[FrenchKitty]

I had to re install my pc and when i installed my programs again I had a very slow internet connection so I couldnt download any Anti-virus program. So during this moment something slipped into my system. Its some "anti virus program" : PS Guard. It also causes annoying pop-ups with sometimes [bleep] stuff on it . I ran MS anti-spyware and Ad-Aware but everytime they delete it, it always comes back after a couple of monments. Please help me to get rid of it.
here is my htlog:


Logfile of HijackThis v1.99.1
Scan saved at 1:14:03, on 1/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mssearchnet.exe
C:\WINDOWS\System32\nvctrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Yasmine Simillion\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\System32\hp7280.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q7434718.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Edited by FrenchKitty, 30 September 2005 - 05:14 PM.

[Advertisements]

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[didom]

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

[FrenchKitty]

I did everything u asked. Everything seems alright now, but when I rebooted in Windows I got that "PS guard scanner" window that "scans infected files". Ive got that window the last few days I started my PC. But I dont have any pop-ups anymore and the PS guard icons next to the clock are gone. here are the logs:

Panda log:

Incident Status Location

Adware:adware/securityerror No disinfected C:\Documents and Settings\All Users\Menu Start\Online Security Center.url
Adware:adware/securityerror No disinfected C:\WINDOWS\SYSTEM32\ot.ico
Adware:adware/psguard No disinfected C:\Documents and Settings\Yasmine Simillion\Application Data\PSGuard.com
Dialer:Dialer.DDL No disinfected C:\WINDOWS\system32\1024\ld61D0.tmp

Smitfiles:


smitRem log file
version 2.5

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed!


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

PSGuard.com


~~~ Favorites ~~~



~~~ system32 folder ~~~

msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
oleext.dll
hp***.tmp


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! ~~~~

Ewido Log:


---------------------------------------------------------
ewido security suite - Scan rapport
---------------------------------------------------------

+ Gemaakt op: 19:26:53, 2/10/2005
+ Rapport samenvatting: D364E356

+ Scan resultaten:

HKLM\SOFTWARE\PSGuard.com -> Spyware.PSGuard : Fout gedurende het schoonmake
HKLM\SOFTWARE\PSGuard.com\PSGuard -> Spyware.PSGuard : Fout gedurende het schoonmake
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard -> Spyware.PSGuard : Fout gedurende het schoonmake
HKLM\SOFTWARE\PSGuard.com\PSGuard\P.S.Guard\License -> Spyware.PSGuard : Schoongemaakt met een backup
[260] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Schoongemaakt met een backup
[504] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Fout gedurende het schoonmake
[1424] C:\WINDOWS\System32\OLEEXT.dll -> Trojan.Agent.ff : Fout gedurende het schoonmake
:mozilla.11:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.12:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.14:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.21:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.22:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.30:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Atdmt : Schoongemaakt met een backup
:mozilla.36:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Doubleclick : Schoongemaakt met een backup
:mozilla.51:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Schoongemaakt met een backup
:mozilla.52:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Addynamix : Schoongemaakt met een backup
:mozilla.53:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Addynamix : Schoongemaakt met een backup
:mozilla.65:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.66:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.67:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.86:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Centrport : Schoongemaakt met een backup
:mozilla.87:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Centrport : Schoongemaakt met een backup
:mozilla.100:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
:mozilla.101:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
:mozilla.102:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
:mozilla.103:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Pointroll : Schoongemaakt met een backup
:mozilla.104:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Masterstats : Schoongemaakt met een backup
:mozilla.108:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.109:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.110:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.111:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.114:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.115:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.116:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.117:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.118:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.119:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.120:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.121:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Advertising : Schoongemaakt met een backup
:mozilla.128:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
:mozilla.129:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
:mozilla.130:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
:mozilla.131:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
:mozilla.132:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
:mozilla.133:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Casalemedia : Schoongemaakt met een backup
:mozilla.134:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
:mozilla.135:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
:mozilla.136:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
:mozilla.137:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
:mozilla.138:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Statcounter : Schoongemaakt met een backup
:mozilla.166:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Adtech : Schoongemaakt met een backup
:mozilla.167:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Adtech : Schoongemaakt met een backup
:mozilla.172:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Mediaplex : Schoongemaakt met een backup
:mozilla.174:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
:mozilla.175:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
:mozilla.176:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
:mozilla.177:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
:mozilla.178:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Serving-sys : Schoongemaakt met een backup
:mozilla.179:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Fastclick : Schoongemaakt met een backup
:mozilla.180:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Fastclick : Schoongemaakt met een backup
:mozilla.216:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Specificclick : Schoongemaakt met een backup
:mozilla.217:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Specificclick : Schoongemaakt met een backup
:mozilla.218:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Questionmarket : Schoongemaakt met een backup
:mozilla.219:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Ru4 : Schoongemaakt met een backup
:mozilla.220:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Ru4 : Schoongemaakt met een backup
:mozilla.224:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Bluestreak : Schoongemaakt met een backup
:mozilla.246:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.247:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.249:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Bfast : Schoongemaakt met een backup
:mozilla.269:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.277:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Linkbuddies : Schoongemaakt met een backup
:mozilla.278:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Burstnet : Schoongemaakt met een backup
:mozilla.279:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Burstnet : Schoongemaakt met een backup
:mozilla.280:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Valueclick : Schoongemaakt met een backup
:mozilla.281:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Valueclick : Schoongemaakt met een backup
:mozilla.282:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Valueclick : Schoongemaakt met een backup
:mozilla.285:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.286:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.287:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.288:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.289:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.303:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
:mozilla.304:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
:mozilla.307:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.312:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.313:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.314:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.315:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.316:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.317:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.318:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.319:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexcounter : Schoongemaakt met een backup
:mozilla.320:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.321:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.322:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Falkag : Schoongemaakt met een backup
:mozilla.323:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sexlist : Schoongemaakt met een backup
:mozilla.335:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.336:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.343:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.351:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.352:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.354:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.2o7 : Schoongemaakt met een backup
:mozilla.400:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Doubleclick : Schoongemaakt met een backup
:mozilla.405:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.406:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.411:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.412:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Hitbox : Schoongemaakt met een backup
:mozilla.428:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
:mozilla.429:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
:mozilla.449:C:\Documents and Settings\Yasmine Simillion\Application Data\Mozilla\Firefox\Profiles\xpd8yigd.default\cookies.txt -> Spyware.Cookie.Sitestat : Schoongemaakt met een backup
C:\Documents and Settings\Yasmine Simillion\Cookies\yasmine [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Schoongemaakt met een backup
C:\Documents and Settings\Yasmine Simillion\Cookies\yasmine [email protected][1].txt -> Spyware.Cookie.Clickhype : Schoongemaakt met een backup
C:\Documents and Settings\Yasmine Simillion\Cookies\yasmine simillion@com[2].txt -> Spyware.Cookie.Com : Schoongemaakt met een backup
C:\WINDOWS\system32\1024\ld7029.tmp -> Dialer.Generic : Schoongemaakt met een backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Schoongemaakt met een backup


