[kusash]

hi..

i realise that someone has already post up a request to remove oneclicksearches spyware.

http://www.geekstogo...VED-t41883.html

However my log file is alot different from him (his name is Wazoo). i tried the method posted and while scanning with HJT i can only check this:

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpA011.tmp

The above is the only thing similar. I proceed to do the rest as posted.

i have use Ewido Security Suite to scan and remove further spyware and adware.

The following is my report.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:09:35 PM, 7/18/2005
+ Report-Checksum: 37185CA0

+ Scan result:

C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\marcus.lok.2004\Local Settings\Temporary Internet Files\Content.IE5\3D5W11C3\input[1].php -> Not-A-Virus.Exploit.HTML.DragDrop : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\251C3E49-CABD-4BD2-B1B6-C8CB26\F88F182C-3067-4A1B-BBFD-B10ADD -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015667.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015668.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015669.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015671.EXE -> Trojan.Agent.ay : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015672.dll -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015673.dll -> Spyware.BiSpy : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015680.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015681.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015682.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015699.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015700.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015701.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015711.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015713.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP99\A0015714.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP101\A0015759.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP101\A0015760.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP101\A0015761.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015811.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015812.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015813.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015815.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015835.dll -> Trojan.Puper.m : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015844.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015845.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015846.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015870.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015871.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015872.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015883.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015884.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015885.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015893.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015894.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015895.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015907.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015908.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP102\A0015909.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015960.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015961.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015962.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015978.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015979.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0015980.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016002.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016003.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016004.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016026.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016027.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016028.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016053.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016054.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016055.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016070.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016071.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0016072.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017116.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017117.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017118.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017124.exe -> Trojan.Puper.ab : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017126.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017127.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017128.exe -> Trojan.Puper.aa : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017129.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{6C7570DF-347B-468C-827D-CC7BA11C38CA}\RP103\A0017131.exe -> Trojan.Puper.w : Cleaned with backup


::Report End

Next i use Panda ActiveScan to do a scan and there appears to be still some more spyware and adware.

Incident Status Location

Adware:adware/transponder No disinfected C:\WINDOWS\LASTGOOD\INF\speer.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\Buddy.exe
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
Adware:adware/popuper No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\sprnopol.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\adrmsper.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\speer.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Virus:HackTool/Gendel.A No disinfected C:\gendel32.exe
They coulIncident Status Location

Adware:adware/transponder No disinfected C:\WINDOWS\LASTGOOD\INF\speer.inf
Spyware:spyware/betterinet No disinfected C:\WINDOWS\Buddy.exe
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ACTIVEX COMPATIBILITY\{53F066F0-A4C0-4F46-83EB-2DFD03F938CF}
Adware:adware/popuper No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
Adware:adware/brilliantdigitalNo disinfected HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\sprnopol.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\adrmsper.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\speer.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Buddy.exe
Virus:HackTool/Gendel.A No disinfected C:\gendel32.exe
They could not be remove. Can someone help me?

[Advertisements]

and by the way.. after i reboot from safe mode.. and run a scan on HJT i get the following..

Logfile of HijackThis v1.99.1
Scan saved at 8:28:11 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Symbol Commander\Sensiva.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.smu.edu.sg/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121407672833
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

The thing is when i run it under safe mode the log file is very different. It doesn't detect the oneclicksearches.com stuff.

how???

[kusash]

and by the way.. after i reboot from safe mode.. and run a scan on HJT i get the following..

Logfile of HijackThis v1.99.1
Scan saved at 8:28:11 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Symbol Commander\Sensiva.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\Toshiba\TapButton\TapButt.exe
C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\SMU-VPN\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.smu.edu.sg/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [Sensiva] "C:\Symbol Commander\Sensiva.exe"
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [TosRotation] "C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe"
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TapButt] C:\Program Files\Toshiba\TapButton\TapButt.exe
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\Toshiba\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SMU VPN Client.lnk = C:\Program Files\SMU-VPN\ipsecdialer.exe
O4 - Global Startup: PC Health.lnk = C:\Program Files\TOSHIBA\TOSHIBA Management Console\TOSHealthLocalS.vbs
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121407672833
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\Software\..\Telephony: DomainName = student.smu.edu.sg
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = student.smu.edu.sg
O20 - Winlogon Notify: loginkey - C:\WINDOWS\System32\loginkey.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\SMU-VPN\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

The thing is when i run it under safe mode the log file is very different. It doesn't detect the oneclicksearches.com stuff.

how???