Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Internet Optomizer, ISTsvc, ProSiteFinder + [RESOLVED]


  • This topic is locked This topic is locked

#1
Random User #412

Random User #412

    Member

  • Member
  • PipPip
  • 21 posts
I purchased this rather new computer at an extremely low price [Reason; It was already infected], and now I want to make it useable, without all sorts of Spyware problems. However, I need help removing most of them.

These are the programs which show up on the Add/Remove Programs list that I am not too sure about [Some of them I know are Spyware programs];

D-Helper Web Driver
Internet Optomizer
ISTsvc
Power Scan
ProSiteFinder
Select CashBack
SideFind
SlotchBar
Surf Accuracy
Surf SideKick
TContext
WierdOnTheWeb
Win-dh
[Also, on several occasions, I have been prompted to install 180SearchAssistant, the only one I got rid of myself (Or, at least, I thought I did)]

EDIT: I wish I had caught this before [It wasn't showing up then] but now I have the UCMore Toolbar on my Internet Explorer windows. It and The BullsEye Network have now shown up on the Add/Remove Programs list.

Here is my HijackThis Log;

Logfile of HijackThis v1.99.1
Scan saved at 12:08:50 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\runddls.exe
C:\WINDOWS\System32\MSASP32.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\Program Files\ProSiteFinder\prositefinder.exe
C:\WINDOWS\System32\9jnh31nk.exe
C:\WINDOWS\System32\wuamkop32.exe
C:\WINDOWS\pfhubsis.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\nppsole.exe
C:\WINDOWS\System32\Lenrui.exe
C:\WINDOWS\System32\MSASP32.exe
C:\WINDOWS\System32\ncoemgmt.exe
c:\msap32.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\system32\MSASP32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: (no name) - {00000000-0000-4751-B8C7-B54C6DA274E5} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [9jnh31nk] C:\WINDOWS\System32\9jnh31nk.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [uaRV7THT] C:\WINDOWS\pfhubsis.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\SHANEM~1\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [3s9W39R] nppsole.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Mbkerx.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Lenrui.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [IBq6RVdth] ncoemgmt.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe
O23 - Service: Windata Explorer32 (Windata Explorer) - Unknown owner - C:\WINDOWS\msdisplay.exe

Edited by Random User #412, 30 July 2005 - 04:37 PM.

  • 0

Advertisements


#2
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Run all these oline virus scans and tell me what they find.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://www3.ca.com/t...sinfo/scan.aspx

2. Then please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

Open Ewido again
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot and Post the report Ewido made and a new Hijackthis log here in a reply.
  • 0

#3
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Trend Micro;
TROJAN_ROOTKIT.E
TROJ_DLOADER.MG
TROJ_AGENT.NJ
TROJ_AGENT.RS
TROJ_AGENT.RS

