Need Help Please

[fleka]

My virus program shows two infections that it won't heal

Trojan_Downloader.VBS.Iwill.g and
Trojan_Clicker.Win32,Delf.bc

I also ran house call and came up with the following

Java_Bytever.C and
Troj_Delf.KF

Please help.......thanks

[tetonbob]

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

Download the newest version of HijackThis at http://www.greyknight17.com/spy/HijackThis.exe and run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer http://www.greyknight17.com/spy/KRC%...20Analyzer.zip and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in 'y' if you agree. The 'result.txt' file will open up in Notepad. Copy the whole result.txt log and post it in the forum. You don't need to post the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.

[fleka]

Sorry it took me so long to get this done.....family trouble

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 3:02:12 PM, on 20/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Shaw Secure\FSGUI\ispnews.exe
C:\Program Files\Shaw Secure\FSGUI\fsguiexe.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hzy53s4s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hzy53s4s.slt\prefs.js)
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - Unknown owner - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

[tetonbob]

Sorry about the family trouble. Hope all is well. Not much showing in that log....

Run HJT and fix the following entry:

O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

[fleka]

I can't run the TDS-3.....it tells me that evaluation period has expired :-(

[greyknight17]

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

[fleka]

Well, pretty obvious my virus protection provided by my internet company isn't doing a very good job :-(


File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.

File System Found infected by "saap Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken
File C:\WINDOWS\system32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\HJT\backups\backup-20050421-100934-494.dll tagged as not-a-virus:RiskWare.Downloader.OTXloader. No Action Taken.

File C:\hp\bin\Terminator.exe tagged as not-a-virus:RiskWare.Tool.KillApp. No Action Taken.

File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Diet K\dk\dietk3.dat infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.

File C:\Program Files\Netscape\Netscape\plugins\npwthost.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

File C:\q123.vbs infected by "Trojan-Downloader.VBS.Iwill.g" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\Downloaded Program Files\imloader.exe tagged as not-a-virus:RiskWare.Downloader.ImLoader.b. No Action Taken.

File C:\WINDOWS\Downloaded Program Files\m4n.dll infected by "Trojan-Clicker.Win32.Delf.bc" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\system32\psis80ex.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.

[tetonbob]

Make sure WildTangent has been removed from your add/remove programs.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknight17.com/spy/Cleanup.exe ) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Download KillBox

Run Killbox. Paste the following locations into Killbox one at a time. Checkmark the box that says "Delete on Reboot", "Unload Explorer shell" and checkmark the box "Unregistered DLL" (If available) Click the RED X; first it will ask you to confirm the file to delete on reboot, click YES. Next it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\woinstall.exe
C:\WINDOWS\system32\psis80ex.ax
C:\HJT\backups\backup-20050421-100934-494.dll
C:\Program Files\Netscape\Netscape\plugins\npwthost.dll
C:\q123.vbs
C:\WINDOWS\Downloaded Program Files\imloader.exe
C:\WINDOWS\Downloaded Program Files\m4n.dll
C:\WINDOWS\system32\psis80ex.ax

Now run HJT and post a new log. Also run mwav again, and post a new log from that as well.

Please download Ad-aware at http://www.lavasoftusa.com/ and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go to http://www.lavasoftusa.com/software/...2cleaner.shtml to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware at http://www.greyknight17.com/spyware.htm#adaware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D http://security.kolla.de/. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident and make sure that TeaTimer is checked. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Now click on the 'Spybot-S&D' option on the top left to go back to the main screen. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the 'Fix Selected Problems' button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix http://majorgeeks.com/download4392.html and install it over the current Spybot installation.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

A good free AV program, AVG is available. Download, install, update and run a full scan.

Another is Avast!

[fleka]

I am trying to delete files in Killbox but I don't have the check boxes that you are talking about.....all I have are the following

Standard File Kill
Delete on Reboot
Replace on Reboot
End Explorer Shell While Killing File

???????

[tetonbob]

Hi fleka -

Sorry for any confusion...I must amend my speech.

Exchange End Explorer Shell While Killing File for Unload Explorer shell.

Unregister DLL before deleting will only be available if the file you enter into Killbox is a dll file. And even then, not always.... If you are entering an exe file, the box will remain greyed out. If this is not available, don't worry, just proceed.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox. First it will ask you to confirm the file to delete on reboot, click YES. Next it will ask to reboot now...click NO...and proceed with the next file.(hitting the X button for each file - choose NO when it asks if you want to reboot) Once you get to the last one click YES and it will reboot:

C:\WINDOWS\woinstall.exe
C:\WINDOWS\system32\psis80ex.ax
C:\HJT\backups\backup-20050421-100934-494.dll
C:\Program Files\Netscape\Netscape\plugins\npwthost.dll
C:\q123.vbs
C:\WINDOWS\Downloaded Program Files\imloader.exe
C:\WINDOWS\Downloaded Program Files\m4n.dll
C:\WINDOWS\system32\psis80ex.ax

Then proceed with the rest of the instructions, please.

[fleka]

Logfile of HijackThis v1.99.0
Scan saved at 12:19:53 PM, on 23/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\USB Storage RW\shwicon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\Shaw Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
C:\Program Files\Shaw Secure\Anti-Virus\fssm32.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
C:\Program Files\Shaw Secure\Common\FSMA32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Shaw Secure\Common\FSMB32.EXE
C:\Program Files\Shaw Secure\Common\FCH32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Shaw Secure\Common\FAMEH32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Shaw Secure\FSPC\fspc.exe
C:\Program Files\Shaw Secure\Anti-Virus\fsav32.exe
C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
C:\Program Files\Shaw Secure\FSGUI\fsguiexe.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.ca/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hzy53s4s.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\hzy53s4s.slt\prefs.js)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Show website &list - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Suspend Webpage Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F02} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Deny this website - {200DB664-75B5-47c0-8B45-A44ACCF73F03} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: &Allow this website - {200DB664-75B5-47c0-8B45-A44ACCF73F04} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Shaw Secure - Unknown - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: F-Secure Gatekeeper Handler Starter - Unknown - C:\Program Files\Shaw Secure\Anti-Virus\fsgk32st.exe
O23 - Service: fsbwsys - Unknown - C:\Program Files\Shaw Secure\backweb\3875767\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon - F-Secure Corporation - C:\Program Files\Shaw Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure HTTP Server - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Shaw Secure\Common\FSMA32.EXE
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[fleka]

File System Found infected by "SideFind Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "saap Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Narrator Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\hp\bin\Terminator.exe tagged as not-a-virus:RiskWare.Tool.KillApp. No Action Taken.
File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Diet K\dk\dietk3.dat infected by "not-a-virus:AdWare.Cydoor" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP3\A0000187.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP3\A0000188.ax infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.

File C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP3\A0000189.dll tagged as not-a-virus:RiskWare.Downloader.OTXloader. No Action Taken.

File C:\System Volume Information\_restore{DAC9DB1F-8BEF-451E-AB3B-6A67094EA198}\RP3\A0000190.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.

[tetonbob]

Please clear your System Restore Points by doing the following:

To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Now create a new Restore Point:

To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

Check to be certain a new System Checkpoint has been established. IF it hasn't (unlikely) manually create one.

I see that you have reverted to an older version of HJT...to eliminate any future confusion, please delete that version...keep only version 1.99.1


Check your Add/Remove programs for 180solutions, if present, uninstall.

Other than that, your log appears clean....how is your system running?

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

[fleka]

Thank you so much for your assistance,,,,,I thought I still had junk on here after looking at the mwav log.

I didn't find 180 solutions on Add/Remove programs so I guess it is gone

Other than that my system seems to be running a little slow....perhaps I will do another defrag

Again ,,,,thank you