6\NkvMon.exe E:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe E:\Program Files\SpamBayes\bin\sb_tray.exe E:\Program Files\SpywareGuard\sgmain.exe E:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Internet Explorer\iexplore.exe e:\Program Files\Real\RealPlayer\RealPlay.exe C:\Program Files\Hijackthis\HijackThis.exe C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [supervisor.exe] C:\WINDOWS\supervisor.exe O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - User Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131673724281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe --------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 4:00:25 PM, 17/11/2005 + Report-Checksum: 6DEC7429 + Scan result: C:\RECYCLER\NPROTECT\00002017.dll -> Adware.SearchPage : Cleaned with backup C:\RECYCLER\NPROTECT\00002018.dll -> Adware.SearchPage : Cleaned with backup C:\RECYCLER\NPROTECT\00002019.dll -> Adware.SearchPage : Cleaned with backup F:\Documents and Settings\Shane O'Sullivan\Local Settings\Temporary Internet Files\Content.IE5\K9ARS5UR\mm[2].js -> Spyware.Chitika : Cleaned with backup ::Report End

Trevuren View Member Profile	Nov 17 2005, 12:23 AM Post #10
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Well Done Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. First we need to make all files and folders VISIBLE: Go to start>control panel>folder options>view (tab) Choose to "show hidden files and folders," Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes. Close the window with ok Please RUN HijackThis. . Click the SCAN button to produce a log. Place a check mark beside each one of the following items: R3 - Default URLSearchHook is missing O4 - HKLM\..\Run: [WinampAgent] e:\Program Files\Winamp\winampa.exe Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window. Reboot Your System in Safe Mode How to use the F8 method to Start Your Computer in Safe Mode Restart the computer. As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears. Use the arrow keys to select the Safe mode menu item Press Enter. Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present): e:\Program Files\Winamp\winampa.exe<==Only this file Exit Explorer, and REBOOT BACK INTO NORMAL MODE Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum for a final check. I expect your log to be clear. Please advise me of any outstanding malware-related problems that you may have. If all is clear, we will proceed with the final cleanup procedures. Regards, Trevuren This post has been edited by Trevuren: Nov 17 2005, 12:27 AM

honkin View Member Profile	Nov 17 2005, 03:50 PM Post #11
New Member Posts: 7 OS: XP SP2	Thanx heaps, dude. These things aren't dangerous, but boy do they piss you off. I have followed advice found on this site to tighten my security regarding future attacks. All I did was browse to a website, for god's sake. An area that should be sacrosanct. Oh, I know they're creative and clever little buggers who write these malicious codes, but I think if you ever met someone who told you they wrote virii and malware etc, you'd take a rather large stick to their head. Here is the HJT log and thankx again for your help. Logfile of HijackThis v1.99.1 Scan saved at 8:47:24 AM, on 18/11/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe E:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe e:\Program Files\ewido\security suite\ewidoctrl.exe e:\Program Files\ewido\security suite\ewidoguard.exe C:\WINDOWS\System32\GEARSec.exe C:\WINDOWS\system32\inetsrv\inetinfo.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\SOUNDMAN.EXE E:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe E:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\NOSPY.ORG\start1.exe e:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe E:\Program Files\PeerGuardian2\pg2.exe E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe C:\Program Files\Wireless Device\Wireless Keyboard\osd.exe E:\Program Files\Nikon\NkView6\NkvMon.exe E:\Program Files\WinZip\WZQKPICK.EXE E:\Program Files\SpamBayes\bin\sb_tray.exe E:\Program Files\SpywareGuard\sgmain.exe E:\Program Files\SpywareGuard\sgbhp.exe C:\Program Files\Internet Explorer\iexplore.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe C:\Program Files\Hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.google.com.au R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com.au O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - e:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - e:\Program Files\Canon\Easy-WebPrint\Toolband.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [Norton Ghost 9.0] E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [MimBoot] e:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "e:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [AnyDVD] "e:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [STARTPAGE] C:\NOSPY.ORG\start1.exe O4 - HKLM\..\Run: [ScriptSentry] e:\Script Sentry\ScriptSentry.exe /check O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [PeerGuardian] e:\Program Files\PeerGuardian2\pg2.exe O4 - Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe O4 - User Startup: SpamBayes Tray Icon.lnk = E:\Program Files\SpamBayes\bin\sb_tray.exe O4 - User Startup: SpywareGuard.lnk = E:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Enable Wireless Keyboard Driver.lnk = C:\Program Files\Wireless Device\Wireless Keyboard\Magickey.exe O4 - Global Startup: Enable Wireless Optical Mouse Driver.lnk = C:\Program Files\Wireless Device\Wireless Mouse\MouseAp.exe O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: Download &this page with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addthis.htm O8 - Extra context menu item: Download all &images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addimg.htm O8 - Extra context menu item: Download all &links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addurl.htm O8 - Extra context menu item: Download selected images with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addselimgs.htm O8 - Extra context menu item: Download selected links with WebCloner - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\addsellinks.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra 'Tools' menuitem: &WebCloner - {ADFCCE65-DF10-46fd-B04A-53CCBE2A0795} - E:\Program Files\ProductsFoundry\WebCloner Pro 2.4\WebCloner.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131673724281 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005102...all/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - e:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: ewido security suite guard - ewido networks - e:\Program Files\ewido\security suite\ewidoguard.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Trevuren View Member Profile	Nov 17 2005, 04:00 PM Post #12
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Congratulations, your log shows that your SYSTEM IS CLEAN *There are a few things you must do once you are completely clean:* 1. Re-hide your System Files and Folders to prevent any future accidents. Reconfigure Windows XP to hide hidden files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading deselect "Show hidden files and folders". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click OK. 2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files: TO DISABLE SYSTEM RESTORE Right-click "My Computer", and then left click "Properties". Left click on "System Restore Tab" Check box beside "Turn Off System Restore" Left click on "Apply" TO ENABLE SYSTEM RESTORE Remove check mark from "Turn Off System Restore" Click on "Apply" 3.Preventitive measures: Please read and follow the following advice by TonyKlein on how to reduce the potential for spyware infection in the future: How Did I Get Infected in the First Place Regards, Trevuren

Trevuren View Member Profile	Nov 20 2005, 07:35 PM Post #13
Member 5k Posts: 18,694 From: Ottawa OS: Windows 7 Ultimate 32-bit/ Windows 7 Home Premium 64-bit	Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal trojan horse downloader agent.6.u [RESOLVED] 12	17 / 2,417	6th October 2005 - 04:14 PM rodneyj222 started - last by Buckeye_Sam
Virus, Spyware and Trojan Removal JavaByteVerify & Trojan Horse Downloader [RESOLVED]	6 / 247	1st August 2006 - 05:28 PM kenotrux started - last by greyknight17
Virus, Spyware and Trojan Removal Trojan horse downloader agent SQK [RESOLVED]	6 / 856	19th September 2007 - 10:28 AM duckpkl started - last by Rorschach112
Virus, Spyware and Trojan Removal Trojan horse Downloader.Agent.WBH	11 / 2,642	9th March 2008 - 11:23 AM cemptor started - last by kahdah