::Einde rapport


Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 20:40:04, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Yasmine Simillion\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: style2 - C:\WINDOWS\q7434718.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[didom]

Download win32delfkil.exe: http://users.telenet...in32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically and after the reboot the infection should be killed.
If you are using windows 2000, it is possible that you will have to restart the computer manually. If so, a message will appear.

After the reboot please post a fresh HijackThis log

[FrenchKitty]

here:

Logfile of HijackThis v1.99.1
Scan saved at 21:07:10, on 2/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Yasmine Simillion\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[didom]

Make sure all hidden files and folders are visible (Instructions )
Reboot your computer into safe mode (Instructions)

Find and delete these files (if they are still there):
C:\Documents and Settings\All Users\Menu Start\Online Security Center.url
C:\WINDOWS\SYSTEM32\ot.ico
C:\Documents and Settings\Yasmine Simillion\Application Data\PSGuard.com
C:\WINDOWS\system32\1024\ld61D0.tmp

Reboot your computer back into normal mode.

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it along with a new HijackThis Log in your next reply.

Let me know if any problems persist.

[FrenchKitty]

I'm sorry it took so long for me to reply but I had *again* problems with my internetconnection. I did everything u asked but I didnt find those files. I dont get it because they appear when I run Ewido
here are the logs

Panda:

Incident Status Location

Adware:adware/securityerror No disinfected C:\WINDOWS\SYSTEM32\ts.ico
Adware:adware/psguard No disinfected Windows Registry


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 0:02:21, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Yasmine Simillion\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

[didom]

You need to run Smitrem again because it's updated a few days ago!

First delete the (old) Smitrem folder.

Then download smitRem.exe (again!) and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Scan again with HijackThis and check the following items:

O4 - HKLM\..\Run: [P.S.Guard] C:\Program Files\P.S.Guard\PSGuard.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Make sure all hidden files and folders are visible (Instructions )

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Find and delete this file:
C:\WINDOWS\SYSTEM32\ts.ico

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan.
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt (C:\smitfiles.txt) log and the Ewido Log by using Add Reply.
Let us know if any problems persist.