Hi, I did everything you said. On the following step 8, I only found one file, the Log file.
Delete the following file(s) and folder(s) in BOLD only, if found (please do NOT try to find them by "search" because they will not show up that way)
C:\windows\system32\vboemkf.exe <<<=Delete This File
C:\Program Files\Search Maid <<<= Delete This Folder
C:\Program Files\Virtual Maid <<<= Delete This Folder
C:\Windows\System32\Log Files <<<= Delete This Folder
C:\Program Files\Security IGuard <<<= Delete This Folder
The wallpaper screen is different now; it is red with flashing "Danger Spyware" letters.
Here are the Panda scan results:
Incident Status Location
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\cache32_rtneg?
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/Sqwire No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/IEPlugin No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/Searchforit No disinfected C:\Program Files\sf
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\Free Cell Phone.ico
Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Adware:Adware/Weirdontheweb No disinfected C:\Program Files\WeirdOnTheWeb
Adware:Adware/SearchTheWeb No disinfected C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\G1OHABC1\555[1].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\G1OHABC1\555[2].ani
Virus:Exploit/MIE.CHM No disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\G1OHABC1\files[1].htm
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\JI4NR14P\555[1].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\JI4NR14P\555[2].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\JI4NR14P\555[3].ani
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\ZEJ1HZSJ\sploit[1].anr
Virus:Exploit/HHelp Disinfected C:\Documents and Settings\bart\Local Settings\Temporary Internet Files\Content.IE5\ZEJ1HZSJ\start[1].htm.tcf
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-22f52d1d-5cf191d2.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-44b6075e.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-513e81c6-37a9f519.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-73e9be26-3a80c757.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-96d30d8-4821afbb.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-2b28bb1c-5d297b13.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-655c56ee-4158d47b.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-13236e11.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Peter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv175.jar-1417a033-4f18c23f.zip[Parser.class]
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\wuiq\wuiqd\wuiqc.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\gbcohj.exe
Adware:Adware/Mirar No disinfected C:\WINDOWS\system32\Cache\876004.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\Cache\InstallAPS.exe
Adware:Adware/SearchTheWeb No disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\Cache\Pop1.exe
Adware:Adware/TopRebates No disinfected C:\WINDOWS\system32\Cache\WebRebates_Auto_InstallSilent.exe.tcf
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\Cache\wrapperouter.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\Free Cell Phone.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\Free LapTop Computer.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\Free Ringtones!.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\Free Sony Playstation.ico
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\Free U2 iPod.ico
Virus:Trj/Agent.SA Disinfected C:\WINDOWS\system32\msvcrta.dll
Adware:Adware/Alwaysupdatednews No disinfected C:\WINDOWS\system32\NBA Giveaway.ico
Adware:Adware/Searchforit No disinfected C:\WINDOWS\system32\SYSsfitb.dll.tcf
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Mirar No disinfected C:\WINDOWS\system32\WinNB57.dll
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin
-----------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:29:18 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Peter\Desktop\hijackthis\HijackThis.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe