pop up without ceasing ads1.revenue.net

[seethoe]

The above keeps on popping up and my IE and PC slows down alot. I've used many spyware to remove but still could not. I used to have elite.bar but somehow i think it was removed.

I used the Hijack This Analyzer and this is the result.txt file content. Please help me.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:09:19 AM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\PROGRA~1\SPYWAR~2\swdoctor.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = my
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit32.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .php: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/4...l/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)


End of KRC HijackThis Analyzer Log.
=====================================

[greyknight17]

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro http://uk.trendmicro-europe.com/ente...all_launch.php. Just follow the instructions on the site to run the online scan. If any viruses/trojans are detected, try to delete or clean them in that site. You may use Panda ActiveScan also at http://www.pandasoftware.com/products/activescan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Reboot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = my
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit 32.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {43331111-1111-1111-1111-611111195622} - file://c:\ex.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll

Do a search for these two and see if you can find them and delete them. Make sure that they are spelled exactly as shown here. Do not delete any other similarly named files:

userinit32.exe
slserves.exe

Delete this file -> C:\WINDOWS\System32\vbsys2.dll

Reboot into Normal Mode run a new HijackThis scan. Save the log file and post it here.

[seethoe]

Hi! Thanks for the quick reply and i've done as advised. below is the log file... but the ads.revenue.net pop-ups still comes, here's the log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:32:50 PM, on 5/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteczn32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune3.5.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O12 - Plugin for .php: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/4...l/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~2\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)

==============

Please help again... thanks ;)

[jgvernonco]

We need to look a little deeper, so let's try this...

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

And just in case that is not enough...

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

[seethoe]

Thanks for the reply and i've done the MVAV and Startdrek. Appreciate it. The log files as below:
==================================
MVAV Log File

File C:\windows\system32\eliteczn32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "EliteBar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "EliteBar Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\MSXML3A.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{44BE1747-DC65-4261-904F-17CA43E212B4}" refers to invalid object "D:\launch.ocx". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{A6616B31-4860-41E2-98E3-CA7649AF172F}" refers to invalid object "D:\launch.ocx". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{E9996309-363E-4AE4-B012-B5F8BB638FF7}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\DefUpdateCheck.dll". Action Taken: No Action Taken.

Entry "HKCR\GTDOWNLS.GTDownloaderCtrl" refers to invalid object "{FC6703A7-5B7E-4f58-BE6D-2693AA3906AE}". Action Taken: No Action Taken.

File C:\WINDOWS\internt.exe infected by "Trojan.Win32.Dialer.eb" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\a infected by "Trojan-Downloader.BAT.Ftp.j" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\elitefyn32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\elitekcs32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\elitenuk32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\eliteovc32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\elitepjg32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\elitexie32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\elitexut32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\System32\eliteyda32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\DOCUME~1\TIMOTH~2.TIM\LOCALS~1\Temp\uninstall.exe tagged as "not-a-virus:AdWare.ToolBar.EliteBar.q". Action Taken: No Action Taken.

File C:\Documents and Settings\Timothy See Thoe.TIMOTHY\Local Settings\Temp\uninstall.exe tagged as "not-a-virus:AdWare.ToolBar.EliteBar.q". Action Taken: No Action Taken.

File
File C:\Program Files\Parsons Technology\QuickVerse\QuickVerse\application kill.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Parsons Technology\QuickVerse\QuickVerse\move.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Parsons Technology\QuickVerse\QuickVerse\qv6_unin.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Yahoo!\Installs\ymsgrie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Software Download Area\acts411.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Software Download Area\Belcat.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Software Download Area\IPIX ActiveX.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Software Download Area\r3dicons.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Download Area\toolvox917.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\System Volume Information\_restore{76FCEC9C-C4F7-47C7-91ED-6D06DD12E0AA}\RP36\A0003970.pif infected by "Email-Worm.Win32.NetSky.d" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004113.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004131.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.

File C:\Windows\EliteSideBar\EliteSideBar 08.dll tagged as "not-a-virus:AdWare.ToolBar.EliteBar.z". Action Taken: No Action Taken.

File C:\Windows\EliteToolBar\EliteToolBar version 60.dll tagged as "not-a-virus:AdWare.ToolBar.EliteBar.af". Action Taken: No Action Taken.

