Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

SpyAxe 3.0 infected computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

SpyAxe 3.0 infected computer

Unread postby mar76vette » November 29th, 2005, 3:09 pm

I recently got infected with SypAxe 3.0, a Security toolbar, and possibly some other adware programs. I ran my Norton AntiVirus and found a dialer EXE program (gdnUS2218[1].exe) and deleted it. I also ran SpyBot Search and Destroy 1.4 with detection updates of 11/25/2005 and got rid of a bunch of registy items. I would appreciate any help you can offer. Here is my HijackThis log.


Logfile of HijackThis v1.99.1
Scan saved at 2:09:01 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp666C.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscan ... canner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2 ... sSetup.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/243be0b083e ... xIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8994039240
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
mar76vette
Active Member
 
Posts: 3
Joined: November 28th, 2005, 9:10 pm
Advertisement
Register to Remove

Unread postby Piney » November 29th, 2005, 8:42 pm

Hello mar76vette and welcome to the Malware Removal forum :)

I am reviewing your log, and will be back with some directions to help you get your computer cleaned up.

I am a still in training, so I will have a mentor review my post back to you before I make it.

if you've not done so, click on the Watch this topic for replies line at the bottom of this page. That will let you know when I've responded.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby Piney » December 1st, 2005, 10:04 am

Hello again, mar76vette

I need for you to download some programs. Do not use them until directed to do so.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes.
There should not be any opened browsers when you are carrying out the procedures below.
You will want to copy out these instructions and save them to notepad as you will not have internet connection during the fix.
Save the notepad to your desktop where you can find it.


Go to: http://download.ewido.net/ewido-setup.exe
" Install Ewido Security Suite
" When installing, under "Additional Options" uncheck..
o Install background guard
o Install scan via context menu
" Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
" On the left hand side of the main screen click update.
" Then click on Start Update.
The update will start and a progress bar will show the updates being installed.

If you are having problems with the updater, you can use this link to manually update Ewido
http://www.ewido.net/en/download/updates/
When you have finished updating, EXIT Ewido.


Go to: here to download smitRem.exe.
Extract it to it's own folder on your desktop (Right-click on an empty space on your desktop, choose New...Folder. Name it smitRem.


Please download SpyAxeFix © noahdfear.
Save it to your desktop. Close all other programs and windows. Double click SpyAxeFix.exe, then click Start to extract the tool to it's own folder.


Start up your computer, after the first 'beep' begin tapping on the F8 key. A black menu page will appear.
Use your arrow keys to choose Safe Mode (without networking!)
Click on the Enter key.
Your desktop will appear, although it will be very distorted. The words Safe Mode will be in each corner of the desktop.

We need to open up hidden files and folders. Click Start>>>>Control Panel>>>>Folder Options and double click.
Under the View tab scroll down to Hidden Files and Folders
Check Show hidden files and folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended} Answer Yes
Click Apply and click OK

To make scanning easier and quicker, let's get rid of some temp files.
Click Start>>>>Run and type in the box: cleanmgr.exe click OK
Let the application scan your computer, then make sure these 3 are checkmarked:
Temporary Files
Temporary Internet Files
Recycle Bin

click OK and when finished, close the application.


Run Ewido with it's updated definitions:(...it's important that all windows must be closed)
Click Scanner
Click Complete System Scan to begin scanning.
Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
"Perform action on all infections"
Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop.


Now open the smitRem folder, double-click on the the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed.
Please post that log along with all others requested in your next reply.

Open HJT and scan. Place a check/tick next to these items (if present):
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://riviera.cc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://riviera.cc (obfuscated)
O2 - BHO: HomepageBHO - {7caf96a2-c556-460a-988e-76fc7895d284} - C:\WINDOWS\system32\hp666C.tmp <<< NOTE: This may have changed numbers/letters each time you reboot.
O4 - HKLM\..\Run: [SpyAxe] C:\Program Files\SpyAxe\spyaxe.exe /h
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/243be0b083e ... xIE601.cab


It may be helpful to know that when you put an item in your Trusted Zone, it has pretty much full access to your computer... Are you sure you trust this site to that degree?? If you're not sure, and/or you do not need these in your trusted zone to facilitate access, or you did not knowingly permit this access yourself, then please fix the following O15 entries:
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)

With everything closed (Nothing open) except HijackThis, click on the Fix Checked button. Close HJT.


On your keyboard, click on the Windows key and the E key to bring up your Windows Explorer
Click to expand the C:/ drive, navigate to and delete the following files/folders:
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hp666C.tmp <<<< NOTE: this may have changed names. Look in the System32 Folder for any hpxxx.tmp files and delete them all.
C:\Program Files\SpyAxe

While you still have your Windows Explorer open, scroll through the C:\Windows to the Prefetch folder. Open the folder and delete all the contents.
Do not delete the folder, just the contents of the Prefetch folder. Close Windows Explorer.
Empty your recycle bin.


Open the SpyAxeFix folder and double click the SpyAxeFix.bat to start the tool.
At one point when the tool runs, your taskbar will disappear, and your computer will restart when the tool completes.
A text file will be created in the SpyAxeFix folder. Post the contents of it in your next reply.

After the reboot, on a clear spot on your desktop, right-click and choose Properties
Under the Desktop tab, click on Customize Desktop
Click on Web tab and uncheck/delete Security Info if present
Click OK
Click Apply and then click OK


Reboot normally. Do an online scan at: Trend Housecalls Virus Scan
Let it clean, disinfect, quarantine any items found.

