hi everyone..i've used this site before with a friend's a computer and you guys were soo helpful! i'm hoping you can help me now with my computer's many infections...here are my logfiles from both ewido and hijack this...

thanks so much!!!



ewido anti-malware - Process report
---------------------------------------------------------

+ Created on: 10:44:41 PM, 5/23/2006
+ Report-Checksum: AB9D05A0

0: System Process
4: System Process
232: C:\Program Files\Internet Explorer\iexplore.exe
472: \SystemRoot\System32\smss.exe
520: \??\C:\WINDOWS\REPLACE\system32\csrss.exe
544: \??\C:\WINDOWS\REPLACE\system32\winlogon.exe
588: C:\WINDOWS\REPLACE\system32\services.exe
600: C:\WINDOWS\REPLACE\system32\lsass.exe
768: C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
796: C:\WINDOWS\REPLACE\system32\svchost.exe
820: C:\WINDOWS\REPLACE\System32\svchost.exe
880: C:\WINDOWS\REPLACE\System32\ACS.exe
1000: C:\WINDOWS\REPLACE\System32\svchost.exe
1024: C:\WINDOWS\REPLACE\System32\svchost.exe
1288: C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
1336: C:\WINDOWS\REPLACE\system32\spoolsv.exe
1536: C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
1592: C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
1692: c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
2052: C:\Program Files\ewido anti-malware\ewidoguard.exe
2116: C:\Program Files\ewido anti-malware\ewidoctrl.exe
2140: C:\WINDOWS\REPLACE\System32\wuauclt.exe
2724: C:\WINDOWS\REPLACE\system32\Ati2evxx.exe
2824: C:\WINDOWS\REPLACE\System32\svchost.exe
2864: C:\WINDOWS\REPLACE\explorer.exe
2992: C:\Program Files\ewido anti-malware\securitysuite.exe
3296: C:\WINDOWS\REPLACE\System32\ctfmon.exe
3952: C:\WINDOWS\REPLACE\System32\nvctrl.exe
3972: C:\WINDOWS\REPLACE\System32\mssearchnet.exe




Logfile of HijackThis v1.99.1
Scan saved at 10:47:24 PM, on 5/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\REPLACE\System32\smss.exe
C:\WINDOWS\REPLACE\system32\csrss.exe
C:\WINDOWS\REPLACE\system32\winlogon.exe
C:\WINDOWS\REPLACE\system32\services.exe
C:\WINDOWS\REPLACE\system32\lsass.exe
C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
C:\WINDOWS\REPLACE\system32\svchost.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\WINDOWS\REPLACE\System32\ACS.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
C:\WINDOWS\REPLACE\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\WINDOWS\REPLACE\system32\Ati2evxx.exe
C:\WINDOWS\REPLACE\explorer.exe
C:\WINDOWS\REPLACE\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\REPLACE\System32\wuauclt.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\REPLACE\System32\nvctrl.exe
C:\WINDOWS\REPLACE\System32\mssearchnet.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Alisha\Local Settings\Temporary Internet Files\Content.IE5\G16VO1AJ\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://toshibadirect.com/
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\REPLACE\System32\hp38DE.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\REPLACE\System32\msdxm.ocx
O4 - HKLM\..\Run: [LexPPS.exe] C:\WINDOWS\REPLACE\System32\lexpps.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\REPLACE\System32\ctfmon.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\REPLACE\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

Hello Alisha and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have a Puper infection. Let’s see what we can.

I note that you are running HijackThis from Temporary Folder; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Click My Computer, then C:\ and then Program Files.
In the menu bar, go to File>New>Folder. That will create a folder named New Folder, which you can right-click on and rename to HJT or HijackThis. Now you have C:\Program Files\HijackThis. Cut ‘n’ Paste your HijackThis.exe into it.

Firstly could you please disable Ewido Guard from running as it will hinder our attempts to change anything. Open Ewido>Status and remove the Guard option. You may be required to reboot for the change to take effect.

Have you any idea as to why your system (Windows) files are in a folder named REPLACE?

