Hijack this logfile help required please [CLOSED]


#1
Wearnie
Member
Good evening,
I was hoping someone may be able to assist me.
I am new here and I've had issues with many spywares and viruses of late.
I've gone through the process of "you must read this b4 posting a HijackThis".
I have run both Ad-Aware and Spybot, and that has eradicated some spyware, as well as ewido securities.
I can't load an IE homepage because it always defaults to this page:
"res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677"
I was able to erase the "startsearches.net" as a start-up page (I think that's what it was called) but I'd just like to know if I've still got major issues?
Any assistance would be greatly appreciated. I am rather new to computer problem solving, but not at problem creating; I seem to do that easy...
Regards




Logfile of HijackThis v1.99.1
Scan saved at 12:56:31 AM, on 26/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Installs\security suite\ewidoctrl.exe
C:\Program Files\Installs\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Installs\security suite\SecuritySuite.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Installs\Hijack this Reports\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp4824.tmp (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {09EC1913-2039-504D-47D9-35C024D1D4E2} - http://216.118.71.185/1/gdnAU1865.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qsfota.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {4A0329C0-1259-164D-9CB7-50F23AA3ACCF} - http://216.118.71.185/1/gdnAU1865.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105191519187
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Installs\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Installs\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#2
greyknight17
Malware Expert
Welcome to GTG.

Go to this site and upload this file -> C:\WINDOWS\system32\shdocpe.dll to the site. Click on Submit. Wait for the results. What does it say? If it's bad, I want you to delete it (see bottom):

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

Right click on this link and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Go to Start->Control Panel->Add or Remove Programs and remove/uninstall the following programs, if found:

Security iGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with red circle with a white X. Confirm to delete and when asked if you want to reboot now, say no:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\ole32vbs.exe
C:\WINDOWS\System32\hp4824.tmp
C:\WINDOWS\system32\ntnut.exe
C:\Program Files\Internet Explorer\qsfota.exe
C:\WINDOWS\system32\shdocpe.dll - ONLY include this one if that scan that you did earlier said that it's bad


Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Delete these folders if they exist:

C:\Program Files\Search Maid\
C:\Program Files\Virtual Maid\
C:\Windows\System32\Log Files\
C:\Program Files\Security iGuard\


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
R3 - Default URLSearchHook is missing
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp4824.tmp (file missing)
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O16 - DPF: {09EC1913-2039-504D-47D9-35C024D1D4E2} - http://216.118.71.185/1/gdnAU1865.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qsfota.exe
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {4A0329C0-1259-164D-9CB7-50F23AA3ACCF} - http://216.118.71.185/1/gdnAU1865.exe


Close HijackThis.

Restart your computer.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

1. Download Hoster http://www.greyknigh.../spy/Hoster.exe and run it. Choose the 'Restore Original Hosts' button and press OK. Close the program.

2. Right click on this link -> http://mvps.org/winh.../DelDomains.inf and select Save As to download WinHelp2002's DelDomains.inf. Save the file to the Desktop. To run the inf file, right click on it and select Install. Note: This will remove all entries in the 'Trusted Zone' and 'Ranges' also.

3. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

4. Run an online scan at http://www.pandasoft...com/activescan/ and save the results from the scan!

Restart and post a new HijackThis log along with the results from ActiveScan.
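
An added example, not part of the thread and not HijackThis's own logic: a small triage script that parses HijackThis-style entries and flags the kinds of lines singled out in the reply above. The function names and the heuristics are assumptions made for illustration; the sample entries are copied from the first log in this thread.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Entries copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.startsearches.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp4824.tmp (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O15 - Trusted Zone: *.awmdabest.com
O16 - DPF: {09EC1913-2039-504D-47D9-35C024D1D4E2} - http://216.118.71.185/1/gdnAU1865.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\qsfota.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# A log entry is a section code (R0, O4, O16, ...) followed by " - " and a body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_log(text):
    """Return (code, body) for each entry line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(code, body):
    """Return the reasons (possibly none) why an entry deserves a closer look.

    These rules are illustrative assumptions, not a verdict on any file.
    """
    reasons = []
    if code in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1]
        if value.lower().startswith("res://"):
            reasons.append("IE page setting is served from inside a local DLL (res://)")
    elif code in ("O2", "O3") and body.endswith("(file missing)"):
        reasons.append("browser add-on is registered but its file is missing")
    elif code == "O15":
        reasons.append("site has been placed in the Trusted Zone")
    elif code == "O16" and " - " in body:
        url = body.rsplit(" - ", 1)[1]
        scheme = url.split(":", 1)[0].lower()
        if scheme in ("file", "ms-its"):
            reasons.append("ActiveX codebase uses a local or help-file scheme (%s:)" % scheme)
        elif scheme in ("http", "https"):
            parts = urlsplit(url)
            if parts.hostname and _is_ip_literal(parts.hostname):
                reasons.append("ActiveX codebase is hosted on a bare IP address")
            if parts.path.lower().endswith(".exe"):
                reasons.append("ActiveX codebase is a raw .exe download")
    return reasons


def suspicious_entries(log_text):
    """Return (code, body, reasons) for every entry that matched at least one rule."""
    flagged = []
    for code, body in parse_log(log_text):
        reasons = triage(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


if __name__ == "__main__":
    for code, body, reasons in suspicious_entries(SAMPLE_LOG):
        print(code, "-", body)
        for reason in reasons:
            print("    *", reason)
```

Structural rules like these do not flag the `O4` entry for `ntnut.exe` or the `startsearches.net` Search Bar, both of which are on the fix list above; those were identified by name, which no pattern over the log format can replace.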

#3
Wearnie
Member
Grey Knight, firstly thank you for your assistance.
I proceeded to the site as first suggested and it verified I had a few trojans.
Secondly I merged the smitfraud reg into the registry... but when I right clicked on the desktop and went to Properties there was no Desktop tab facility. I must be in the wrong area?
I literally just right clicked on my desktop?
It had a header with
General
The page icon below (General) said not available

Protocol - file protocol
Type - html document
Connection - not encrypted
Address (url) - file://C:\WINDOWS\desktop.html
Size - not available
Created - not available
Modified - not available

It has a Certificates button
OK and Cancel buttons

Below is the part of your directions you supplied, and where I got lost... I could not find anywhere a Desktop tab? Customise Desktop button etc.?
Apologies for the inconvenience.
Am I in the wrong area?

Right click on this link -> http://www.bleepingc...g/smitfraud.reg and save that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.

#4
Wearnie
Member
GreyKnight17
I may not be able to see the Desktop tab because in fact I can't get to the desktop... I changed the screen resolution and could see part of my wallpaper.
So the screen I'm clicking on isn't my desktop... it's a blank white screen that flickers quite a bit...
I proceeded with the process and the computer is running better... I have
a Panda scan result here and a HijackThis update at the bottom. I appreciate I may well have wasted my time by avoiding a step but I thought I'd try the process regardless... just to step through it...
I hope I haven't wasted your time in the process.
Regards
David




#5
Wearnie
Member
I think the last log may have been too large but hopefully it gives an idea. So I have attached the HijackThis update here...
Regards, David



Logfile of HijackThis v1.99.1
Scan saved at 10:06:43 PM, on 26/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Installs\security suite\ewidoctrl.exe
C:\Program Files\Installs\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Installs\Hijack this Reports\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://afl.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105191519187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Installs\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Installs\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi David, delete this file -> C:\WINDOWS\desktop.html

Run that smitfraud.reg file again and merge it. Now see if you can change your wallpaper.

Download CWShredder at http://www.greyknigh.../CWShredder.exe and run it. Click on 'I Agree' button if you agree with it. Click on 'Fix' (it will automatically fix anything it finds for you) and OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Print or copy the below to notepad for later viewing.

Boot into Safe Mode.

Check and fix these in HijackThis:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home


Delete this file if found -> C:\WINDOWS\system32\ntnut.exe

I also want you to delete all those files found in the Panda scan if they still exist.

Restart and post a new HijackThis and Panda log.

#7
Wearnie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
GreyKnight17
I have gone through the process as described, except I was unsure where to find the details of the Panda scan to delete... but I ran another scan and the results are as follows... HijackThis to follow in the next post.



#8
Wearnie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here is the latest HijackThis file... thank you again for your patience with me. Regards, David

Logfile of HijackThis v1.99.1
Scan saved at 10:49:41 PM, on 27/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Installs\security suite\ewidoctrl.exe
C:\Program Files\Installs\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Installs\Hijack this Reports\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105191519187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Installs\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Installs\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Boot into Safe Mode to do the below.

Run CWShredder again.

For the files to delete in Panda, I just want you to delete those files listed there manually.

For example, take this one -> Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\addya.exe

Delete the c:\windows\addya.exe file.

Then go to the next one and delete that file specified there.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home


Delete this file -> C:\WINDOWS\system32\ntnut.exe

I want you to upload this file (C:\WINDOWS\system32\shdocpe.dll) to this site and submit it. Post the report here.

#10
Wearnie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
This is the result of the Panda scan below. I could not find this file to delete it.

Incident Status Location

Adware:Adware/Virmaid No disinfected Windows Registry


and here is the latest Hijack This file
Regards

Logfile of HijackThis v1.99.1
Scan saved at 2:17:57 AM, on 29/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Installs\security suite\ewidoctrl.exe
C:\Program Files\Installs\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Installs\Hijack this Reports\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105191519187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Installs\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Installs\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again for your efforts

#11
Wearnie

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Also I can't default my own start-up IE page... this is the link it loads every time

res://C:\WINDOWS\system32\shdocpe.dll/security.htm

How can I erase this and default my own?

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, boot into Safe Mode again.

Now, make sure that Ad-Watch is disabled/closed before doing the fix. It may be interfering here, so close it if it's still running.

Then check and fix these in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home


Delete this file -> C:\WINDOWS\system32\ntnut.exe

See if you can find a file called security.htm and delete that file also.

Restart and post a new HijackThis log.
  • 0
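The same fix-list entries reappear in each follow-up log in this thread. As an added example (not part of the original posts and not HijackThis code), this Python check compares a helper's fix list against a later log and reports which entries survived; the follow-up excerpt is constructed and the function names are hypothetical.

```python
import ntpath
import re

# "R0 - ...", "O4 - ...", "O23 - ..." style HijackThis entry lines.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Module named in a res:// URL, e.g. res://C:\path\file.dll/page.htm
RES_RE = re.compile(r"res://(.+?\.(?:dll|exe|ocx))/", re.IGNORECASE)

# Entries the helper asked to be fixed, copied from the thread.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocpe.dll/security.htm#subID=BSW;677
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O4 - HKLM\..\Run: [Fast start] C:\WINDOWS\system32\ntnut.exe home
"""

# Constructed follow-up log excerpt: the Start Page entry is gone,
# the other two are still there (one with different letter case).
RESCAN = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocpe.dll/asst.htm
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [Fast start] c:\windows\system32\ntnut.exe home
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""


def parse_entries(log_text):
    """Return (section code, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # Collapse runs of whitespace so copy/paste damage does not matter.
            entries.append((match.group(1), " ".join(match.group(2).split())))
    return entries


def _key(entry):
    # Registry and file paths on Windows are case-insensitive.
    code, body = entry
    return (code, body.casefold())


def still_present(fix_text, rescan_text):
    """Fix-list entries that are still in the follow-up log, in fix-list order."""
    seen = {_key(entry) for entry in parse_entries(rescan_text)}
    return [f"{code} - {body}"
            for code, body in parse_entries(fix_text)
            if _key((code, body)) in seen]


def res_modules(log_text):
    """File names that IE start/search page (R-section) entries load via res://."""
    modules = set()
    for code, body in parse_entries(log_text):
        if code.startswith("R"):
            for match in RES_RE.finditer(body):
                modules.add(ntpath.basename(match.group(1)).lower())
    return sorted(modules)


if __name__ == "__main__":
    for entry in still_present(FIX_LIST, RESCAN):
        print("still present:", entry)
    print("res:// modules in R entries:", res_modules(RESCAN))
```

An entry that survives a fix usually means something is still running that rewrites it, which is why the helper asks for Safe Mode and for Ad-Watch to be closed before fixing.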

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else, please begin a New Topic.