File C:\Windows\internt.exe infected by "Trojan.Win32.Dialer.eb" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\a infected by "Trojan-Downloader.BAT.Ftp.j" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\elitefyn32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\elitekcs32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\elitenuk32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\Windows\SYSTEM32\eliteovc32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\elitepjg32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\elitexie32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\elitexut32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

File C:\Windows\SYSTEM32\eliteyda32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.

===========end of MVAV log ===============

StartDreck (build 2.1.7 public stable) - 2005-05-23 @ 09:00:12 (GMT +08:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 1)
Internet Explorer: 6.0.2800.1106
Logged in as Timothy See Thoe at TIMCAROLPC

»Registry
»Run Keys
»Current User
»Run
*H/PC Connection Agent="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
*Spyware Doctor="C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*EPSON Stylus Photo R310 Series=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
*SSC_UserPrompt=C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
*checkrun=C:\windows\system32\eliteczn32.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Microsoft Windows Media Player 6.4/{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Microsoft Windows Media Player 8/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
»Browser Helper Objects (LM)
*{53707962-6F74-2D53-2644-206D7942484F}
`InprocServer32=C:\PROGRA~1\SPYBOT~1\SDHelper.dll
*PCTools Site Guard/{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
`InprocServer32=C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
*Google Toolbar Helper/{AA58ED58-01DD-4d91-8333-CF10577473F7}
`InprocServer32=c:\program files\google\googletoolbar1.dll
*PCTools Browser Monitor/{B56A7D7D-6927-48C8-A975-17DF180C71AC}
`InprocServer32=C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton AntiVirus\NavShExt.dll
»Internet Explorer
»Current User
*Local Page=C:\WINDOWS\System32\blank.htm
*Search Bar=http://www.google.com/ie
*Search Page=http://www.google.com
*Start Page=about:blank
+SearchUrl
*provider=gogl
*=http://www.google.com/keyword/%s
»Default User
»Local Machine
*Default_Page_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/
*Start Page=about:blank
*CustomizeSearch=http://www.microsoft.com
*SearchAssistant=http://www.microsoft.com
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\System32\stobject.dll
*UPnPMonitor={e57ce738-33e8-4c51-8354-bb4de9d215d1}
`InprocServer32=C:\WINDOWS\System32\upnpui.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\SYSTEM32\Userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Timothy See Thoe.TIMOTHY\Start Menu\Programs\Startup\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\Color Calibration.lnk
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\MagicTune3.5.lnk
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
*C:\WINDOWS\Profiles\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
*C:\msdos.sys
`[Paths]
`WinDir=C:\MSDOS7
`WinBootDir=C:\MSDOS7
`[Options]
`LOGO=0
`BootGUI=0
*C:\config.sys
`REM Setup Generated File.
*C:\WINDOWS\System32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\System32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\System32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\WINDOWS\System32\TASKMGR.COM
*C:\WINDOWS\System32\taskmgr.exe
+C:\WINDOWS\System32\notepad.exe
*C:\WINDOWS\notepad.exe
+C:\WINDOWS\System32\taskman.exe
*C:\WINDOWS\taskman.exe
+C:\WINDOWS\System32\winhlp32.exe
*C:\WINDOWS\winhlp32.exe
+C:\WINDOWS\REGEDIT.COM
*C:\WINDOWS\regedit.exe
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+548=\SystemRoot\System32\smss.exe
+596=\??\C:\WINDOWS\system32\csrss.exe
+620=\??\C:\WINDOWS\system32\winlogon.exe
+664=C:\WINDOWS\system32\services.exe
+676=C:\WINDOWS\system32\lsass.exe
+836=C:\WINDOWS\system32\svchost.exe
+860=C:\WINDOWS\System32\svchost.exe
+952=C:\WINDOWS\System32\svchost.exe
+968=C:\WINDOWS\System32\svchost.exe
+1320=C:\WINDOWS\Explorer.EXE
+1348=C:\WINDOWS\system32\spoolsv.exe
+1712=C:\WINDOWS\System32\alg.exe
+1748=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1828=C:\Program Files\Norton AntiVirus\navapsvc.exe
+1952=C:\WINDOWS\System32\tcpsvcs.exe
+2004=C:\WINDOWS\system32\slserv.exe
+120=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+300=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+364=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+1496=C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
+1512=C:\Program Files\Spyware Doctor\swdoctor.exe
+1444=C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
+388=C:\Program Files\Nikon\NkView6\NkvMon.exe
+188=C:\WINDOWS\System32\svchost.exe
+2756=C:\Program Files\Internet Explorer\iexplore.exe
+3388=C:\Program Files\StartDreck\StartDreck.exe
+3476=C:\WINDOWS\system32\NOTEPAD.EXE
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
============================

How come my AntiVirus did not detect so many viruses?