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy & paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programmes (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a programme used to stop system processes. Antivirus programmes cannot distinguish between "good" and "malicious" use of such programmes, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Thankyou so much for your help..I have done all of the above steps and performed the smitfraudfix..Here is my logfile:

SmitFraudFix v2.47

Scan done at 4:14:03.87, Fri 05/26/2006
Run from C:\Documents and Settings\Alisha\Local Settings\Temporary Internet Files\Content.IE5\A16L7Z9X\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\REPLACE


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\REPLACE\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\REPLACE\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\REPLACE\system32

C:\WINDOWS\REPLACE\system32\hp????.tmp FOUND !
C:\WINDOWS\REPLACE\system32\interf.tlb FOUND !
C:\WINDOWS\REPLACE\system32\ot.ico FOUND !
C:\WINDOWS\REPLACE\system32\stickrep.dll FOUND !
C:\WINDOWS\REPLACE\system32\ts.ico FOUND !
C:\WINDOWS\REPLACE\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alisha\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Alisha\FAVORI~1

C:\DOCUME~1\Alisha\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_CLASSES_ROOT\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\REPLACE\System32\sivudro.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\REPLACE\System32\sivudro.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

I have done nothing beyond this point...waiting for your advice - thanx again!!

oh and PS: I am the only administator of this computer..that is, it is not a "family pc", simply my own. Also, I have no clue as to why my system files are in a folder named REPLACE...

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

A. Please download the trial version of Ewido anti-malware from here: http://www.ewido.net/en/download/

• Install Ewido anti-malware.
• When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
• When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
• The programme will prompt you to update. Click the Ok button.
• The programme will now go to the main screen.

You will need to update Ewido to the latest definition files.

• On the left-hand side of the main screen click the Update Button.
• Click on Start.
• The update will start and a progress bar will show the updates being installed.

Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates. Make sure to close Ewido before installing the update.

B. Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
• Wait 30 seconds, and then turn the computer on.
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
• Ensure that the Safe Mode option is selected.
• Press Enter. The computer then begins to start in Safe mode.
• Login on your usual account.

______________________________

C. Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

D. Clean out your Temporary Internet files. Proceed like this:

• Quit Internet Explorer and quit any instances of Windows Explorer.
• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

E. Close ALL open Windows / Programmes / Folders. Please start Ewido, and run a full scan.

• Click on Scanner
• Click on Settings
  • Under How to scan all boxes should be checked
  • Under Unwanted Software all boxes should be checked
  • Under What to scan select Scan every file
  • Click on Ok
• Click on Complete System Scan to start the scan process.
• Let the programme scan the machine.

If Ewido finds anything, it will pop up a notification. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says Perform action on all infections and put a checkmark in the box next to Create encrypted backup, then choose clean and click Ok.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.

• Click Save Report button
• Save the report to your Desktop

Close Ewido and Reboot in Normal Mode.
______________________________

F. Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

G. Please post:

1. c:\rapport.txt
2. Ewido log
3. A new HijackThis log (from normal mode).

You may need more than one reply to post the requested logs, otherwise they might get cut off.

Have you ever had a system repair done on this PC?

Here is my newest smitfraudfix log:

SmitFraudFix v2.47

Scan done at 21:02:55.31, Thu 05/25/2006
Run from C:\Documents and Settings\Alisha\Local Settings\Temporary Internet Files\Content.IE5\A16L7Z9X\SmitfraudFix[1]\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}"="SivuWare"

[HKEY_CLASSES_ROOT\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\REPLACE\System32\sivudro.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{EA26CE12-DE64-A1C5-9A4F-FC1A64E6AC2E}\InProcServer32]
@="C:\WINDOWS\REPLACE\System32\sivudro.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\REPLACE\system32\hp????.tmp Deleted
C:\WINDOWS\REPLACE\system32\interf.tlb Deleted
C:\WINDOWS\REPLACE\system32\ot.ico Deleted
C:\WINDOWS\REPLACE\system32\stickrep.dll Deleted
C:\WINDOWS\REPLACE\system32\ts.ico Deleted
C:\WINDOWS\REPLACE\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\REPLACE\System32\sivudro.dll -> Missing File


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Ewido log:
+ Created on: 12:26:46 AM, 5/26/2006
+ Report-Checksum: 5CB5DD10

+ Scan result:

:mozilla.11:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Alisha Casalnova\Application Data\Netscape\NSB\Profiles\guricxb5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned with backup
C:\Program Files\Common Files\CMEII\CMEIIAPI.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GAppMgr.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GController.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GDwldEng.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GIocl.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GIoclClient.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GMTProxy.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GObjs.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GStore.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GStoreServer.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\Gtools.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\tppnntpt\rrbrtatr\ldpjpapl.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\tppnntpt\tjerrrdned\dbphpbrph.exe -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Buddy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.Sahat : Cleaned with backup
C:\WINDOWS\system32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\vmss\vmss.exe -> Adware.DelphinMediaViewer : Cleaned with backup
C:\WINDOWS\system32\wsxsvc\wsx.dll -> Adware.DelphinMediaViewer : Cleaned with backup
C:\WINDOWS\system32\wsxsvc\wsx.ocx -> Adware.DelphinMediaViewer : Cleaned with backup
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe -> Adware.DelphinMediaViewer : Cleaned with backup


::Report End

new hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 12:37:17 AM, on 5/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\REPLACE\System32\smss.exe
C:\WINDOWS\REPLACE\system32\winlogon.exe
C:\WINDOWS\REPLACE\system32\services.exe
C:\WINDOWS\REPLACE\system32\lsass.exe
C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
C:\WINDOWS\REPLACE\system32\svchost.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\WINDOWS\REPLACE\System32\ACS.exe
C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
C:\WINDOWS\REPLACE\system32\spoolsv.exe
C:\WINDOWS\REPLACE\system32\LEXPPS.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\REPLACE\system32\Ati2evxx.exe
C:\WINDOWS\REPLACE\Explorer.EXE
C:\WINDOWS\REPLACE\System32\ctfmon.exe
C:\WINDOWS\REPLACE\System32\wuauclt.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Alisha\Local Settings\Temporary Internet Files\Content.IE5\A16L7Z9X\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\REPLACE\System32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\REPLACE\System32\ctfmon.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\REPLACE\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe



...It seems to be running better already Yes, I did have to do a system repair back in February because my computer just shut itself off constantly and one day a screen popped up telling me to install the original disks for a system repair..things have gotten worse since then. What is my next move here??

Hello again Alisha

The logs look good but I can see a minor adjustment is still necessary.

I note that you are running HijackThis from a Temporary Folder; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Click My Computer, then C:\ and then Program Files.
In the menu bar, go to File>New>Folder. That will create a folder named New Folder, which you can right-click on and rename to HJT or HijackThis. Now you have C:\Program Files\HijackThis. Cut ‘n’ Paste your HijackThis.exe into it.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please set your system to show all files;
please see here if you're unsure how to do this.

Using Windows Explorer, locate this file and delete it:

C:\windows\system32\blank.htm

Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log, from normal mode, and I will take another look.

I don't think there is any harm in having your system files in a different folder, but you might still have all the old, possibly corrupted files still on your PC doing nothing. You might wish to visit our Win XP forum when I have given you the all clear.

Hello...I performed the above actions, but could not locate the file
C:\windows\system32\blank.htm I performed a full system search and even went through the windows program file and system 32 folder to no avail. I hope this is okay...I then performed a new HiJack This scan:


Logfile of HijackThis v1.99.1
Scan saved at 8:54:42 AM, on 5/26/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\REPLACE\System32\smss.exe
C:\WINDOWS\REPLACE\system32\winlogon.exe
C:\WINDOWS\REPLACE\system32\services.exe
C:\WINDOWS\REPLACE\system32\lsass.exe
C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
C:\WINDOWS\REPLACE\system32\svchost.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\WINDOWS\REPLACE\System32\ACS.exe
C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
C:\WINDOWS\REPLACE\system32\spoolsv.exe
C:\WINDOWS\REPLACE\system32\LEXPPS.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\REPLACE\system32\Ati2evxx.exe
C:\WINDOWS\REPLACE\Explorer.EXE
C:\WINDOWS\REPLACE\System32\ctfmon.exe
C:\WINDOWS\REPLACE\System32\svchost.exe
C:\Program Files\HiJackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\REPLACE\System32\msdxm.ocx
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\REPLACE\System32\ctfmon.exe
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - http://a532.g.akamai.net/f/532/6712/5m/vir...0/installer.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\REPLACE\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\REPLACE\System32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\REPLACE\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\REPLACE\system32\LEXBCES.EXE
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe

Congratulations! your new log is clean. Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.

SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated.

It just remains for me to wish you happy safe surfing.

THANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOU THANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOUTHANKYOU!!!!!!!!!!...Can't say it enough!! My computer is running beautifully - thanks for all of the easy-to-follow help and advice You're amazing!

You are very welcome.

I will leave this thread open for a few days in case of misfortune.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.