Panda Active Scan;
Incident Status Location

Adware:Adware/Apropos No disinfected C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM32\LENRUI.EXE
Adware:Adware/DealHelper No disinfected C:\WINDOWS\SYSTEM32\MBKERX.EXE
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\9JNH31NK.EXE
Adware:Adware/Weirdontheweb No disinfected C:\PROGRAM FILES\WEIRDONTHEWEB\WEIRDONTHEWEB.EXE
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ProSiteFinder\ProSiteFinder.DLL
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ProSiteFinder\prositefinderh.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\bbchk.exe
Adware:adware/exactsearch No disinfected C:\WINDOWS\SYSTEM32\exdl.exe
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM32\HookPopup.dll
Adware:adware/ncase No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMP\180sainstaller.exe
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMP\auf0.exe
Adware:adware/apropos No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMP\cfout.txt
Spyware:spyware/istbar No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMP\iinstall.exe
Spyware:spyware/dyfuca No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMP\optimize.exe
Adware:adware/sidefind No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMP\sidefind.exe
Adware:adware/topconvert No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\website.ocx
Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\Ssk.log
Adware:adware/weirdontheweb No disinfected C:\DOCUMENTS AND SETTINGS\SHANE MOORE\FAVORITES\WeirdOnTheWeb.url
Adware:adware/delfinmedia No disinfected C:\keys.ini
Adware:adware/sahagent No disinfected C:\WINDOWS\shop1004.exe
Adware:adware/ucmore No disinfected C:\WINDOWS\ucmoreiex.exe
Adware:adware/powerscan No disinfected C:\PROGRAM FILES\Power Scan
Adware:adware/surfaccuracy No disinfected C:\PROGRAM FILES\SurfAccuracy
Adware:adware/cws No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/ISTACTIVEX.DLL
Adware:adware/mediatickets No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TESTCONTENTMATCHCONTROL1.CONTENTMATCHTAG.1
Adware:adware/exact.cashback No disinfected HKEY_CLASSES_ROOT\ADP.URLCATCHER
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\DDATE
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS
Adware:adware/wupd No disinfected HKEY_CLASSES_ROOT\CLSID\{15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6}
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\180sainstaller.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\auf0.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\AutoUpdate0\setup.inf
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\bb.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\Del10.tmp
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\Del1A.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\iA.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\iinstall.exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\optimize.exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\res11.tmp
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\sidefind.exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temp\V7QACVFO.dll
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\installer_SIAC[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\optimize[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\webservice[3].htm
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\website[1].ocx
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\weirdontheweb_topc[1].exe
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\GLMZ092F\bridge-c267[2].cab
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\GLMZ092F\bridge-c267[2].cab[MediaGatewayX.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\GLMZ092F\thin-114-1-x-x[1].exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\init[1].js
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\optimize314[1].exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\prompt_ie_win[1].js
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\protect[1].htm
Adware:Adware/nCase No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\stubinstaller5975[1].exe
Adware:Adware/Ucmore No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\ucmoreiex[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\nem220[1].dll
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\package_adp_SIAC[1].exe
Adware:Adware/SAHAgent No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\shop1005[1].exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\SSK3_B5[1].exe
Adware:Adware/Alexa-Toolbar No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\tcv[1].p
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\thisone[1].p
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\webservice[1].htm
Adware:Adware/Ucmore No disinfected C:\Documents and Settings\Shane Moore\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore No disinfected C:\Documents and Settings\Shane Moore\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk
Virus:Trj/Downloader.BWM Disinfected C:\ftplog.exe
Adware:Adware/PurityScan No disinfected C:\install_george.exe
Adware:Adware/Alexa-Toolbar No disinfected C:\msap32.exe
Spyware:Spyware/Dyfuca No disinfected C:\mssci32.exe
Adware:Adware/Alexa-Toolbar No disinfected C:\mssrv32.exe
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\BullsEye Network\bin\bargains.exe
Spyware:Spyware/ISTbar No disinfected C:\Program Files\ISTbar\cmctl.dll
Spyware:Spyware/ISTbar No disinfected C:\Program Files\ISTbar\istbarcm.dll
Spyware:Spyware/ISTbar No disinfected C:\Program Files\ISTbar\xml_istbar.xml
Spyware:Spyware/ISTbar No disinfected C:\Program Files\ISTsvc\istsvc.exe


Computer Associates Antivirus;
bb.exe Win32.SillyDl.JB
C:\Documents and Settings\Shane Moore\Local Settings\Temp\
dealhelper.exe Win32.SillyDl.FG
C:\Documents and Settings\Shane Moore\Local Settings\Temp\
installer_SIAC[1].exe Win32.SillyDl.JB
C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\
optimize[1].exe Win32.Dyfuca.E
C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\CHMJGTUJ\
optimize314[1].exe Win32.Dyfuca.P
C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\K1ANKHAR\
nem220[1].dll Win32.Dyfuca.D
C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\WXQ3KHUN\
AutoUpdate.exe Win32.Propo!downloader
C:\Program Files\AutoUpdate\
istsvc.exe Win32.SillyDl.PO infected C:\Program Files\ISTsvc\
A0003448.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP43\
A0003500.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003509.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003511.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003549.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003561.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003569.exe Win32.BettInet.BE
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003573.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003576.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003583.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0003965.exe Win32.BettInet.BE
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0005133.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0005134.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0005376.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0005378.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0006375.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0007375.sys Win32.Efewe.E
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0007378.exe Win32.BettInet.BD
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\
A0001903.exe Win32.BettInet.BD
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002408.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002410.dll Win32.BettInet
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002413.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002568.exe Win32.Imiserv.N
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002833.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002840.exe Win32.BettInet.BD
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002842.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002967.exe Win32.BettInet.BD
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002973.exe Win32.BettInet.BD
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002979.exe Win32.BettInet.BD
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002984.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002993.exe Win32.BettInet.BE
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0002996.exe Win32.SillyDl.TC
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0003005.dll Win32.BettInet
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0003023.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0003083.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0003100.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0004057.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0004095.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0004110.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006255.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006256.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006284.sys Win32.Efewe.E
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006300.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006313.exe Win32.Dyfuca.E
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006314.exe Win32.SillyDl.JB
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006315.dll Win32.Dyfuca.D
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006319.exe Win32.Dyfuca.E
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006321.exe Win32.WinAd.AK
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006330.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006348.exe Win32.Dyfuca.P
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006399.dll Win32.Dyfuca.D i
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006403.sys Win32.Efewe.E
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006418.exe Win32.SillyDl.PO
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006427.exe Win32.SillyDl.FG
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006436.exe Win32.SillyDl.JB
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006439.exe Win32.SillyDl.JC
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006453.dll Win32.Dyfuca.D
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
A0006491.exe Win32.SillyDl.MP
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\
installer_SIAC.exe Win32.SillyDl.JB
C:\WINDOWS\
nem220.dll Win32.Dyfuca.D
C:\WINDOWS\
optimize.exe Win32.Dyfuca.E
C:\WINDOWS\
rdriv.sys Win32.Efewe.E
C:\WINDOWS\SYSTEM32\

