HijackThis Logfile
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Nigler
Hello

Several weeks ago, my wife let a friend of hers use my computer. Afterwards I ran Ad-Aware SE and it showed up a possible browser hijacker with a link to E Gold.

Well, my E Gold account is OK, but for 5 days my Safe-mail email account completely disappeared, then came back for a day, then disappeared again for another 4 days. But it has come back OK now.

As well as that, E Gold disappeared from my Favorites.

Next I tried to find some free programs to get rid of whatever I had on my computer.

This WinAntiVirus came up in my browser. I ran a free scan and it told me I had 2 extremely risky Trojans (Custom Toolbar and Trojan Fakealert.AQ). To get rid of them they wanted me to pay $49.95.

So then I tried TrojanHunter. Trojans found: Adware Buddy.101 and Adware.TryMedia.100. Then I found that they too wanted me to pay to get them removed.

I got a free scan at xSpyware too, and that one says I've got a hijacker: Martfinder and Twain Tech.

After a few days I found this forum and was reading about HijackThis. Well, I went to download it and I must have got mixed up, as I ended up downloading a program called "SpyOnThis". Well, I did the free scan and now I have a list of 80 trojans and hijackers and goodness knows what else, and then I found out that I have to buy it to get rid of everything...

So today I decided to download HijackThis and send you people the log.

Dismay, dismay. A "The page cannot be found" error page is all I get.

Please could someone tell me what I should do next.

I have just run HijackThis. Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:00:47 PM, on 5/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\e-Sword\e-Sword.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - blank (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O4 - HKLM\..\Run: [xSpyware] C:\Program Files\xSpyware\xSpyware.Exe
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add Content To YMMSS Reader - res://C:\Program Files\YMMSS Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Au...VBAuthentic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.click2translate.com/modules/ocx/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Kind Regards

Nigel
Bobbi Flekman
Hi Nigler,

Update Java:
  • Go to Start > Control Panel and double-click on the Software icon (Add/Remove Programs).
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the following icon next to it:
    Select it and click Remove.
  • Then download and install the newest version from here:

Please create a list of programs that can be removed using Add/Remove Programs:
Start HijackThis. Click "Config" -> "Misc Tools" -> "Open Uninstall Manager" -> "Save List".
Save the log to a convenient location, and copy it into this thread.

Please move HijackThis to another location, preferably C:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups, or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double-clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

Go to Online malware scan and submit C:\WINDOWS\system32\spider.exe.

Tell me the result.
Nigler
Good Evening Bobbi Flekman

Thank you for your time and willingness to help me.

I have done as you suggested, except I don't know how to move HijackThis from the temporary folder to the permanent folder I made for it.

List of Programs

7 Wonders of the World (remove only)
Ad-Aware SE Personal
Adobe Acrobat 7.0.1 and Reader 7.0.1 Update
Adobe Acrobat 7.0.2 and Reader 7.0.2 Update
Adobe Reader 7.0
AVG Free Edition
Beshaped
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Web-To-Page
ES C43 Problem Solver
ESC45 Reference Guide
ESC45 Software Guide
e-Sword
Google Earth
HijackThis 1.99.1
Homespun Collection
Intel® Extreme Graphics Driver
International Conference 5.8.4.2
iVocalize Internet Conference 3
J2SE Runtime Environment 5.0 Update 6
Java Web Start
Macromedia Flash Player 8
Microsoft Data Access Components KB870669
Microsoft Office Standard Edition 2003
Mystery Case Files - Prime Suspects (remove only)
Picasa 2
PIF DESIGNER2.1
Print Artist 2003
Sandlot Games Client Services
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
SierraAddressBook 3.0
SoftV92 Voice Modem with SmartCP
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
SpyOnThis 1.0
TrojanHunter 4.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
WinAce Archiver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
xSpyware 1.4.2
Yahoo! Address AutoComplete
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
YMMSS Reader 3.0
ZoneAlarm

These programs can be deleted:

7 Wonders of the World
Mystery Case Files
Sandlot Games
Spy Sweeper
TrojanHunter
xSpyware
Yahoo! Toolbar
YMMSS Reader

These programs I don't know why I have:

Homespun Collection
PIF DESIGNER
SierraAddressBook
SoftV92 Voice Modem
SoundMAX

I ran the online malware scan.

Results:

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Looking forward to hearing from you

Kind Regards

Nigel
Bobbi Flekman
Hi Nigler,

QUOTE
I have done as you suggested, except I don't know how to move HijackThis from the temporary folder to the permanent folder I made for it.
Extract the archive; don't double-click on the HijackThis.exe inside.

Open "Add/Remove Programs" in the Control Panel. Select the following items:
  • xSpyware 1.4.2
and click "Remove" for each of them. If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.

Please post a new log from HijackThis.
Nigler
Hi

Here is the new log


Logfile of HijackThis v1.99.1
Scan saved at 6:43:44 PM, on 5/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - blank (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add Content To YMMSS Reader - res://C:\Program Files\YMMSS Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Au...VBAuthentic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.click2translate.com/modules/ocx/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Kind Regards

Nigler
Bobbi Flekman
Hi Nigler,

Download WinSockFix and LSPFix.
Start the application, and click the "I know what I'm doing" checkbox.
Check all instances of c:\program files\winantivirus pro 2006\mailscan.dll (and nothing else), and move them to the "Remove" pane.
Then click Finish and reboot.

Check your internet connection and verify that it is working. In rare instances LSPFix may break your connection. If this happens, run WinSockFix to repair it.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - blank (file missing)

O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"

There are restrictions set on Control Panel and Internet Explorer. If you or your system administrator has not set these restrictions, also check these items.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)

Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end of the fix you can return the files to hidden status if you want.

Delete the following folder (it could be that it is deleted already):

C:\Program Files\WinAntiVirus Pro 2006

Restart your computer and post a new log in this thread.
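As an added example (not part of this thread, and not a tool the forum or HijackThis ships): the checks the helper applied by hand above, written as a small Python triage script over HijackThis entry lines. The sample lines are copied from the second log posted in this thread; the SUSPECT_PRODUCTS list is an assumption seeded with the one product flagged here, and the parse_hjt, triage and report helpers are hypothetical names chosen for this illustration.

```python
import re
from collections import Counter

# Entry lines copied from the second HijackThis log in this thread (the
# wrapped lines rejoined); a subset is enough to exercise every check below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - blank (file missing)
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
""".strip().splitlines()

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP: (?P<dll>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d. ]+)$")

# Assumed list of rogue "security" products, seeded with the one flagged in
# this thread. Matching is a case-insensitive substring test on the entry body.
SUSPECT_PRODUCTS = ("winantivirus pro 2006",)


def parse_hjt(lines):
    """Yield (section, body) for each entry line; header and process list are skipped."""
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(lines, suspect_products=SUSPECT_PRODUCTS):
    """Apply the same checks the helper made by hand and collect the findings."""
    findings = {
        "file_missing": [],  # entries whose target binary no longer exists
        "suspect": [],       # entries whose path names a known rogue product
        "policies": [],      # O6 policy keys restricting IE / Control Panel
        "lsp": Counter(),    # O10 LSP DLL -> number of Winsock catalog entries
        "nameservers": [],   # O17 DNS servers, to be checked against the ISP
    }
    for sec, body in parse_hjt(lines):
        lowered = body.lower()
        if body.endswith("(file missing)"):
            findings["file_missing"].append(f"{sec} - {body}")
        if any(product in lowered for product in suspect_products):
            findings["suspect"].append(f"{sec} - {body}")
        if sec == "O6":
            findings["policies"].append(body)
        elif sec == "O10":
            m = LSP_RE.match(body)
            if m:
                findings["lsp"][m.group("dll").lower()] += 1
        elif sec == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                findings["nameservers"].extend(m.group("ips").split())
    return findings


def report(findings):
    """Render the findings as the fix list a helper would post back."""
    # Dead and rogue entries go to HijackThis; O10 entries are kept out of that
    # list because the Winsock chain must be repaired with LSPFix instead.
    hjt = [e for e in dict.fromkeys(findings["file_missing"] + findings["suspect"])
           if not e.startswith("O10")]
    out = ["Fix with HijackThis:"] + ["  " + e for e in hjt]
    if findings["policies"]:
        out.append("Fix with HijackThis only if you did not set these policies yourself:")
        out += ["  O6 - " + p for p in findings["policies"]]
    if findings["lsp"]:
        out.append("Remove with LSPFix, not HijackThis (keep WinSockFix at hand):")
        out += [f"  {dll}  ({n} catalog entries)" for dll, n in findings["lsp"].items()]
    if findings["nameservers"]:
        out.append("Verify these DNS servers belong to the ISP: "
                   + ", ".join(findings["nameservers"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

The script keeps the O10 entries out of the HijackThis fix list for the reason the post gives: the six identical mailscan.dll lines are one DLL inserted into the Winsock provider chain, and removing them without re-linking the chain can leave the machine without working networking, which is why the post tells the user to have WinSockFix ready. The O6 and O17 findings are reported rather than marked for removal, since policy keys and DNS servers are only suspicious if the owner did not set them.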
Nigler
Good morning.

I have done as you suggested, but it was not as straightforward as it seemed.

After downloading WinSockFix and LSPFix, there were four names that showed up; WinAntiVirus Pro 2006 did not show up.

I ran HijackThis and deleted all the listed names except the bottom one, Files\WinAntiVirus Pro 2006\FWSvc.exe. This did not show up.

There were NO folders to delete in the hidden files section.

Here is the logfile I ran last night:


Logfile of HijackThis v1.99.1
Scan saved at 9:11:41 PM, on 5/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add Content To YMMSS Reader - res://C:\Program Files\YMMSS Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Au...VBAuthentic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.click2translate.com/modules/ocx/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Kind Regards

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
C:\Documents and Settings\Administrator\Local Settings\Temp\HijackThis.exe
Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups, or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double-clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -

O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked". Restart your computer and post a new log in this thread.
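The two lines picked out above are the usual first-pass patterns in a HijackThis log: an O16 Downloaded Program Files record with nothing behind it, and an O23 service whose binary is missing and whose owner is unknown. As an added example (not part of this thread and not HijackThis's own code), here is a small Python triage that parses HJT entry lines and flags those patterns, plus the O17 DNS entry that helpers always check against the user's ISP. The sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample: these lines are copied from the HijackThis logs posted
# in this thread (the O16 Java entry with an empty source and the FWSvc
# service are the two entries the helper asked to have fixed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
"""

# Every HijackThis entry starts with a section tag (R0, O2, O4, O16, ...).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
DPF_RE = re.compile(r"^DPF: (.*?) -\s*(.*)$")
DNS_RE = re.compile(r"NameServer = (.+)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


def parse_entries(text):
    """Split a log into (section, body, line) tuples, skipping headers and the process list."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(text):
    """Flag the entry patterns a helper looks for first in an HJT log."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O23":
            # A service whose binary is gone leaves a dead registry entry behind;
            # a service with no publisher string is worth verifying either way.
            if "(file missing)" in body:
                findings.append(Finding(section, "service binary missing on disk", line))
            if "Unknown owner" in body:
                findings.append(Finding(section, "service has no publisher information", line))
        elif section == "O16":
            # "DPF: {CLSID} (Name) - source": a blank source is a leftover
            # Downloaded Program Files record that can simply be removed.
            m = DPF_RE.match(body)
            if m and m.group(2) == "":
                findings.append(Finding(section, "downloaded ActiveX record with no source", line))
        elif section == "O17":
            # O17 lists DNS servers written into the TCP/IP settings; they
            # should belong to the user's ISP, so they always get checked.
            m = DNS_RE.search(body)
            if m:
                findings.append(Finding(section, "DNS servers to verify with the ISP: " + m.group(1), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports the empty Java DPF record, the two name servers, and the FWSvc service twice (missing file, unknown owner); the AVG service and the WGA control pass because their binary and source are present.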
Nigler
Hi

I have Hijackthis saved to a Program Folder.....

I right click the Start button .... Explore then click ... Program files and there it is..

Have done as you said but that win anti virus is still there....

Can I delete these Programs, I don't use any of them.

.... Trojan hunter
..... Spy Sweeper .. It is uninstalled but not able to get rid of it.
...... Howudodat
...... Panda software
...... Pestscan
...... Aluria Software

Logfile of HijackThis v1.99.1
Scan saved at 8:07:03 PM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add Content To YMMSS Reader - res://C:\Program Files\YMMSS Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.click2translate.com/modules/ocx/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Kind regards

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
Can I delete these Programs, I don't use any of them.
You can uninstall them.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Please post a new log from HijackThis after this.
Nigler
Hi

I am sorry that this is taking so long.... We are in the final stages of building our dream house and some days I don't have any steam left to look at the computer.... Nevertheless my computer is playing games with me.... After I switch it on the monitor light meter appears and the picture gets darker....so I brighten it up and click it so it disappears and then it reappears of its own accord and each time I click to get rid of it it just reappears and the light either dims or brightens of its own accord. Then this morning my computer just froze up.

I had to find out how to save that Regedit to the desktop..... Then when I did it and I clicked on Regedit on my desktop it just took me back to my Notepad.

I sure need your help and I appreciate it very much.

Kind Regards

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
I am sorry that this is taking so long.... We are in the final stages of building our dream house and some days I don't have any steam left to look at the computer.... Nevertheless my computer is playing games with me.... After I switch it on the monitor light meter appears and the picture gets darker....so I brighten it up and click it so it disappears and then it reappears of its own accord and each time I click to get rid of it it just reappears and the light either dims or brightens of its own accord. Then this morning my computer just froze up.
Could it be that the monitor is giving up the ghost? And the house building should be top priority.... It's a computer, not a life ;)

I just learned that just about every time WinAntiVirus is mentioned it is related to Vundo, so before continuing I want you to do the following.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Nigler
Good Morning

I have done as instructed but with no results

The Vundo scan was negative

Logfile posted

Logfile of HijackThis v1.99.1
Scan saved at 6:21:11 AM, on 5/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add Content To YMMSS Reader - res://C:\Program Files\YMMSS Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.click2translate.com/modules/ocx/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Kind Regards

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
The Vundo scan was negative
Ok...

So we're back to getting rid of "WinAntiVirus"
Launch Notepad, and copy/paste the box below into a new text file. Save it as Options.txt on your Desktop.

QUOTE
RegSearch Options File

[Search]
FWSvc
[Exclude]

[Options]
Filter=KVDLUI


Download Registry Search and extract it. Double-click the icon to run it and click on "Import...". Select the file you created above. Click "OK" and Registry Search will search the Registry and report what it finds. Post that here.
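Two steps in this thread turn on the .reg file format: the fixme.reg script given earlier, where a [-Key] line under a REGEDIT4 header deletes the FWSvc service key, and the Registry Search run requested here, which reports its hits in the same [key] / "name"=data layout. The Python below is an added example, not Registry Search's code and not anything posted in the thread: parse_reg() reads a REGEDIT4 script, validate_reg_script() reports what makes regedit reject a file as "not a registry script" (a missing header, an unclosed key line, or a name that does not end in .reg because Notepad's default "Text Documents" save type appended .txt), and search_export() searches an exported script for a string the way the Options.txt above asks Registry Search to. The sample export is constructed: the service key path is the one from the thread, the value names are the standard ones a service key carries, and the data is made up.

```python
import re

# Constructed sample export (not a real registry dump from this machine).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc]
"DisplayName"="Firewall service"
"ImagePath"="C:\\Program Files\\WinAntiVirus Pro 2006\\FWSvc.exe"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon]
"DisplayName"="TrueVector Internet Monitor"
"ImagePath"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""

# The fixme.reg script from the thread, and the same script without its header.
FIXME_REG = "REGEDIT4\n\n[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FWSvc]\n"
HEADERLESS_REG = "[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\FWSvc]\n"

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg script into [{'op', 'key', 'values'}] in file order.
    op is 'delete' for a [-Key] line and 'add' for [Key]; values maps the
    value token (quoted name, or @ for the default value) to its raw data."""
    joined = []
    for line in text.splitlines():
        if joined and joined[-1].endswith("\\"):        # hex(...) continuation line
            joined[-1] = joined[-1][:-1] + line.strip()
        else:
            joined.append(line.rstrip())
    entries = []
    for line in joined:
        if not line or line.startswith(";"):            # blank or comment
            continue
        m = KEY_RE.match(line)
        if m:
            entries.append({"op": "delete" if m.group(1) else "add",
                            "key": m.group(2), "values": {}})
            continue
        m = VALUE_RE.match(line)
        if m and entries:
            entries[-1]["values"][m.group(1)] = m.group(2)
    return entries


def validate_reg_script(text, filename=None):
    """Return the reasons regedit would refuse the file as 'not a registry script'."""
    problems = []
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        problems.append("first line must be REGEDIT4 or 'Windows Registry Editor Version 5.00'")
    for line in lines:
        if line.startswith("[") and not line.rstrip().endswith("]"):
            problems.append("key line is not closed with ']': " + line)
    if filename is not None and not filename.lower().endswith(".reg"):
        # Notepad's "Text Documents" save type silently appends .txt.
        problems.append("file name does not end in .reg: " + filename)
    return problems


def search_export(text, needle, where="KVD"):
    """Search key names (K), value names (V) and data (D) of an exported
    script for needle, case-insensitively, and return report lines in the
    [key] / "name"=data layout Registry Search prints."""
    needle = needle.lower()
    report = []
    for e in parse_reg(text):
        key_hit = "K" in where and needle in e["key"].lower()
        hits = [(n, d) for n, d in e["values"].items()
                if ("V" in where and needle in n.strip('"').lower())
                or ("D" in where and needle in d.lower())]
        if key_hit or hits:
            report.append("[" + e["key"] + "]")
            report.extend(n + "=" + d for n, d in hits)
            report.append("")
    return report


if __name__ == "__main__":
    print("fixme.reg problems:", validate_reg_script(FIXME_REG, "fixme.reg"))
    print("saved as .txt:", validate_reg_script(FIXME_REG, "fixme.reg.txt"))
    print("\n".join(search_export(SAMPLE_EXPORT, "FWSvc")))
```

The search is run on an exported text file rather than the live registry so it works anywhere; on the machine itself the same matching logic would sit behind a walk of the hives with winreg. Note that a [-Key] line removes the whole subtree under that key, which is why the thread warns that the script is written for this one computer.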
Nigler
Hello Bobbi

Well this is a real education.... Yes I joined up to that bleeping Forum too and there is lots of interesting stuff there.

Here's the Registry Log

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/14/2006 2:12:04 PM for strings:
; 'symantec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_USERS


; End Of The Log...


After running this program I got this error report "This program is not responding"

I just ran this again.


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/14/2006 3:38:28 PM for strings:
; 'symantec'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

; End Of The Log...

Hope this helps

Still have the light meter problem..... It's not my monitor giving in as it's only a year old ... it's an HP 5500.

The light meter shows up and then does as it pleases...... my picture will go from bright to dark and then back again..... it's like there's a teenager sitting behind it playing a game.... and then after it's had its fun it leaves us alone and now the computer has been on for several hours it's ok.

Have a nice day

Kind Regards

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
Yes I joined up to that bleeping Forum too and there is lots of interesting stuff there.
??? What forum?

QUOTE
; Results at 5/14/2006 2:12:04 PM for strings:
; 'symantec'
This isn't what I asked you to search for.

QUOTE
After running this program I got this error report "This program is not responding"
It's initializing...

QUOTE
The light meter shows up and then does as it pleases...... my picture will go from bright to dark and then back again..... it's like there's a teenager sitting behind it playing a game.... and then after it's had its fun it leaves us alone and now the computer has been on for several hours it's ok.
I don't think I can help you with that. Simply because I have no clue on how to proceed with that. To me, it sounds like either the monitor is on its last legs, or that the driver is misbehaving...
Nigler
Good Morning Bobbi

I have been re visiting your instructions.

I went back to "REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FWSvc]

When I double-clicked on it I got this message

Registry Editor

Are you sure you want to add the info in C:\ Documents and settings \ administrator \ Desktop \ fixme.reg to the registry

Clicked YES

Then new message

Cannot import C:\Document and settings \admin \ desktop \fixme.reg . The specified file is not a registry script . You can only import binary registry files within the registry editor

Have re run the Reg Search..... Here is the Log

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/16/2006 12:01:55 PM for strings:
; 'options'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_USERS


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012004110820041109]
"CacheOptions"=dword:0000000b

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Google\NavClient\1.1\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Google\NavClient\1.1\Options\CustomSearch]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Google\Picasa\Picasa2\Preferences]
"LastUsedOptionsPage"=dword:00000000

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Google\Picasa\Picasa2\Preferences\Collage]
"options"=dword:00000002

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\MediaPlayer\Setup\UserOptions]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Microsoft Games\Links Course Challenge Chateau Whistler Edition\MultiPlayerOptions]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Microsoft Games\Links Course Challenge Chateau Whistler Edition\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\MSPaper 11.0\FindOptions]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\General]
"PasteOptions"=dword:00000001

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\MailSettings]
"AdvertisePictureOptionsCount"=dword:00000002

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\Research\Sources\{2418FD38-D4CD-45B5-935C-2A9E4494C32F}\{A8BA8760-E619-11D3-8F5D-00C04F9CF4A0}]
"OptionsPath"="internal:Translation"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\Research\Sources\{2418FD38-D4CD-45B5-935C-2A9E4494C32F}\{A8BA8764-E619-11D3-8F5D-00C04F9CF4A0}]
"OptionsPath"="internal:Translation"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\Research\Sources\{2418FD38-D4CD-45B5-935C-2A9E4494C32F}\{A8BA8765-E619-11D3-8F5D-00C04F9CF4A0}]
"OptionsPath"="internal:Translation"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\Research\Sources\{2418FD38-D4CD-45B5-935C-2A9E4494C32F}\{FAD473D6-E564-11D3-8F5D-00C04F9CF4A0}]
"OptionsPath"="internal:Translation"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Common\Research\Sources\{2418FD38-D4CD-45B5-935C-2A9E4494C32F}\{FBBBB79E-9F02-4E5A-BA58-3674A1919488}]
"Description"="Includes installed bilingual dictionaries, online bilingual dictionaries, and online machine translation services. To enable or disable a specific translation source, use the Translation Options link."
"OptionsPath"="internal:Translation"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Excel\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\OIS\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Outlook\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Outlook\Options\Calendar]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Outlook\Options\General]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Outlook\Options\Mail]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Outlook\Options\MSHTML]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Outlook\Options\MSHTML\International]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\PowerPoint\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Word\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Word\Options]
; Contents of value:
;          #
"WordMailACOptions"=hex:00,01,01,01,01,01,01,01,00,01,01,01,01,01,01,01,01,01,\
  01,00,01,00,01,00,01,01,01,01,01,01,00,02,00,03,01,03,01,03,01,03,00,03,01,\
  02,00,03,01,03,01,03,01,03,01,00,00,23,01

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Office\11.0\Word\Options\OutlookEditor]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\1033]
"Options Version"=dword:00000001

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\2057]
"Options Version"=dword:00000001

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Shared Tools\Proofing Tools\Grammar\MSGrammar\3.0\3081]
"Options Version"=dword:00000001

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Solitaire]
"Options"=dword:0000005f

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Options]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Device Installer]
"SearchOptions"=dword:0000021e

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"c"="C:\\Program Files\\Options.txt"
"d"="C:\\Documents and Settings\\Administrator\\Desktop\\Options.txt"
"i"="C:\\Program Files\\Webroot\\Options.txt"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"c"="C:\\Documents and Settings\\Administrator\\Desktop\\Options.txt"
"e"="C:\\Program Files\\Webroot\\Options.txt"
"f"="C:\\Program Files\\Options.txt"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006050120060508]
"CacheOptions"=dword:0000000b

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006050820060515]
"CacheOptions"=dword:0000000b

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006051520060516]
"CacheOptions"=dword:0000000b

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012006051620060517]
"CacheOptions"=dword:0000000b

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\UserData]
"CacheOptions"=dword:00000008

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-31361"="Provides options for you to customize the appearance and functionality of your computer."
"@C:\\WINDOWS\\system32\\SHELL32.dll,-31361"="Provides options for you to customize the appearance and functionality of your computer."
"@C:\\WINDOWS\\system32\\SHELL32.dll,-22985"="Folder Options"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\TrojanHunter\CleanOptions]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\TrojanHunter\ReportOptions]

[HKEY_USERS\S-1-5-21-2234596607-4209202731-2920025175-500\Software\TrojanHunter\ScanOptions]

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012004110820041109]
"CacheOptions"=dword:0000000b

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"DebugOptions"="2048"

; End Of The Log...

I hope this is of some help

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
Then new message

Cannot import C:\Document and settings \admin \ desktop \fixme.reg . The specified file is not a registry script . You can only import binary registry files within the registry editor
You didn't save the file as plain ASCII. Copy/paste the data again, and on the Save As dialog select "All Files" as Filetype, then save it as FixMe.reg. Try it again afterwards.

You ran RegSearch with the wrong parameters. Start RegSearch and enter FWSvc in the box under the Search strings. Click "OK".
Nigler
Hi

Here is the Reg Search Log

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/16/2006 8:15:31 PM for strings:
; 'fwsvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc]
; Contents of value:
; c:\program files\winantivirus pro 2006\fwsvc.exe /service
"ImagePath"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,57,69,6e,\
  41,6e,74,69,56,69,72,75,73,20,50,72,6f,20,32,30,30,36,5c,46,57,53,76,63,2e,\
  65,78,65,20,2f,73,65,72,76,69,63,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\FWSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"

; End Of The Log...

Hope this is OK

Nigler
Bobbi Flekman
Hi Nigler,

Download RegDACL, and extract it.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat and save it in the same folder as where you extracted RegDACL.

CODE
RegDACL HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC /GGE:F
RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC /GGE:F


Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
Locate FixReg.bat in that folder and double-click on it.

QUOTE
Hope this is OK
Yep :) Can you post a new log from RegSearch after the instructions.
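The RegSearch log Nigler posted above and the fixme.reg in this reply, worked through in code. This is an added example, not code from the thread, from RegSearch or from RegDACL: it parses the log's REGEDIT4 text, decodes the hex(2) ImagePath value back into the path RegSearch printed as a comment, and derives the seven deletion keys the way the reply did. Keys under CurrentControlSet are skipped because that name is a link to whichever numbered ControlSet00N the machine booted, and a subkey is dropped when its parent is already on the list, since regedit removes a key together with its subkeys. The log excerpt inside is copied from the post above with the header comments removed; the function names are this example's own.

```python
"""Parse a RegSearch (REGEDIT4-format) log and plan the key removal.

Added example, not code from the thread, from RegSearch or from RegDACL.
It reads the RegSearch log posted in the thread, decodes the hex(2)
ImagePath value back to text, and derives the shortest list of keys whose
deletion covers every hit, which is why the fixme.reg in the reply lists
seven keys rather than every hit in the log.
"""
import re

# Excerpt of the RegSearch log from the thread (header comments dropped;
# RegSearch lists a key twice when both the key name and a value matched).
SAMPLE_LOG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FWSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\FWSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\FWSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\FWSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc]
"ImagePath"=hex(2):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,57,69,6e,\
  41,6e,74,69,56,69,72,75,73,20,50,72,6f,20,32,30,30,36,5c,46,57,53,76,63,2e,\
  65,78,65,20,2f,73,65,72,76,69,63,65,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FWSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"
"""


def parse_reg_log(text):
    """Return {key: {value_name: raw_value_text}} in log order.

    Backslash-continued lines (used by hex(...) values) are joined first,
    so every value sits on one line by the time it is split on '='."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})   # merge duplicate hits
        elif line.startswith('"') and current is not None:
            name, _, raw = line.partition("=")
            current[name.strip('"')] = raw
    return keys


def decode_hex_value(raw):
    """Decode a REGEDIT4 hex(...) value.

    REGEDIT4 (as opposed to 'Windows Registry Editor Version 5.00') writes
    strings as single-byte ANSI, so hex(1)/hex(2) bytes are cp1252 text up
    to the terminating NUL. Other kinds are returned as raw bytes."""
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("not a hex value: " + raw)
    kind = int(m.group(1) or 3)                      # bare 'hex:' is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind in (1, 2):                               # REG_SZ / REG_EXPAND_SZ
        return data.split(b"\x00", 1)[0].decode("cp1252")
    return data


def plan_deletions(keys):
    """Shortest key list whose deletion removes every hit.

    CurrentControlSet is a link to the ControlSet00N that booted, so hits
    under it are covered by the numbered sets; a key whose ancestor is
    already listed is covered because regedit deletes subkeys too."""
    planned = []
    for key in sorted(keys, key=str.lower):          # parents sort before children
        if "\\currentcontrolset\\" in key.lower():
            continue
        if any(key.lower().startswith(p.lower() + "\\") for p in planned):
            continue
        planned.append(key)
    return planned


def render_fixme_reg(keys):
    """REGEDIT4 script deleting the given keys; [-KEY] means delete the key."""
    return "REGEDIT4\n\n" + "\n\n".join("[-%s]" % k for k in keys) + "\n"


if __name__ == "__main__":
    hits = parse_reg_log(SAMPLE_LOG)
    for key, values in hits.items():
        for name, raw in values.items():
            if raw.startswith("hex"):
                print("%s\\%s -> %r" % (key, name, decode_hex_value(raw)))
    print(render_fixme_reg(plan_deletions(hits)))
```

The script only plans the deletion; it does nothing about the permissions on the LEGACY_FWSVC keys, which is what the RegDACL lines in FixReg.bat are for, and a key that is still locked will simply survive the merge, which is why a fresh RegSearch log is the confirmation step.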
Nigler
Hi Bobbi

Here is the RegSearch Log.

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/17/2006 9:19:55 PM for strings:
; 'fwsvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FWSVC\0000]
"Service"="FWSvc"

; End Of The Log...

Regards

Nigler
Bobbi Flekman
Dôh!!!!!!! I didn't tell you to run the file you created for RegDACL. Can you run that and afterwards rerun the RegScript.

Please post a new log from RegSearch after that.
Nigler
G'day Bobbi...... You must get frustrated with people like me, who don't know anything at all about computers. You must have the patience of Job.

What do I do now ??????? None of what you said made sense to me......

" Can you run that and afterwards rerun the RegScript."

What do I Run and what is Reg Script ???????

You will have to spell it out in simple English....make it easy to follow.

Kind Regards

Nigler
Bobbi Flekman
Hey Nigler,

QUOTE (Nigler @ May 18 2006, 02:47 PM)
" Can you run that and afterwards rerun the RegScript."

What do I Run and what is Reg Script ???????

You will have to spell it out in simple English....make it easy to follow.
I had made a mistake in my last post: I had you copy and paste something as a batch file (file ending in .bat) and something as a RegScript (file ending in .reg), but I never told you to run the batch file. Therefore some entries in the Registry couldn't be removed. I'll just rephrase the entire post, so you can follow it from top to bottom ;)
---
Download RegDACL, and extract it.

Launch Notepad, and copy/paste the box below into a new text file. Save it as FixReg.bat and save it in the same folder as where you extracted RegDACL.

CODE
RegDACL HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC /GGE:F
RegDACL HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC /GGE:F


Double-click on FixReg.bat to execute it.

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

QUOTE
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_FWSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\FWSvc]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FWSVC]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\FWSvc]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

The above Registry file was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
Locate FixReg.bat in that folder and double-click on it.

Please post a new log from RegSearch after the instructions.
Nigler
Hi Bobbi.

Managed all of that OK.

Surprised that the log was clean..... Hope I didn't miss anything.


REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 5/20/2006 6:26:58 AM for strings:
; 'fwsvc'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

I got a feeling I missed something....this log should have a page of code on it.

I'm sure I did exactly as instructed.

Kind Regards

Nigler
Bobbi Flekman
Hi Nigler,

QUOTE
Surprised that the log was clean..... Hope I didn't miss anything.
...
I got a feeling I missed something....this log should have a page of code on it.
You did fine! I asked for the log to have the confirmation that it really had been deleted. And it did.

Could you post a log from HijackThis as a final checkup. How's the system?
Nigler
Hi Bobbi

Thanks, Yes my computer is running good now.

Hijackthis log enclosed


Logfile of HijackThis v1.99.1
Scan saved at 9:17:24 AM, on 5/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.safe-mail.com/
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.1] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add Content To YMMSS Reader - res://C:\Program Files\YMMSS Reader\Tristana.exe/AddContent.js
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {09883431-7429-11D5-8B69-0050049F5256} (VBAuthentic.Authentic) - https://www.metrobankdirect.com/download/Authentic/VBAuthentic.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/appdl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C2F38867-251C-4216-9B1C-BBE89B8700E2} (iVocalize Internet Conference 3 Setup) - http://www.talkingcommunities.com/client3/ivsetup3.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.click2translate.com/modules/ocx/XUpload.ocx
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC7E0D3-69BA-4255-8490-2D5D6203AC87}: NameServer = 58.69.254.4 58.69.254.9
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Be blessed

Nigler
Bobbi Flekman
hi Nigler,

This log looks clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP, get updated to SP-2.

Please post back if you are still having any problems....