OK here we go...
This HJT log was just created after getting online to send this post. As you can see, an 017 came back. In step 4 of your instructions I found no 017 to fix. I looked in safe and normal mode. I'm feeling hopeful, let me know what all this means!?!?!
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 9:40:34 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Andy's Files\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Here's the Ewido scan log. It cleaned 34 infected objects, some of which were ones that Norton was unable to get rid of.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 9:26:19 PM, 7/25/2005
+ Report-Checksum: E0094DAD
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2000478354-507921405-1060284298-1004\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-2000478354-507921405-1060284298-1004\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_29.exe -> TrojanDownloader.Mediket.ae : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP116\A0026343.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP116\A0026344.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027878.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027879.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027881.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027882.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028555.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028556.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028557.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028558.dll -> Spyware.Zbar : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028559.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028560.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028572.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028573.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028574.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028575.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028576.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028577.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028578.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028579.dll -> Spyware.Banex : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028582.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP120\A0028637.dll -> Spyware.Zbar : Cleaned with backup
C:\Andy's Files\backups\backup-20050706-092156-829.dll -> Spyware.180Solutions : Cleaned with backup
C:\Andy's Files\backups\backup-20050711-114008-280.dll -> Spyware.WinAD : Cleaned with backup
::Report End
Here's the log.txt from remv3:
The batch is run from -- C:\Andy's Files\remv3 folder
Files Found.................
----------------------------------------
Files Not deleted.................
----------------------------------------
Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------
Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 386A-10DA
Directory of C:\WINDOWS\SYSTEM32
msi.dll
Finished