[silverfalcon]

hey I have this adware that i got yesterday and looking around i can't seem to find what is causing it, i tried a few things but ended up with no help, Any help would be great because i am lost
thanks

Logfile of HijackThis v1.99.1
Scan saved at 1:02:40 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Pop up Blocker\pd.exe
C:\hjt\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\enl6l13s1.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe

[Advertisements]

Hi silverfalcon and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.



Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

• Click the Free Trial link under to "SpySweeper" to download the program.
• Install it. Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Options on the left side.
• Click the Sweep Options tab.
• Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

Please post a fresh Hjt lof for review.

Regards,

Trevuren

[Trevuren]

Hi silverfalcon and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.



Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

• Click the Free Trial link under to "SpySweeper" to download the program.
• Install it. Once the program is installed, it will open.
• It will prompt you to update to the latest definitions, click Yes.
• Once the definitions are installed, click Options on the left side.
• Click the Sweep Options tab.
• Under What to Sweep please put a check next to the following:
  • Sweep Memory
  • Sweep Registry
  • Sweep Cookies
  • Sweep All User Accounts
  • Enable Direct Disk Sweeping
  • Sweep Contents of Compressed Files
  • Sweep for Rootkits
  • Please UNCHECK Do not Sweep System Restore Folder.
• Click Sweep Now on the left side.
• Click the Start button.
• When it's done scanning, click the Next button.
• Make sure everything has a check next to it, then click the Next button.
• It will remove all of the items found.
• Click Session Log in the upper right corner, copy everything in that window.
• Click the Summary tab and click Finish.
• Paste the contents of the session log you copied into your next reply.

Please post a fresh Hjt lof for review.

Regards,

Trevuren

[silverfalcon]

Logfile of HijackThis v1.99.1
Scan saved at 8:48:47 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



********
7:59 PM: | Start of Session, Sunday, November 20, 2005 |
7:59 PM: Spy Sweeper started
7:59 PM: Sweep initiated using definitions version 574
8:00 PM: Starting Memory Sweep
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: Found Adware: icannnews
8:01 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
8:01 PM: Detected running threat: C:\WINDOWS\system32\enl6l13s1.dll (ID = 83)
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: Detected running threat: C:\WINDOWS\system32\mpcsubs.dll (ID = 83)
8:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:49
8:02 PM: Starting Registry Sweep
8:03 PM: Found Adware: dialerplatform
8:03 PM: HKLM\software\ptssa\ (2 subtraces) (ID = 125166)
8:03 PM: Found Adware: purityscan
8:03 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
8:03 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
8:03 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
8:03 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
8:03 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
8:03 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
8:03 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
8:03 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
8:03 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
8:03 PM: Found Trojan Horse: trojan-backdoor-5sec
8:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0656a137-b161-cadd-9777-e37a75727e78} (ID = 144013)
8:03 PM: Found Trojan Horse: trojan-downloader-chup
8:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0211c4d9-bc71-8916-38ad-9dea5d213614} (ID = 144455)
8:03 PM: Found Trojan Horse: trojan-downloader-procounter.biz
8:03 PM: HKLM\system\currentcontrolset\services\moto\ || imagepath (ID = 383423)
8:03 PM: Found Trojan Horse: trojan-backdoor-zubox
8:03 PM: HKCR\acpi.acpi.1\ (3 subtraces) (ID = 484081)
8:03 PM: HKCR\acpi.acpi.1\clsid\ (1 subtraces) (ID = 484083)
8:03 PM: HKCR\acpi.ext\ (5 subtraces) (ID = 484085)
8:03 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484093)
8:03 PM: HKCR\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484124)
8:03 PM: HKLM\software\classes\acpi.acpi.1\ (3 subtraces) (ID = 484140)
8:03 PM: HKLM\software\classes\acpi.ext\ (5 subtraces) (ID = 484144)
8:03 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484152)
8:03 PM: HKLM\software\classes\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484210)
8:03 PM: Found Adware: mirinda
8:03 PM: HKCR\clsid\{7a1693a1-afaf-4f1e-9b05-eec38a85fbf3}\ (4 subtraces) (ID = 501125)
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ || c:\windows\tool1.exe (ID = 890587)
8:03 PM: Found Adware: spysheriff
8:03 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-1532298954-682003330-500\software\spysheriff\ (ID = 142125)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\classes\clsid\{0211c4d9-bc71-8916-38ad-9dea5d213614}\ (3 subtraces) (ID = 144454)
8:03 PM: Found Trojan Horse: trojan-downloader-moneymind
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\xjado\ (1 subtraces) (ID = 144725)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\mzs\mdms\ (4 subtraces) (ID = 480808)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\mzs\mdms\mzu\ || pt (ID = 656825)
8:03 PM: Registry Sweep Complete, Elapsed Time:00:00:28
8:03 PM: Starting Cookie Sweep
8:03 PM: Found Spy Cookie: yieldmanager cookie
8:03 PM: titanium [email protected][2].txt (ID = 3751)
8:03 PM: Found Spy Cookie: adecn cookie
8:03 PM: titanium phoenix@adecn[1].txt (ID = 2063)
8:03 PM: Found Spy Cookie: adknowledge cookie
8:03 PM: titanium phoenix@adknowledge[2].txt (ID = 2072)
8:03 PM: Found Spy Cookie: hbmediapro cookie
8:03 PM: titanium [email protected][2].txt (ID = 2768)
8:03 PM: Found Spy Cookie: specificclick.com cookie
8:03 PM: titanium [email protected][1].txt (ID = 3400)
8:03 PM: Found Spy Cookie: addynamix cookie
8:03 PM: titanium [email protected][1].txt (ID = 2062)
8:03 PM: Found Spy Cookie: ask cookie
8:03 PM: titanium phoenix@ask[1].txt (ID = 2245)
8:03 PM: Found Spy Cookie: azjmp cookie
8:03 PM: titanium phoenix@azjmp[2].txt (ID = 2270)

[Trevuren]

Excellent result

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

• First we need to make all files and folders VISIBLE:
  
  • Go to start>control panel>folder options>view (tab)
  • Choose to "show hidden files and folders,"
  • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
  • Close the window with ok
• Please RUN HijackThis.
  . Click the SCAN button to produce a log.
  
  
• Place a check mark beside each one of the following items:
  
  O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
  
  
• Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
  
  
• Reboot Your System in Safe Mode
  
  How to use the F8 method to Start Your Computer in Safe Mode
  
  
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe mode menu item
  • Press Enter.
• Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):
  
  C:\Program Files\Winamp\winampa.exe<==Only this file
  
  
• Exit Explorer, and REBOOT BACK INTO NORMAL MODE
  
  
• Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

NOTE: Please tell me how your system is running. Any more popups?

Regards,

Trevuren

[silverfalcon]

Logfile of HijackThis v1.99.1
Scan saved at 9:26:09 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Pop up Blocker\pd.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

[Trevuren]

Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren

[silverfalcon]

seems ok now

[Trevuren]

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:

• Click Start. Open My Computer.
• Select the Tools menu and click Folder Options. Select the View Tab.
  
• Under the Hidden files and folders heading deselect "Show hidden files and folders".
• Check the "Hide protected operating system files (recommended)" option.
• Click Yes to confirm. Click OK.

2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE

• Right-click "My Computer", and then left click "Properties".
• Left click on "System Restore Tab"
• Check box beside "Turn Off System Restore"
• Left click on "Apply"

TO ENABLE SYSTEM RESTORE

• Remove check mark from "Turn Off System Restore"
• Click on "Apply"

3.Preventitive measures:

Please read and follow the following advice by TonyKlein on how to reduce the potential for spyware infection in the future:

How Did I Get Infected in the First Place


Regards,

Trevuren

[Trevuren]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.