I am about to follow the procedures to be done in Safe Mode. I will update this post when I am done.


EDIT:

ewido security suite Log;

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:44:11 PM, 7/30/2005
+ Report-Checksum: 4004A67D

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\3Fqc1LMfWZaO -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\3Fqq1LMfWZaO -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{38601801-2FF5-4A62-95DA-D2007161C1B4} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FAA356E4-D317-42a6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0985C112-2562-46F2-8DA6-92648BA4630F} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{0E704BA4-C517-4BE7-A1CD-C3FFDA1E1FFE} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{339D8AFF-0B42-4260-AD82-78CE605A9543} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4FE82BA0-9335-4D4E-8E98-76409A88F2C1} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A36A5936-CFD9-4B41-86BD-319A1931887F} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{ACE5B10B-92A3-4103-8583-3684BB09409F} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTbar.BarObj -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTbar.BarObj\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\SideFind.Finder -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{487E7682-B976-41FB-A944-E8B83689A454} -> Spyware.TopConverting : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{58634367-D62B-4C2C-86BE-5AAC45CDB671} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{67907B3C-A6EF-4A01-99AD-3FCD5F526429} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0288A41-9855-4A9B-8316-BABE243648DA} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E9A5B71C-093B-4F34-AF07-34FCA89BA0DF} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\dealhelper -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\dealhelper\KeyWord -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\Tasks -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\ISTbar -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\ISTbar\Historyfiles -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\ISTbar\Historystring -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\SideFind -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dealhelper -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTbar -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ISTsvc -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SideFind -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\PowerScan -> Spyware.PowerScan : Cleaned with backup
HKLM\SOFTWARE\SideFind -> Spyware.SideFind : Cleaned with backup
HKLM\SOFTWARE\SideFind\History -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Effective-i -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Effective-i\TheSearchAccelerator -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Effective-i\TheSearchAccelerator\IE5 -> Spyware.EffectiveBrandToolbar : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\IST -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Maxthon\Plugin\toolbar\{44BE0690-5429-47f0-85BB-3FFD8020233E} -> Spyware.UCmore : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1004336348-813497703-1957994488-1003\Software\PowerScan -> Spyware.PowerScan : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Shane Moore\Cookies\shane moore@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Shane Moore\Local Settings\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Shane Moore\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\Shane Moore\Local Settings\Temp\bb.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Shane Moore\Local Settings\Temp\dealhelper.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\Documents and Settings\Shane Moore\Local Settings\Temp\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Documents and Settings\Shane Moore\Local Settings\Temporary Internet Files\Content.IE5\SLQB8923\website[1].ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\install_george.exe -> Spyware.PurityScan : Cleaned with backup
C:\mssrv32.exe -> TrojanDownloader.WinAD.h : Cleaned with backup
C:\mswinset.exe -> TrojanDownloader.Dyfuca.em : Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\Program Files\ISTbar\cmctl.dll -> Spyware.AdMir : Cleaned with backup
C:\Program Files\ISTsvc\istsvc.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Program Files\Power Scan\powerscan.exe -> Spyware.PowerScan : Cleaned with backup
C:\Program Files\Power Scan\uninstall.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\Program Files\ProSiteFinder\ProSiteFinder.dll -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\ProSiteFinder\prositefinder.exe -> Spyware.ClearSearch : Cleaned with backup
C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind : Cleaned with backup
C:\Program Files\SideFind\sidefind.dll -> Spyware.SideFind : Cleaned with backup
C:\Program Files\SideFind\update\sidefind.exe -> TrojanDownloader.IstBar.jm : Cleaned with backup
C:\Program Files\SurfAccuracy\SAcc.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\Program Files\SurfAccuracy\SAccU.exe -> Spyware.SurfAccuracy : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll -> Spyware.UCmore : Cleaned with backup
C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe -> Spyware.WeirWeb : Cleaned with backup
C:\RECYCLER\S-1-5-21-1004336348-813497703-1957994488-500\Dc41.exe -> TrojanDownloader.IstBar.jt : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP331\A0217831.dll -> TrojanDownloader.Rameh.c : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP331\A0218003.dll -> Spyware.WildTangent : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP340\A0221518.exe -> Spyware.CommonName : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP341\A0224731.dll -> Spyware.MBKWBar : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP43\A0003448.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003492.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003500.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003504.dll -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003509.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003511.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003520.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003525.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003526.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003527.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003528.exe -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003538.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003545.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003546.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003549.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003561.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003567.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003569.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003573.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003576.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003579.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003583.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0003965.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0004919.exe -> Spyware.CommonName.j : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0004920.exe -> Spyware.CommonName : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0004921.dll -> Spyware.CommonName : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005035.dll -> Spyware.CommonName : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005036.exe -> Spyware.CommonName : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005037.SYS -> Trojan.Rootkit.Agent.q : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005069.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005133.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005134.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005376.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0005378.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0006375.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0007375.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{A3A5DD2B-1FB1-459C-8D45-F48884312160}\RP44\A0007378.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001873.exe -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001875.exe -> Adware.Saha : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001876.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001877.exe -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001882.exe -> Spyware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001903.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001905.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0001994.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002408.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002410.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002413.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002420.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002427.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002428.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002432.EXE -> Spyware.SmartPops : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002568.exe/enhupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002833.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002840.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002842.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002903.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002909.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002967.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002973.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002979.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002984.exe -> TrojanDownloader.Small.aqt : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002986.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002987.exe -> TrojanDownloader.Small.asf : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002990.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002990.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002991.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002992.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002993.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002996.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002997.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{E15A3E71-D5CC-404D-8788-A13F2C64CE5A}\RP5\A0002998.exe -> Trojan.Imiserv.c : Cleaned with

