Hi, thank you for looking at my problem.
Followed your instructions and here are the results:
Of the two 'R0' entries, only the second showed up after the ewido scan, so I removed it.
What was odd was that after the final HJT scan the first 'R0' has now shown up. I haven't done anything to it yet though; I stopped after the scan.
Final HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 23:51:00, on 2005-07-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Panda log:
Incident Status Location
Adware:Adware/Smitfraud No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Björn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-4514e5ea-73e08cee.zip[InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Björn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv164.jar-226df11-4d36cb91.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Björn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv164.jar-226df11-4d36cb91.zip[Matrix.class]
ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 23:13:00, 2005-07-09
+ Report-Checksum: 6A6D842C
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{FF8DA190-3574-11D4-8068-0060082AE372} -> Spyware.BingoFun : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Björn\Application Data\Mozilla\Firefox\Profiles\ntyv78kx.Default User\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Björn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-7e98c37b.class -> TrojanDownloader.Small.wv : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050709-004005-299.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP80\A0032598.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP80\A0032599.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP80\A0032694.exe -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP80\A0032699.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP80\A0032709.exe -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP81\A0033008.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP81\A0033012.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP81\A0033014.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP82\A0033035.dll -> Trojan.Agent.ff : Cleaned with backup
::Report End
From briefly observing the system, I get no annoying popups, but it still runs a bit sluggish.