[seethoe]

moving this up ;) Thanks for the advise given... but still need help..

[POADB]

WARNING!! This tool should be run from safe mode only. It will not be able to delete files in use by Windows, so running it from a regular windows session is useless. A readme is included with complete details on the tool and the malware it removes.

ETRemover.zip

Rescan with mwav.exe while in Safe Mode (after the above tool has been run) and then reboot back to normal mode and run another StartDreck. Bring the logs back with you in your next post, including an update of how things are.

[seethoe]

Hi! I do not have permission to download the file. but i'll run my anti-virus is safe mode then i'll do the mvav in safe mode and then run the startdreck in normal mode...

[POADB]

Download ETRemover from here: http://www.simplytech.it/ETRemover/ETRemover_v130.zip

It needs to be run in Safe Mode. After you have run this tool, run a new mwav.exe scan and report back with the logs.

[seethoe]

I've run the ETRemover at Safe Mode and then the MVAV at Safe Mode. Please help since MVAV still finds viruses. Here's the log file of MVAV:

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{44BE1747-DC65-4261-904F-17CA43E212B4}" refers to invalid object "D:\launch.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A6616B31-4860-41E2-98E3-CA7649AF172F}" refers to invalid object "D:\launch.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E9996309-363E-4AE4-B012-B5F8BB638FF7}" refers to invalid object "C:\Program Files\Common Files\Symantec Shared\DefUpdateCheck.dll". Action Taken: No Action Taken.
Entry "HKCR\GTDOWNLS.GTDownloaderCtrl" refers to invalid object "{FC6703A7-5B7E-4f58-BE6D-2693AA3906AE}". Action Taken: No Action Taken.
File C:\Program Files\Parsons Technology\QuickVerse\QuickVerse\application kill.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Parsons Technology\QuickVerse\QuickVerse\move.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Parsons Technology\QuickVerse\QuickVerse\qv6_unin.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\Installs\ymsgrie.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Download Area\acts411.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Download Area\Belcat.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Download Area\IPIX ActiveX.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Download Area\r3dicons.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Software Download Area\toolvox917.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{76FCEC9C-C4F7-47C7-91ED-6D06DD12E0AA}\RP36\A0003970.pif infected by "Email-Worm.Win32.NetSky.d" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004113.dll infected by "Trojan-Clicker.Win32.Agent.ac" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004131.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004931.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004932.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004933.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004934.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004935.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004936.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004937.dll tagged as "not-a-virus:AdWare.ToolBar.EliteBar.z". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004938.dll tagged as "not-a-virus:AdWare.ToolBar.EliteBar.af". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004939.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004940.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP10\A0004941.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{FB511307-B782-4CBA-BB9F-61DCC7074E24}\RP12\A0007205.exe infected by "Trojan.Win32.Dialer.eb" Virus! Action Taken: No Action Taken.

[POADB]

Those Win32 Reboot references are ok,

Do you know how to clear your System Restore points. If so you can clear them now.

Retunr to TSF a new HJT scan and let us know how things are.

[seethoe]

i had a surgery last week, and i've just came back. Here's the latest HJT log, hope all's ok..:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:47 PM, on 6/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [EPSON Stylus Photo R310 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3F2.EXE /P30 "EPSON Stylus Photo R310 Series" /O6 "USB001" /M "Stylus Photo R310"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [PANDA ANTISPAM SERVER SERVICE] "C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PasSrv.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Color Calibration.lnk = ?
O4 - Global Startup: MagicTune3.5.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O12 - Plugin for .php: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/4...l/gtdownls.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Panda Antispam Server Service (PASSRV) - Unknown owner - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PaSSrv.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\pavsrv51.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Platinum 2005 Internet Security\PsImSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
O23 - Service: WinPPPoverEthernet - Unknown owner - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)

[POADB]

Your log is clean.

Please clear your System Restore Points by doing the following:

To turn off System Restore,Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Now create a new Restore Point:

To turn on System Restore,Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

[seethoe]

thanks! U guys r cool! Greatly appreciate all of you.