Edited by Random User #412, 30 July 2005 - 09:49 PM.

  • 0

#4
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Post a new Hijackthis log here in a reply.
  • 0

#5
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Logfile of HijackThis v1.99.1
Scan saved at 4:46:10 PM, on 7/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nppsole.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\WINDOWS32.exe
C:\WINDOWS\System32\ncoemgmt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-4751-B8C7-B54C6DA274E5} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [9jnh31nk] C:\WINDOWS\System32\9jnh31nk.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [uaRV7THT] C:\WINDOWS\pfhubsis.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\SHANEM~1\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [3s9W39R] nppsole.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Mbkerx.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Lenrui.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [IBq6RVdth] ncoemgmt.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c267.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe (file missing)
  • 0

#6
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: (no name) - {00000000-0000-4751-B8C7-B54C6DA274E5} - C:\Program Files\ProSiteFinder\ProSiteFinder.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [9jnh31nk] C:\WINDOWS\System32\9jnh31nk.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [uaRV7THT] C:\WINDOWS\pfhubsis.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\SHANEM~1\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [3s9W39R] nppsole.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Mbkerx.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Lenrui.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\RunServices: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamkop32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKCU\..\Run: [MS Auto-IPSec Protection] MSASP32.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [IBq6RVdth] ncoemgmt.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c267.cab
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe (file missing)

4. Delete the folders. (if present)

C:\Program Files\Aprps
C:\Program Files\WeirdOnTheWeb\
C:\Program Files\SurfSideKick 3\
C:\Program Files\ProSiteFinder\
C:\Program Files\Media Gateway\
C:\Program Files\ISTsvc\
C:\Program Files\SurfAccuracy\
C:\Program Files\BullsEye Network\
C:\Program Files\Power Scan\
C:\Program Files\AutoUpdate\

5. Delete the files. (if present)

C:\WINDOWS\SYSTEM32\LENRUI.EXE
C:\WINDOWS\SYSTEM32\MBKERX.EXE
C:\WINDOWS\SYSTEM32\bbchk.exe
C:\WINDOWS\SYSTEM32\exdl.exe
C:\WINDOWS\SYSTEM32\HookPopup.dll
C:\keys.ini
C:\WINDOWS\shop1004.exe
C:\WINDOWS\ucmoreiex.exe
C:\WINDOWS\System32\9jnh31nk.exe
C:\WINDOWS\pfhubsis.exe
C:\Documents and Settings\Shane Moore\Local Settings\Temp\cxtpls_loader.exe
C:\WINDOWS\System32\Mbkerx.exe
C:\WINDOWS\System32\Lenrui.exe
C:\install_george.exe
C:\msap32.exe
C:\mssci32.exe
C:\mssrv32.exe
C:\WINDOWS\System32\mousecm.exe

These files might either be found in C:\ C:\Windows or C:\Windows\System32 if found delete.

wuamkop32.exe
runddls.exe
MSASP32.exe
nppsole.exe
WINDOWS32.exe
ncoemgmt.exe

6. Reboot and post a new Hijackthis log here in a reply.
  • 0

#7
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Logfile of HijackThis v1.99.1
Scan saved at 8:17:11 PM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\tftp.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Mouse Click Monitor (mousecm) - Unknown owner - C:\WINDOWS\System32\mousecm.exe (file missing)
  • 0

#8
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Go to start, run type "services.msc" with out the quotes find the service.

Mouse Click Monitor

Right click and stop it, make the start up type to disabled. When you have done that go into Hijackthis > open the misc tools section > delete an NT service and delete mousecm. Then post a new Hijackthis log here in a reply.
  • 0

#9
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Logfile of HijackThis v1.99.1
Scan saved at 3:11:35 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\WINDOWS\System32\runddls.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\RunServices: [Windows AutomaticUpdater] runddls.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#10
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

O4 - HKLM\..\Run: [Windows AutomaticUpdater] runddls.exe
O4 - HKLM\..\RunServices: [Windows AutomaticUpdater] runddls.exe

5. Delete the files. (if present)

These files might either be found in C:\ C:\Windows or C:\Windows\System32 if found delete.

runddls.exe

6. Reboot and post a new Hijackthis log here in a reply.

Also go to http://virusscan.jotti.org/ and upload C:\Windows\Explorer.exe and tell me the results.
  • 0

Advertisements


#11
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Jotti Results;

File: Explorer.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 a82b28bfc2e4455fe43022a498c0ef0a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found W32/SDBot.E0C5-net
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Logfile of HijackThis v1.99.1
Scan saved at 3:50:53 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
  • 0

#12
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
Ok as you have had lots of infections before I want to say you are clean use your PC as you would for about a day or so then post a new Hijackthis log here in a reply for me to make sure its still clean.
  • 0

#13
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Okay, thanks. I'll post a new HijackThis Log in a day or so.

EDIT: I have a question. Some of the programs still show up on the Add/Remove Programs window. I this normal? Should I delete them, or leave them for now?

Edited by Random User #412, 02 August 2005 - 08:01 PM.

  • 0

#14
therock247uk

therock247uk

    Expert

  • Expert
  • 14,671 posts
  • MVP
You can delete them with Hijackthis open Hijackthis click open the misc tools section > uninstall manager.
  • 0

#15
Random User #412

Random User #412

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Okay, I'll do that.

Here is the newest HijackThis Log;

EDIT; I scanned again shortly after the first scan, and two new entries showed up - The two 04 ones.

Logfile of HijackThis v1.99.1
Scan saved at 3:05:17 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\WINDOWS32.exe
C:\WINDOWS\System32\ss.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Shane Moore\Desktop\HijackThis\HijackThis.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
O4 - HKLM\..\Run: [WINDOWS STARTUP] WINDOWS32.exe
O4 - HKLM\..\RunServices: [WINDOWS STARTUP] WINDOWS32.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Edited by Random User #412, 03 August 2005 - 07:07 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP