Hijack this log help [RESOLVED]


  • This topic is locked

#1
hobie2

  • Member
  • 10 posts
I am having serious problems with my laptop. I can boot into safe mode, but when I now try to boot into normal mode I can't click anything with the mouse. I have run ms antispyware, adaware, panda online scanner and trendmicro av trial version. I would appreciate any help you could provide.

Thank you in advance

Hobie2

Logfile of HijackThis v1.99.1
Scan saved at 5:11:53 PM, on 9/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Miriam\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ampmsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshlimn.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kqwawiu.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Winsecure Antivirus] SECUREANTIVIRUS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [avnspril] c:\windows\system32\avnspril.exe
O4 - HKLM\..\Run: [Volume Controller] VolumeControl.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Miriam\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [xctxxkv] C:\WINDOWS\xctxxkv.EXE
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Miriam\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [yjuwenc] C:\WINDOWS\yjuwenc.EXE
O4 - HKLM\..\RunServices: [Volume Controller] VolumeControl.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Volume Controller] VolumeControl.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\RunServices: [Volume Controller] VolumeControl.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125873050593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125899053218
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlyaWFt\command.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\urzrmrd.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\qchfsvc.exe
  • 0


#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

My, that's bad :tazz: OK, if you can't download these programs in Safe Mode, get them from another computer and burn them on a CD so you can install them on this computer.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
    o You will need to step through the process of cleaning files one-by-one.
    o If Ewido detects a file you KNOW to be legitimate, select none as the action.
    o Do NOT select 'Perform action on all infections'
    o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ampmsearch.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://qus8l.hpwis.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: PicShow Class - {4487598C-2EC7-43A2-870E-6D8D720FDD9F} - C:\WINDOWS\System32\pkshlimn.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kqwawiu.dll (file missing)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Winsecure Antivirus] SECUREANTIVIRUS.EXE
O4 - HKLM\..\Run: [avnspril] c:\windows\system32\avnspril.exe
O4 - HKLM\..\Run: [Volume Controller] VolumeControl.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Miriam\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [xctxxkv] C:\WINDOWS\xctxxkv.EXE
O4 - HKLM\..\Run: [System service65] C:\WINDOWS\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O4 - HKLM\..\Run: [GsAds] C:\WINDOWS\System32\gms2.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\Miriam\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [yjuwenc] C:\WINDOWS\yjuwenc.EXE
O4 - HKLM\..\RunServices: [Volume Controller] VolumeControl.exe
O4 - HKCU\..\Run: [Volume Controller] VolumeControl.exe
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\System32\pshwr.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\RunServices: [Volume Controller] VolumeControl.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....iTunesSetup.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlyaWFt\command.exe (file missing)
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\urzrmrd.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\qchfsvc.exe


Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Uninstall these via the Add/Remove panel if listed:

Ebates
winCMAPP

WildTangent - This is an online gaming package that is installed by a number of third party applications and even OEMs, ISPs and AIM. The games aspect of this is really rather cool. The being installed without you asking for it isn't cool at all. They collect information about you and your usage. We recommend uninstalling it.


Locate and delete the following:

c:\Program Files\Ebates_MoeMoneyMaker\
c:\Program Files\WildTangent\
c:\Program Files\winCMAPP\
c:\WINDOWS\etb\
C:\WINDOWS\Nail.exe
c:\WINDOWS\qchfsvc.exe
c:\WINDOWS\svcproc.exe
c:\windows\system32\avnspril.exe
c:\WINDOWS\System32\gms2.exe
c:\WINDOWS\system32\kqwawiu.dll
c:\WINDOWS\System32\medgs1.exe
c:\WINDOWS\System32\opr.exe
c:\WINDOWS\System32\pkshlimn.dll
c:\WINDOWS\System32\pshwr.exe
c:\WINDOWS\system32\ssisvr32.exe
c:\WINDOWS\TWlyaWFt\
c:\WINDOWS\urzrmrd.exe
c:\WINDOWS\xctxxkv.EXE
c:\WINDOWS\yjuwenc.EXE
repairs.dll
SECUREANTIVIRUS.EXE
VolumeControl.exe


Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.

Can you get to Normal Mode now? If so, make sure the HijackThis log is in Normal Mode (please tell me if you still can't get into Normal Mode if it's a problem).
  • 0
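
The kind of review behind a fix list like the one above can be partly mechanised. The Python below is an added example, not part of the original post and not greyknight17's method: it parses HijackThis v1.99.1 entry lines and applies a few illustrative triage rules. The rule set, the function names and the sample (an excerpt of the first log in this thread) are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the first HijackThis log in this thread; header and process
# lines are included on purpose to show that the parser skips them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\kqwawiu.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\Miriam\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [xctxxkv] C:\WINDOWS\xctxxkv.EXE
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\System32\medgs1.exe
O20 - AppInit_DLLs: repairs.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\urzrmrd.exe
"""

# Entry lines look like "O4 - <detail>"; everything else is header or process list.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")
# First drive-letter path ending in a loadable image, quoted or not.
PATH_RE = re.compile(r'[a-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.IGNORECASE)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
SHELL_RE = re.compile(r"Shell=(?P<value>.*)$", re.IGNORECASE)

# Reason labels (wording is this example's own).
MISSING = "target file is missing (orphaned entry)"
UNKNOWN_OWNER = "service reported with 'Unknown owner'"
TEMP = "autostart target lives in a Temp directory"
WINROOT = "binary sits directly in the Windows directory"
SHELL = "Shell value launches more than Explorer.exe"
APPINIT = "AppInit_DLLs is set"

WINROOT_ALLOW = {"explorer.exe"}  # assumption: minimal allowlist for the example


@dataclass
class Entry:
    code: str
    detail: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a HijackThis entry line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PATH_RE.search(m["detail"])
    return Entry(m["code"], m["detail"], p.group(0) if p else None)


def flag(entry: Entry) -> List[str]:
    """Apply the illustrative rules; an empty list means no rule fired."""
    reasons = []
    detail, path = entry.detail, entry.path
    if "(file missing)" in detail:
        reasons.append(MISSING)
    if entry.code == "O23" and " - Unknown owner - " in detail:
        reasons.append(UNKNOWN_OWNER)
    if path and TEMP_RE.search(path):
        reasons.append(TEMP)
    if entry.code in ("F2", "O4", "O23") and path and WINROOT_RE.match(path):
        if path.rsplit("\\", 1)[1].lower() not in WINROOT_ALLOW:
            reasons.append(WINROOT)
    if entry.code == "F2":
        s = SHELL_RE.search(detail)
        if s and s["value"].strip().lower() != "explorer.exe":
            reasons.append(SHELL)
    if entry.code == "O20" and detail.startswith("AppInit_DLLs:"):
        if detail.split(":", 1)[1].strip():
            reasons.append(APPINIT)
    return reasons


def triage(log_text: str) -> List[Entry]:
    """Parse a whole log and return only the entries that tripped a rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        entry.reasons = flag(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:<4}{'; '.join(e.reasons)}\n    {e.detail}")
```

`medgs1.exe` is on the fix list in the post above yet trips none of these rules, so the output is a shortlist for a reviewer rather than a verdict.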

#3
hobie2

  • Topic Starter
  • Member
  • 10 posts
Thank you for the instructions greynight17. I will work on them tonight and post the information you reqested.
  • 0

#4
hobie2

  • Topic Starter
  • Member
  • 10 posts
Obviously I can't spell requested!
  • 0

#5
hobie2

  • Topic Starter
  • Member
  • 10 posts
Here are the log files you requested.

Should this be removed
(O4 - HKLM\..\Run: [pdsnnkk] C:\WINDOWS\pdsnnkk.EXE)?

hijackthis run in normal mode
Logfile of HijackThis v1.99.1
Scan saved at 10:47:00 PM, on 9/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\pdsnnkk.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Miriam\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [pdsnnkk] C:\WINDOWS\pdsnnkk.EXE
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125873050593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125899053218
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

+++++++++
Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:51:33 PM, 9/16/2005
+ Report-Checksum: 82028E18

+ Scan result:

C:\Program Files\Securexam Student\ssi_student.exe -> Heuristic.Win32.AVKiller : Ignored
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\_rtneg2 -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\_rtneg2\eeennn -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\_rtneg2\kkws -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\_rtneg2\ppops -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\_rtneg2\reel -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-560166912-1027346948-1536049589-1007\Software\_rtneg2\ssites -> Spyware.Begin2Search : Cleaned with backup
C:\Documents and Settings\Miriam\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\Program Files\CMAPP\cmappstub.exe -> TrojanDownloader.Agent.tf : Cleaned with backup
C:\Program Files\CMSystem\CMSystem.exe -> Spyware.CASClient : Cleaned with backup
C:\Program Files\CMSystem\plugin.dll -> Spyware.CASClient : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\12D58F22-59DA-4D3B-A7B6-253A06\FEAE3812-5B7D-4B18-AD5E-1C789A -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3844EFAD-0BA4-4347-9E93-FF1388\178DBF4E-BEFD-4564-94DB-37BD11 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4105A176-D73C-494F-BF78-02B9A9\E3D5E0DE-21C7-4B28-A728-8DAF2A -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\56F4E12A-34E9-4EE7-B8D5-2EC98F\EE92C6A5-98A0-491D-BA6E-06123F -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C50A34EE-55F7-49E8-9BAA-B7E02A\83489111-2613-4266-85DB-B1CA72 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\DDB0D6B7-6D5D-49EF-ACB4-FB1884\1AF3FA4E-B120-4F66-BD39-A7E4F8 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E0BE136C-4670-419D-BC3F-D31031\8D5FEDF0-344F-4036-A046-7B54BB -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\WINDOWS\brmyictusnv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\lumkzim.exe -> TrojanDropper.Agent.tb : Cleaned with backup
C:\WINDOWS\puljhti.exe -> TrojanDropper.Agent.tb : Cleaned with backup
C:\WINDOWS\system\QBTool.exe -> Trojan.Registrator.b : Cleaned with backup
C:\WINDOWS\system32\epb7wyc.dll -> Trojan.Kolweb.a : Cleaned with backup
C:\WINDOWS\system32\hxrtet.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\netlanm.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\nsd252.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\system32\otuxjg.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\system32\pkshfrfe.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\pkshlimn.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\pkshzbyu.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\pshwr.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\sav2.exe -> TrojanDownloader.Apropo.aj : Cleaned with backup
C:\WINDOWS\undiea.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\urzrmrd.exe -> TrojanDropper.Agent.tb : Cleaned with backup
C:\WINDOWS\visfxun.exe -> TrojanDownloader.VB.kd : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\yjuwenc.exe -> Spyware.Hijacker.Generic : Cleaned with backup

::Report End

+++++++
FindIT

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 09/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\RMAGEN~1.DLL
* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\2OG9BEUO.INI
* SAHAgent C:\WINDOWS\System32\G7TQQ760.INI
* SAHAgent C:\WINDOWS\System32\KKC8K2NF.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 44B0-3C2E

Directory of C:\WINDOWS\SYSTEM32

04/06/2005 05:19 PM <DIR> cache32_rtneg2
09/04/2005 10:58 AM <DIR> cache32_rtneg4
0 File(s) 0 bytes
2 Dir(s) 34,333,212,672 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 44B0-3C2E

Directory of C:\WINDOWS\system32

09/05/2005 03:25 PM 1,406 AddQuit.ico
03/20/2005 08:34 PM 2,998 bball.ico
01/27/2005 09:48 PM 2,526 bikini31.ico
04/22/2005 12:42 PM 3,262 bingo_big2.ico
09/04/2005 10:58 AM 3,262 bingo_big31.ico
09/04/2005 11:00 AM 3,262 bingo_big3123.ico
11/15/2004 04:27 PM 3,262 body2.ico
12/16/2004 12:07 PM 3,262 bubbles-ke2.ico
12/12/2004 01:38 PM 3,262 bubbles-ki.ico
01/22/2005 12:40 PM 2,526 bum.ico
11/04/2004 12:47 AM 2,238 celebslifestyle1.ico
03/15/2005 09:48 PM 3,262 conver radio 32x32-21.ico
12/17/2004 02:26 PM 3,262 creditcard321.ico
05/11/2005 07:18 PM 3,262 creditcard32123123123asdsa.ico
05/11/2005 07:18 PM 3,262 creditcard32123123123asdsa1.ico
09/04/2005 10:58 AM 3,262 creditcard32123123123asdsa12.ico
09/04/2005 11:00 AM 3,262 creditcard32123123123asdsa123.ico
01/11/2005 10:29 PM 4,286 datingpof1.ico
09/05/2005 03:25 PM 9,470 Desktop.ico
11/17/2004 08:55 PM 1,078 disk01.ico
03/23/2005 11:45 PM 3,262 eye41.ico
01/15/2005 11:22 AM 1,406 favicon(1)1.ico
12/12/2004 01:38 PM 4,286 greenmovie.ico
12/16/2004 12:07 PM 4,286 greenmovie2.ico
03/05/2005 04:30 PM 4,286 greenmovie2311.ico
03/06/2005 08:07 PM 4,286 greenmovie2313.ico
03/13/2005 11:08 AM 4,286 greenmovie2313asa.ico
04/06/2005 05:19 PM 4,286 greenmovie2313asaadsasfad.ico
05/11/2005 07:18 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
09/04/2005 11:00 AM 4,286 greenmovie2313asaadsasfad112341231adsfa1.ico
09/04/2005 10:58 AM 4,286 greenmovie2313asaadsasfad112341231adsfa123.ico
09/05/2005 03:25 PM 1,406 Help.ico
03/05/2005 04:30 PM 3,262 hotbod.ico
03/02/2005 08:35 PM 3,262 hotbod123121.ico
02/18/2005 11:15 AM 2,526 ibm laptop1.ico
03/05/2005 04:30 PM 2,526 ibm laptop21.ico
03/31/2005 12:38 AM 2,526 ibm laptop31.ico
03/05/2005 04:30 PM 3,262 ico_bikini49_gif_32x32.ico
09/05/2005 03:25 PM 5,350 IE.ico
12/09/2004 12:28 PM 4,286 internet popup blocker1.ico
03/07/2005 07:58 PM 3,262 kas pink1233.ico
03/23/2005 05:07 PM 3,262 kas pink1233a1.ico
04/14/2005 07:41 PM 3,262 kas pink1233aadsfa.ico
03/31/2005 12:38 AM 3,262 kas pink1233aadsfa1.ico
04/15/2005 12:25 AM 3,262 kas pink1233aadsfa12.ico
01/15/2005 11:22 AM 2,526 kas123123211.ico
02/27/2005 09:44 PM 3,262 kas4b.ico
03/15/2005 09:48 PM 3,262 kas4c1.ico
02/12/2005 11:25 AM 2,526 kasant1.ico
02/18/2005 11:15 AM 4,286 kevid231231.ico
04/07/2005 08:19 AM 4,286 kevid231231aa.ico
09/04/2005 11:00 AM 3,262 kill all spyware.ico
12/09/2004 12:28 PM 4,286 kill all spyware212345.ico
02/18/2005 11:15 AM 4,286 kill all spyware212412431.ico
03/09/2005 06:31 PM 4,286 kill all spyware2124124311.ico
02/08/2005 08:14 PM 4,286 kill all spyware32a1.ico
03/02/2005 08:35 PM 4,286 kill all spyware33a1.ico
03/05/2005 04:30 PM 3,262 kill all spyware4.ico
03/11/2005 10:40 PM 3,262 kill all spyware451.ico
12/09/2004 12:28 PM 3,262 kill evidence 3.ico
01/27/2005 09:48 PM 2,526 kill internet popups12.ico
11/11/2004 06:11 PM 4,286 kill internet popups51.ico
04/25/2005 11:10 PM 3,262 kill popups.ico
04/25/2005 11:10 PM 3,262 kill spyware1.ico
04/25/2005 11:10 PM 3,262 kill spyware12.ico
01/20/2005 08:15 PM 4,286 kill xp popups 331.ico
12/17/2004 02:26 PM 3,262 killallspyware00.ico
02/18/2005 11:15 AM 3,262 killinternetpops32121.ico
03/02/2005 08:36 PM 3,262 kspy1.ico
01/13/2005 04:03 PM 2,526 laptop41.ico
03/02/2005 08:35 PM 1,078 mac02.ico
03/23/2005 11:45 PM 4,286 moviescirc2.ico
10/28/2004 07:12 PM 4,286 moviesorange2.ico
03/02/2005 08:35 PM 4,286 moviesorangecirc1.ico
03/13/2005 11:08 AM 4,286 mp3 players4sale1.ico
03/23/2005 11:45 PM 4,286 mp3 players4salea.ico
03/09/2005 10:10 AM 4,286 mp3red51a.ico
05/11/2005 07:18 PM 4,286 mp3red51aads.ico
09/05/2005 03:25 PM 1,718 Open.ico
03/05/2005 04:30 PM 3,262 poker11212.ico
03/11/2005 10:40 PM 4,286 pop up blaster.ico
02/17/2005 10:28 PM 4,286 pop up blaster1.ico
09/04/2005 10:58 AM 4,286 pop up blaster1232131.ico
09/04/2005 10:58 AM 4,286 pop up blaster12321312.ico
01/11/2005 10:29 PM 16,614 popupblocker231.ico
05/11/2005 07:18 PM 16,614 popupblocker3.ico
05/11/2005 07:18 PM 16,614 popupblocker31.ico
01/23/2005 09:37 PM 4,286 popupkiller123123a.ico
04/14/2005 07:41 PM 3,262 popupkiller2asdf.ico
04/15/2005 12:25 AM 3,262 popupkiller2asdf1.ico
01/30/2005 02:12 PM 3,262 pp_red1221.ico
09/05/2005 03:25 PM 1,718 Quick.ico
04/01/2005 02:44 PM 2,238 red_kas1.ico
05/11/2005 07:18 PM 2,238 red_kas21.ico
09/04/2005 10:58 AM 3,262 ringtone21.ico
01/30/2005 02:12 PM 19,942 securefavorites.ico
09/04/2005 10:58 AM 3,262 sony psp1.ico
09/05/2005 03:25 PM 2,550 Uninstall.ico
01/29/2005 05:30 AM 4,286 usagold312.ico
03/02/2005 08:35 PM 3,262 usaplat1231231231.ico
12/12/2004 01:38 PM 4,286 usaplatinum.ico
01/15/2005 11:22 AM 4,286 usaplatinum12.ico
01/29/2005 05:30 AM 4,286 usaplatinum12342342341.ico
01/08/2005 01:17 PM 4,286 usaplatinum609.ico
11/22/2004 10:56 AM 4,286 usaplatinum61.ico
12/17/2004 02:26 PM 3,262 usplat151.ico
01/23/2005 09:37 PM 3,262 usplat15112.ico
05/11/2005 07:18 PM 3,262 vhe233a1.ico
04/25/2005 11:10 PM 19,942 virus hunter yeah1.ico
12/07/2004 02:11 PM 19,942 virushunter1.ico
03/05/2005 04:30 PM 19,942 virushunter1231.ico
01/30/2005 02:12 PM 19,942 virushunter231.ico
12/17/2004 02:26 PM 19,942 virushunter31.ico
09/04/2005 11:00 AM 19,942 virushunter4.ico
10/26/2004 05:08 PM 19,942 wmkiller2.ico
09/04/2005 10:58 AM 3,262 xboxab.ico
09/04/2005 10:58 AM 3,262 xboxab1.ico
12/17/2004 02:26 PM 3,262 xmas.ico
12/16/2004 12:07 PM 3,262 xox23_icon.ico
01/07/2005 03:40 PM 3,262 yuk or yum 41.ico
12/09/2004 12:28 PM 3,262 yuk or yum 7.ico
02/17/2005 10:28 PM 3,262 yuk or yum 7adsfas1.ico
12/07/2004 02:11 PM 3,262 yuk or yum.ico
01/23/2005 09:37 PM 5,182 yuk or yum1a.ico
124 File(s) 603,416 bytes
0 Dir(s) 34,333,200,384 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

HKEY_CURRENT_USER\Software\aurora\AUI3d5OfSInst
HKEY_CURRENT_USER\Software\aurora\AUC3n5trMsgSDisp
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky1S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky2S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky3S
HKEY_CURRENT_USER\Software\aurora\AUs3t5icky4S
HKEY_CURRENT_USER\Software\aurora\AUC1o3d5eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUT3i5m7eOfSFinalAd
HKEY_CURRENT_USER\Software\aurora\AUD3s5tSSEnd
HKEY_CURRENT_USER\Software\aurora\AU3N5a7tionSCode
HKEY_CURRENT_USER\Software\aurora\AUP3D5om
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSCheckSIn
HKEY_CURRENT_USER\Software\aurora\AUT3h5rshSMots
HKEY_CURRENT_USER\Software\aurora\AUM3o5deSSync
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSCab
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSEx
HKEY_CURRENT_USER\Software\aurora\AUI3n5ProgSLstest
HKEY_CURRENT_USER\Software\aurora\AUC3n5tFyl
  • 0

#6
hobie2


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
More ?'s. Should I turn off system restore when I perform the repairs? Does system restore work in safe mode?
  • 0

#7
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
NO. Don't run System Restore...we usually don't ask users to do this unless it's absolutely necessary. So leave it alone. It might even be infected, so don't use it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\ and delete aurora

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Check and fix these in HijackThis:

O4 - HKLM\..\Run: [pdsnnkk] C:\WINDOWS\pdsnnkk.EXE
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll - unless you know what this is for, fix it
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe


Delete these if found:

C:\WINDOWS\RMAGEN~1.DLL
C:\WINDOWS\System32\2OG9BEUO.INI
C:\WINDOWS\System32\G7TQQ760.INI
C:\WINDOWS\System32\KKC8K2NF.INI
C:\WINDOWS\pdsnnkk.EXE
C:\Program Files\CMSystem\ - unless you know what this is for, delete it
C:\WINDOWS\system32\ssisvr32.exe


OK, it will take me a while to format this, so instead I want you to do this (since you will have to delete them anyway). Delete all the below files in green. They should be under the c:\windows\system32\ folder:

09/05/2005 03:25 PM 1,406 AddQuit.ico
03/20/2005 08:34 PM 2,998 bball.ico
01/27/2005 09:48 PM 2,526 bikini31.ico
04/22/2005 12:42 PM 3,262 bingo_big2.ico
09/04/2005 10:58 AM 3,262 bingo_big31.ico
09/04/2005 11:00 AM 3,262 bingo_big3123.ico
11/15/2004 04:27 PM 3,262 body2.ico
12/16/2004 12:07 PM 3,262 bubbles-ke2.ico
12/12/2004 01:38 PM 3,262 bubbles-ki.ico
01/22/2005 12:40 PM 2,526 bum.ico
11/04/2004 12:47 AM 2,238 celebslifestyle1.ico
03/15/2005 09:48 PM 3,262 conver radio 32x32-21.ico
12/17/2004 02:26 PM 3,262 creditcard321.ico
05/11/2005 07:18 PM 3,262 creditcard32123123123asdsa.ico
05/11/2005 07:18 PM 3,262 creditcard32123123123asdsa1.ico
09/04/2005 10:58 AM 3,262 creditcard32123123123asdsa12.ico
09/04/2005 11:00 AM 3,262 creditcard32123123123asdsa123.ico
01/11/2005 10:29 PM 4,286 datingpof1.ico
09/05/2005 03:25 PM 9,470 Desktop.ico
11/17/2004 08:55 PM 1,078 disk01.ico
03/23/2005 11:45 PM 3,262 eye41.ico
01/15/2005 11:22 AM 1,406 favicon(1)1.ico
12/12/2004 01:38 PM 4,286 greenmovie.ico
12/16/2004 12:07 PM 4,286 greenmovie2.ico
03/05/2005 04:30 PM 4,286 greenmovie2311.ico
03/06/2005 08:07 PM 4,286 greenmovie2313.ico
03/13/2005 11:08 AM 4,286 greenmovie2313asa.ico
04/06/2005 05:19 PM 4,286 greenmovie2313asaadsasfad.ico
05/11/2005 07:18 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
09/04/2005 11:00 AM 4,286 greenmovie2313asaadsasfad112341231adsfa1.ico
09/04/2005 10:58 AM 4,286 greenmovie2313asaadsasfad112341231adsfa123.ico
09/05/2005 03:25 PM 1,406 Help.ico
03/05/2005 04:30 PM 3,262 hotbod.ico
03/02/2005 08:35 PM 3,262 hotbod123121.ico
02/18/2005 11:15 AM 2,526 ibm laptop1.ico
03/05/2005 04:30 PM 2,526 ibm laptop21.ico
03/31/2005 12:38 AM 2,526 ibm laptop31.ico
03/05/2005 04:30 PM 3,262 ico_bikini49_gif_32x32.ico
09/05/2005 03:25 PM 5,350 IE.ico
12/09/2004 12:28 PM 4,286 internet popup blocker1.ico
03/07/2005 07:58 PM 3,262 kas pink1233.ico
03/23/2005 05:07 PM 3,262 kas pink1233a1.ico
04/14/2005 07:41 PM 3,262 kas pink1233aadsfa.ico
03/31/2005 12:38 AM 3,262 kas pink1233aadsfa1.ico
04/15/2005 12:25 AM 3,262 kas pink1233aadsfa12.ico
01/15/2005 11:22 AM 2,526 kas123123211.ico
02/27/2005 09:44 PM 3,262 kas4b.ico
03/15/2005 09:48 PM 3,262 kas4c1.ico
02/12/2005 11:25 AM 2,526 kasant1.ico
02/18/2005 11:15 AM 4,286 kevid231231.ico
04/07/2005 08:19 AM 4,286 kevid231231aa.ico
09/04/2005 11:00 AM 3,262 kill all spyware.ico
12/09/2004 12:28 PM 4,286 kill all spyware212345.ico
02/18/2005 11:15 AM 4,286 kill all spyware212412431.ico
03/09/2005 06:31 PM 4,286 kill all spyware2124124311.ico
02/08/2005 08:14 PM 4,286 kill all spyware32a1.ico
03/02/2005 08:35 PM 4,286 kill all spyware33a1.ico
03/05/2005 04:30 PM 3,262 kill all spyware4.ico
03/11/2005 10:40 PM 3,262 kill all spyware451.ico
12/09/2004 12:28 PM 3,262 kill evidence 3.ico
01/27/2005 09:48 PM 2,526 kill internet popups12.ico
11/11/2004 06:11 PM 4,286 kill internet popups51.ico
04/25/2005 11:10 PM 3,262 kill popups.ico
04/25/2005 11:10 PM 3,262 kill spyware1.ico
04/25/2005 11:10 PM 3,262 kill spyware12.ico
01/20/2005 08:15 PM 4,286 kill xp popups 331.ico
12/17/2004 02:26 PM 3,262 killallspyware00.ico
02/18/2005 11:15 AM 3,262 killinternetpops32121.ico
03/02/2005 08:36 PM 3,262 kspy1.ico
01/13/2005 04:03 PM 2,526 laptop41.ico
03/02/2005 08:35 PM 1,078 mac02.ico
03/23/2005 11:45 PM 4,286 moviescirc2.ico
10/28/2004 07:12 PM 4,286 moviesorange2.ico
03/02/2005 08:35 PM 4,286 moviesorangecirc1.ico
03/13/2005 11:08 AM 4,286 mp3 players4sale1.ico
03/23/2005 11:45 PM 4,286 mp3 players4salea.ico
03/09/2005 10:10 AM 4,286 mp3red51a.ico
05/11/2005 07:18 PM 4,286 mp3red51aads.ico
09/05/2005 03:25 PM 1,718 Open.ico
03/05/2005 04:30 PM 3,262 poker11212.ico
03/11/2005 10:40 PM 4,286 pop up blaster.ico
02/17/2005 10:28 PM 4,286 pop up blaster1.ico
09/04/2005 10:58 AM 4,286 pop up blaster1232131.ico
09/04/2005 10:58 AM 4,286 pop up blaster12321312.ico
01/11/2005 10:29 PM 16,614 popupblocker231.ico
05/11/2005 07:18 PM 16,614 popupblocker3.ico
05/11/2005 07:18 PM 16,614 popupblocker31.ico
01/23/2005 09:37 PM 4,286 popupkiller123123a.ico
04/14/2005 07:41 PM 3,262 popupkiller2asdf.ico
04/15/2005 12:25 AM 3,262 popupkiller2asdf1.ico
01/30/2005 02:12 PM 3,262 pp_red1221.ico
09/05/2005 03:25 PM 1,718 Quick.ico
04/01/2005 02:44 PM 2,238 red_kas1.ico
05/11/2005 07:18 PM 2,238 red_kas21.ico
09/04/2005 10:58 AM 3,262 ringtone21.ico
01/30/2005 02:12 PM 19,942 securefavorites.ico
09/04/2005 10:58 AM 3,262 sony psp1.ico
09/05/2005 03:25 PM 2,550 Uninstall.ico
01/29/2005 05:30 AM 4,286 usagold312.ico
03/02/2005 08:35 PM 3,262 usaplat1231231231.ico
12/12/2004 01:38 PM 4,286 usaplatinum.ico
01/15/2005 11:22 AM 4,286 usaplatinum12.ico
01/29/2005 05:30 AM 4,286 usaplatinum12342342341.ico
01/08/2005 01:17 PM 4,286 usaplatinum609.ico
11/22/2004 10:56 AM 4,286 usaplatinum61.ico
12/17/2004 02:26 PM 3,262 usplat151.ico
01/23/2005 09:37 PM 3,262 usplat15112.ico
05/11/2005 07:18 PM 3,262 vhe233a1.ico
04/25/2005 11:10 PM 19,942 virus hunter yeah1.ico
12/07/2004 02:11 PM 19,942 virushunter1.ico
03/05/2005 04:30 PM 19,942 virushunter1231.ico
01/30/2005 02:12 PM 19,942 virushunter231.ico
12/17/2004 02:26 PM 19,942 virushunter31.ico
09/04/2005 11:00 AM 19,942 virushunter4.ico
10/26/2004 05:08 PM 19,942 wmkiller2.ico
09/04/2005 10:58 AM 3,262 xboxab.ico
09/04/2005 10:58 AM 3,262 xboxab1.ico
12/17/2004 02:26 PM 3,262 xmas.ico
12/16/2004 12:07 PM 3,262 xox23_icon.ico
01/07/2005 03:40 PM 3,262 yuk or yum 41.ico
12/09/2004 12:28 PM 3,262 yuk or yum 7.ico
02/17/2005 10:28 PM 3,262 yuk or yum 7adsfas1.ico
12/07/2004 02:11 PM 3,262 yuk or yum.ico
01/23/2005 09:37 PM 5,182 yuk or yum1a.ico


Restart and post a new HijackThis log.
  • 0

#8
hobie2


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the latest Hijackthis log:

I did not delete O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
as the laptop has an icon for a piece of software named SecureExam Student 3.15 which runs ssi_student.exe. The program is from SoftwareSecure and is intended to prevent cheating when taking an exam using Word or Excel as it locks out access to all other files. I won't see the owner until Sunday and I'll find out if she still uses this in law school and remove it if she doesn't.

Logfile of HijackThis v1.99.1
Scan saved at 11:47:48 PM, on 9/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ssisvr32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Miriam\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1125873050593
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125899053218
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
  • 0
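Checking a follow-up log against a fix list, as in posts #7 and #8 above, can be scripted. The following is an added example, not part of the thread or of HijackThis; the function names are hypothetical, and the sample inputs are a short excerpt of lines quoted from those two posts.

```python
import re

# HijackThis entry lines start with a section code (R0, O4, O23, ...)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<body>.+?)\s*$")


def parse_entries(log_text):
    """Return (section, body) tuples for every entry line in a log or fix list."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def _norm(body):
    # Windows paths and registry names are case-insensitive, and forum
    # software may alter spacing, so compare case-folded, single-spaced text.
    return re.sub(r"\s+", " ", body).casefold()


def verify_fixes(fix_list_text, followup_log_text):
    """Split the fix list into entries gone from the new log and entries still in it.

    A fix-list line may carry a trailing helper note after " - " (for example
    "... plugin.dll - unless you know what this is for, fix it"), so a log
    entry also matches when the fix-list body continues with " - " after it.
    """
    seen_by_section = {}
    for section, body in parse_entries(followup_log_text):
        seen_by_section.setdefault(section, []).append(_norm(body))

    result = {"removed": [], "still_present": []}
    for section, body in parse_entries(fix_list_text):
        wanted = _norm(body)
        hit = any(
            wanted == seen or wanted.startswith(seen + " - ")
            for seen in seen_by_section.get(section, [])
        )
        result["still_present" if hit else "removed"].append((section, body))
    return result


# Fix list as posted in #7.
FIX_LIST = r"""
O4 - HKLM\..\Run: [pdsnnkk] C:\WINDOWS\pdsnnkk.EXE
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMSystem\plugin.dll - unless you know what this is for, fix it
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
"""

# Excerpt of the follow-up log in #8 (a few lines only, to keep the sample short).
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ssisvr32.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Software Secure Service (SSISvr32) - SoftwareSecure Inc - C:\WINDOWS\system32\ssisvr32.exe
"""

if __name__ == "__main__":
    outcome = verify_fixes(FIX_LIST, FOLLOWUP_LOG)
    for status in ("removed", "still_present"):
        for section, body in outcome[status]:
            print(f"{status:13} {section} - {body}")
```

An entry reported as still present is not necessarily a failed fix: here it is the O23 service the poster chose to keep.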

#9
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#10
hobie2


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I can boot to normal mode and everything seems to run ok. However, when I install XP SP2 the computer will not boot into normal mode, only safe mode. I've installed XP SP2 from both the update website, then removed it, and from a CD. Same results both times. I see a blue screen with text flash before the boot screen with the various options comes up. Is there a log file that would have error info in it? This is a Compaq Presario R3000 laptop with an AMD 64 processor, 800 MHz, 512 of RAM.
  • 0

#11
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I think there is an error log file somewhere, but I'm not exactly sure where. This is probably best asked in the Windows Forum, but just to make sure nothing else is still there:

Boot into Safe Mode and run Ewido scan again. Restart. Post the log here. Run FindIt's and post that log here as well.

Download the Windows Memory Diagnostic Tool and install it on a blank floppy disk. Restart your computer and insert the floppy. If necessary, change your bios to boot from the floppy drive first. Let it load from the floppy and run the memory test for about 15 minutes. If no errors show up, you may exit the program and take out the floppy.
  • 0

#12
hobie2


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
The laptop does not have a floppy drive for me to use the memory test disk. I can boot into safe mode, just not normal unless I uninstall XP SP2.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:40:27 PM, 9/17/2005
+ Report-Checksum: 6E09579

+ Scan result:

C:\Program Files\Securexam Student\ssi_student.exe -> Heuristic.Win32.AVKiller : Ignored


::Report End
++++++++++

Findit log

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 09/17/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 44B0-3C2E

Directory of C:\WINDOWS\SYSTEM32

04/06/2005 05:19 PM <DIR> cache32_rtneg2
09/04/2005 10:58 AM <DIR> cache32_rtneg4
0 File(s) 0 bytes
2 Dir(s) 33,756,082,176 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 44B0-3C2E

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».
  • 0

#13
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Delete these folders:

C:\WINDOWS\SYSTEM32\cache32_rtneg2
C:\WINDOWS\SYSTEM32\cache32_rtneg4

Burn the Windows memory test program on a CD and boot from that instead. Probably not related though, but run the test to see if it finds anything.

Try reinstalling SP2 if anything. Or ask this in the Windows Forum to see if anyone has a solution to this.
  • 0

#14
hobie2


    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Thank you for your help in solving the malware issues, the laptop runs great. Still can not get SP2 to boot normally so will have to run on SP1a until the laptop comes home for a break. Then we can back it up and try an XP repair with a slipstreamed SP2 disk. Thanks again for the great help!
  • 0

#15
greyknight17


    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