Open HJT, scan, and save the report.
Paste the Ewido log, the smitfiles.text, the SpyAxeFix log and the new HJT log to this thread. It may take more than one post to get them all pasted.
I'll be watching for your reply.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby mar76vette » December 2nd, 2005, 2:53 am

Hi Piney,

Thank you for all of your help. I think my computer is now clean. I still have some reference to a Security toolbar, but I do not think it is anything. I do have a question about my HJT log. I have three items that show (file missing), do you know what this is? Please see below:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)


I am also attaching all of the log files you asked to see. Thank you again for all of your help.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:31:28 PM, 12/1/2005
+ Report-Checksum: 26B749E1

+ Scan result:

C:\Documents and Settings\Marland\Cookies\marland@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter1.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter12.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter13.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter14.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter15.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter16.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter2.hitslink[2].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter2.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter3.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter5.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter6.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@counter8.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-chrysler.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-comcast.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-coresenseinc.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-golfsmith.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-kohls.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-melbourneit.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@ehg-zoomerang.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@northwestairlines.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@stats3.porntrack[2].txt -> Spyware.Cookie.Porntrack : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@twci.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Marland\Cookies\marland@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Marland 2\Cookies\marland 2@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Marland 2\Cookies\marland 2@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Marland 2\Cookies\marland 2@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Marland 2\Cookies\marland 2@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@adorigin[2].txt -> Spyware.Cookie.Adorigin : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@ads.specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@adserv.internetfuel[1].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@cz7.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@hestia.sextrail.trakkerd[2].txt -> Spyware.Cookie.Trakkerd : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@hotlog[1].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@www.hightrafficads[1].txt -> Spyware.Cookie.Hightrafficads : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@xxxcounter[2].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\mar2\Cookies\mar2@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\terry\Cookies\.@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\terry\Cookies\.@preferences[1].txt -> Spyware.Cookie.Preferences : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\terry\Cookies\.mfoutz@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\terry\Cookies\.mfoutz@preferences[1].txt -> Spyware.Cookie.Preferences : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\terry\Cookies\anyuser@excite[2].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Mar II\Old Hard Drive Stuff\WINDOWS\Profiles\terry\Cookies\anyuser@preferences[1].txt -> Spyware.Cookie.Preferences : Cleaned with backup
C:\RECYCLER\NPROTECT\00509329.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00509330.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00509331.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00509336.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509337.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509338.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509339.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509340.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509341.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509342.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509343.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509344.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509345.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509346.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509347.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509348.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509349.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509350.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509351.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509352.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509354.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509355.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509356.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509357.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509358.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509359.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509360.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509624.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00509625.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00509626.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00509631.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509632.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509633.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509634.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509636.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509637.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509638.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509639.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509640.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509641.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509642.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00509643.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00510091.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLER\NPROTECT\00511137.EXE -> Downloader.Small.ayl : Cleaned with backup
C:\RECYCLER\NPROTECT\00511356.EXE -> Downloader.Small.ayl : Cleaned with backup


::Report End


smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/01/2005
The current time is: 22:35:08.22

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Center.url


~~~ Favorites ~~~

Free XXX Sites List.url
Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
mscornet.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

SpyAxeFix © by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 12/01/2005
The current time is: 23:02:56.18




Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 828 'explorer.exe'
Killing PID 828 'explorer.exe'
Killing PID 828 'explorer.exe'


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

svchosts.dll present

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Logfile of HijackThis v1.99.1
Scan saved at 1:32:35 AM, on 12/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscan ... canner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... st0401.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1408.g.akamai.net/7/1408/9955/2 ... sSetup.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8994039240
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/ ... Client.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?315
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
mar76vette
Active Member
 
Posts: 3
Joined: November 28th, 2005, 9:10 pm

Unread postby Piney » December 2nd, 2005, 3:22 am

Thank you for the logs :D
I'll be back with information and a couple more things to do.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby mar76vette » December 2nd, 2005, 4:20 am

Hi Piney,

Thanks for checking out my log files. I just wanted to let you that I checked out my Add/Remove programs and I still have Security toolbar and SpyAxe in there. I think that I can just hit change/remove and then Windows will delete the items, but I'm not sure. Please advise. Thanks.
mar76vette
Active Member
 
Posts: 3
Joined: November 28th, 2005, 9:10 pm

Unread postby Piney » December 2nd, 2005, 5:59 am

Well, fudge sundae! Can you believe it, most of the yuck is gone!

You are very observant:
. I do have a question about my HJT log. I have three items that show (file missing), do you know what this is? Please see below:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)

As you can see, the first two are for your Nortons/Symantec programs. If you disabled or uninstalled the Norton tool bar, then we can fix those two items with HJT.


The last one (SecurityToolbar) wasn't showing in your first log.
We'll take care of it in a moment.

I would like for you to boot into Safe Mode by tapping on your F8 key as your computer boots up.
Choose Safe Mode (without networking!) and click the Enter key on your keyboard.

Go into the Control Panel, Add/Remove Programs. Find, highlight and uninstall/remove:
Security Toolbar
SpyAxe
You will be prompted to reboot, choose No.

Open HijackThis, scan and put a checkmark/tick beside these:
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)

Don't fix the two above, UNLESS you disabled or uninstalled the toolbar functions for adblocking and for your Antivirus.

O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)

With everything closed (nothing open except HijackThis) click the Fix Checked button.
Close HijackThis.

Click the Windows key and the E key on your keyboard to bring up Windows Explorer.
Look in Program Files for SecurityToolbar folder:
C:\Program Files\Security Toolbar
Delete the entire Security Toolbar folder.
Close Windows Explorer
Empty your recycle bin.

Reboot normally and scan with Hijack This, save the log and paste it here.
I want to be sure you are squeeky clean, before we finish up.

Please also let me know if you are having any problems.

I'll be watching for your reply.
Piney
Retired Graduate
 
Posts: 936
Joined: July 24th, 2005, 2:39 pm

Unread postby NonSuch » December 14th, 2005, 3:39 am

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 158 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware