
CoolWWWSearch is driving me crazy

1309 Views 4 Replies 2 Participants Last post by  sUBs
Can anyone help me remove CoolWWWSearch from my Win XP machine?

Spybot S&D detects it but cannot delete it, and CWShredder is not helping much either.

HijackThis log is below

Thanks

HC

Logfile of HijackThis v1.99.0
Scan saved at 15:02:43, on 24/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ZoomingHook.exe
C:\WINDOWS\system32\TCtrlIOHook.exe
C:\WINDOWS\system32\TPSMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\apivv32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HAMISH CHARLES\My Documents\Copied from Hard Drive\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [mfcvs32.exe] C:\WINDOWS\mfcvs32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe
O4 - HKLM\..\RunOnce: [syseg32.exe] C:\WINDOWS\syseg32.exe
O4 - HKLM\..\RunOnce: [sdkfp.exe] C:\WINDOWS\sdkfp.exe
O4 - HKLM\..\RunOnce: [sysnn.exe] C:\WINDOWS\system32\sysnn.exe
O4 - HKLM\..\RunOnce: [appen32.exe] C:\WINDOWS\system32\appen32.exe
O4 - HKLM\..\RunOnce: [apist.exe] C:\WINDOWS\apist.exe
O4 - HKLM\..\RunOnce: [sysxn32.exe] C:\WINDOWS\system32\sysxn32.exe
O4 - HKLM\..\RunOnce: [atlut.exe] C:\WINDOWS\atlut.exe
O4 - HKLM\..\RunOnce: [ipaw.exe] C:\WINDOWS\system32\ipaw.exe
O4 - HKLM\..\RunOnce: [apioq.exe] C:\WINDOWS\apioq.exe
O4 - HKLM\..\RunOnce: [sysih32.exe] C:\WINDOWS\sysih32.exe
O4 - HKLM\..\RunOnce: [syshj.exe] C:\WINDOWS\syshj.exe
O4 - HKLM\..\RunOnce: [sysca.exe] C:\WINDOWS\system32\sysca.exe
O4 - HKLM\..\RunOnce: [javapu32.exe] C:\WINDOWS\javapu32.exe
O4 - HKLM\..\RunOnce: [ntnf.exe] C:\WINDOWS\system32\ntnf.exe
O4 - HKLM\..\RunOnce: [winhr.exe] C:\WINDOWS\winhr.exe
O4 - HKLM\..\RunOnce: [mswg.exe] C:\WINDOWS\mswg.exe
O4 - HKLM\..\RunOnce: [winbp32.exe] C:\WINDOWS\winbp32.exe
O4 - HKLM\..\RunOnce: [nettb32.exe] C:\WINDOWS\system32\nettb32.exe
O4 - HKLM\..\RunOnce: [ieuz.exe] C:\WINDOWS\ieuz.exe
O4 - HKLM\..\RunOnce: [iera.exe] C:\WINDOWS\system32\iera.exe
O4 - HKLM\..\RunOnce: [d3pv.exe] C:\WINDOWS\system32\d3pv.exe
O4 - HKLM\..\RunOnce: [winlx.exe] C:\WINDOWS\system32\winlx.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD366D9-733E-47C4-8B41-732BA964AC0B}: NameServer = 62.6.40.162 194.72.0.114
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Hello and Welcome to TSF!

Please subscribe to this thread to get immediate notification of fixes as soon as they are posted.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

CleanUp!.exe - Install

About Buster.zip - Unzip to a new folder. Update About Buster & exit the program once that is completed.

CWShredder.exe
  1. Open CWShredder and click - I AGREE
  2. Click - Check For Update
  3. Close CWShredder after updating

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

ro.txt
Download it & rename it "ro.REG" (inclusive of the quotes)
Make sure you do not mistakenly rename it as ro.reg.txt (double extensions)


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available when you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Double-click on ro.REG & answer YES when prompted to merge into the Registry


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vrehg.dll/sp.html#10001

(FIX ALL R0 & R1 ENTRIES THAT LOOK SIMILAR TO THIS - res://C:\WINDOWS\****.dll/sp.htm)

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O4 - HKLM\..\Run: [mfcvs32.exe] C:\WINDOWS\mfcvs32.exe
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Start HijackThis & Go to Config> Misc Tools > Open ADS Spy
  1. Checkmark/tick - "Ignore Safe System Info Streams"
  2. Click the "Scan" button
  3. When it has finished scanning, checkmark/tick all that it found
  4. Click the "remove selected" button


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click [Scan your PC] & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click [Scan Now]
  3. Enter your e-mail address & click [Scan Now] ...begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
  4. About Buster
  5. Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
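The triage rules sUBs applies above (R0/R1 entries pointing at a `res://...dll/sp.html` resource, a nameless BHO whose DLL sits directly in C:\WINDOWS, and Run/RunOnce entries launching short randomly-named executables dropped in C:\WINDOWS or system32) can be expressed as a small log scanner. The script below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the tools listed. The sample log, the prefix list in `RANDOM_EXE`, the rule names, and the `WINDIR` location are all constructed here from the entries quoted in the thread and are assumptions, so treat matches as items to review, not as a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 line format, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vrehg.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\vrehg.dll/sp.html#10001
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe
O4 - HKLM\..\RunOnce: [sysnn.exe] C:\WINDOWS\system32\sysnn.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
"""

# R0/R1: IE search settings redirected to an sp.html page served out of a DLL (the thread's res://...\****.dll/sp.htm rule).
SEARCH_HIJACK = re.compile(r"^R[01] - .+= res://(?P<dll>[^/]+\.dll)/sp\.html?", re.IGNORECASE)
# O4: autostart entries under HKLM/HKCU Run, RunOnce etc.; the target may be quoted and may carry arguments.
AUTORUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")
# O2: browser helper objects, "name - {CLSID} - dll path".
BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<dll>.+)$")
# First .exe in an O4 target, ignoring surrounding quotes and trailing arguments.
EXE_PATH = re.compile(r'^"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)
# Heuristic (assumption drawn from the names in this thread's logs): a short system-sounding prefix,
# two to four random letters, an optional "32", dropped straight into %WINDIR% or system32.
# Legitimate names such as msmsgs.exe would also match the name test, so the directory test matters.
RANDOM_EXE = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2,4}(32)?\.exe$",
    re.IGNORECASE)
WINDIR = "c:\\windows"                      # assumed install location, as in the thread's logs
DROP_DIRS = {WINDIR, WINDIR + "\\system32"}


def split_path(path):
    """Return (directory, basename), both lower-cased, for a Windows path."""
    lowered = path.lower()
    if "\\" not in lowered:
        return "", lowered              # bare name, resolved via the search path; directory unknown
    directory, base = lowered.rsplit("\\", 1)
    return directory, base


@dataclass
class Finding:
    line_no: int
    rule: str
    line: str


def triage(log_text):
    """Scan HijackThis-style lines and return the entries that match one of the three rules."""
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if SEARCH_HIJACK.match(line):
            findings.append(Finding(line_no, "search-hijack", line))
            continue
        m = BHO.match(line)
        if m:
            directory, _ = split_path(m.group("dll"))
            if directory == WINDIR:     # real BHOs live under Program Files or system32, not %WINDIR% root
                findings.append(Finding(line_no, "bho-in-windir", line))
            continue
        m = AUTORUN.match(line)
        if m:
            exe = EXE_PATH.match(m.group("target"))
            if exe:
                directory, base = split_path(exe.group("path"))
                if directory in DROP_DIRS and RANDOM_EXE.match(base):
                    findings.append(Finding(line_no, "random-exe-autorun", line))
    return findings


def rules_hit(log_text):
    """Map rule name -> list of matching log line numbers; convenient for a summary or a test."""
    out = {}
    for f in triage(log_text):
        out.setdefault(f.rule, []).append(f.line_no)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>3} [{f.rule}] {f.line}")
```

Run on the sample, it flags the two `res://...sp.html` search entries, the `addqy.dll` BHO and the two autorun entries for `apivv32.exe` and `sysnn.exe`, while leaving `ctfmon.exe`, the Symantec entry and the bare `TPSMain.exe` alone. The prefix list is only as good as the samples it was built from, which is why the directory test is combined with the name test rather than either being used on its own.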
Cws

Thanks very much for your help, I will let you know how I get on.

HC
Csw

Hi, I followed all the steps you recommended and it looks like it is fixed.

As you asked, I have attached all the fresh logs.

Let me know what you think and thank you for all your help so far, I am really grateful.

HC

HJT Log below

Logfile of HijackThis v1.99.0
Scan saved at 23:14:54, on 25/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [TOSHIBA Accessibility] C:\Program Files\TOSHIBA\Accessibility\FnKeyHook.exe
O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\TOSHIBA Applet\HWSetup.exe hwSetUP
O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\Toshiba\Windows Utilities\SVPWUTIL.exe SVPwUTIL
O4 - HKLM\..\Run: [Zooming] ZoomingHook.exe
O4 - HKLM\..\Run: [TCtryIOHook] TCtrlIOHook.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [mfcvs32.exe] C:\WINDOWS\mfcvs32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\syseg32.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Online Scan log is below

Incident Status Location

Adware:adware/searchaid No disinfected C:\DOCUMENTS AND SETTINGS\HAMISH CHARLES\FAVORITES\Only sex website.url
Spyware:spyware/petro-line No disinfected C:\DOCUMENTS AND SETTINGS\HAMISH CHARLES\FAVORITES\SITES ABOUT\Ab scissor.url
Adware:adware/navipromo No disinfected C:\WINDOWS\sdkkg32.exe
Dialer:dialer.bjp No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\USER AGENT
Adware:Adware/MyWay No disinfected C:\Documents and Settings\HAMISH CHARLES\My Documents\Copied from Hard Drive\Program Files\HiJackThis\backups\backup-20050204-182542-171.dll
Adware:Adware/MyWay No disinfected C:\Program Files\HiJackThis\backups\backup-20050204-182542-171.dll

Antispyware logfile is below

Machine=HCMLAPTOP
Time=Fri Aug 26 10:17:09 2005
Product Version=3, 0, 1, 22
OS Version=Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Started Scanning
Programs in Memory
Finished Scanning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning
Started Cleaning
Internet Explorer/MSN/AOL Cache
Delete History Items on Startup: Cleaned 'Internet Explorer/MSN/AOL Cache' in ''
Windows Temp Files
Delete History Items on Startup: Cleaned 'Windows Temp Files' in ''
Cookies
Delete History Items on Startup: Cleaned 'Cookies' in ''
Finished Cleaning
Started Scanning
Internet Cookies
CoolWebSearch Variants (CWShredder)
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Finished Scanning



AboutBuster logfile


AboutBuster 5.0 reference file 31
Scan started on [25/08/2005] at [23:46:06]
------------------------------------------------
Removed Stream! C:\WINDOWS\_default.pif:qoaaa
------------------------------------------------
Removed File! : C:\Windows\ejabn.dat
Removed File! : C:\Windows\fykjf.dll
Removed File! : C:\Windows\ltgpj.dat
Removed File! : C:\Windows\System32\cwjvi.dat
Removed File! : C:\Windows\System32\fqfty.dat
Removed File! : C:\Windows\System32\kjkss.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 23:46:40




Ewido log file is below
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 01:39:47, 26/08/2005
+ Report-Checksum: CD151FDF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{24E3BE10-F69B-E844-6C5C-4F99122C2344} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{792A038A-9C16-9885-5B25-CE939788172A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{818D123D-B7CF-1169-DD32-2310AD262479} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{85E6B001-B482-61AE-78C6-6EAE60D74D00} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{865E2CEC-DCDC-CF30-C932-8A491F233655} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8A50C2FE-C00E-0C19-DC1A-BCABABE155C3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A7D90935-7D8E-3E5D-9E71-486D629FCAAD} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BF680029-9EFC-9F01-F3C3-ECC0A8DF53A1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C54510FE-72AA-27FF-1198-0CC47906F451} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FC5F30D8-4A16-B1C4-CFF8-EE955DFA16A2} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\HAMISH CHARLES\My Documents\Copied from Hard Drive\Program Files\HiJackThis\backups\backup-20050204-182543-805.dll -> Spyware.MyWay : Cleaned with backup
C:\ms32.tmp -> TrojanDownloader.Small.azk : Cleaned with backup
C:\Program Files\AlertSpy\SpyWares\spydb.exe -> Spyware.AlexaBar : Cleaned with backup
C:\Program Files\AlertSpy\uninst.exe -> Spyware.AlexaBar : Cleaned with backup
C:\Program Files\HiJackThis\backups\backup-20050204-182543-805.dll -> Spyware.MyWay : Cleaned with backup
C:\Program Files\HiJackThis\backups\backup-20050825-231828-597.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addea.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addel.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addmq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addoq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\adduk.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addvi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apidd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiff32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiie32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apioq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiot.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apist.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiuh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apivv32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apixa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appbf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apphc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apprm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appxt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlda32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlkl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlnn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlos.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlru.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlsi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlut.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crdz.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crqz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crvd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3is32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3ll.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3rd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieee.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iepp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieuz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iewa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieym.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieyu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipeg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipki32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipkv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iptx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javafq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javalq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javamu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javane.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javapu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaqe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javasr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcdi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcff.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcgm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcko.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcrw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msbb32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mseg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msfc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msft32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msij.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msop32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msqm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mswg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netkb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\netkb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netlt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netyj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netzp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntbf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntdq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntke32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntvd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkdn.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkfj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkfp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkmd.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkps32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkte32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkwm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkyl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysad32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysaw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syseg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syseh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syshj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysih32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syslh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysnn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syspk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysso.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addcb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addmo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addmx32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\addng32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addzf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apidp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apifb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apijc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apiln32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apipm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appbg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appen32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appjp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appme32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appmm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appmw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appsa.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apptj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atldn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlgs32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atliq.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlqp.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atlvk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crby.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crdi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crjj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crpr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crum32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crwj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crxj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crxz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3fp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3ok32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3pa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3pv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3rc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3ts.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3uc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iebx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iees32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\ieia32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iemi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ieqo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iera.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ievg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipaw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipbv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipky32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipnu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\iptn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaaa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaml.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javapc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaqh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javass32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcat.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfcat.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfclr32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msdc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mskb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mslo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msnq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msou.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msow.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msxe.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msyq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msyw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mszm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netcg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netfk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netif32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\netjw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\nettb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netwt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netyf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntbt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntlg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntnf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntvo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntzz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\sdkrp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysca.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysfo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysnn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\syspz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysvg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysxn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\wines.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\wines.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winle.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winlx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winnz.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winoy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winwh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winzb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winzp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\wppp.html -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\syszr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winbp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winhr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winkf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winko32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winny.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winow32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wintv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winxn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:obqcy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ofptg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:oqkfb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:osqas -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:paopg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:pdbgy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:pgqep -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:pnzna -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:podav -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:qhagg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:qixty -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:qksmr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:qkzey -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:qskvvo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:qwnai -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:qzbpq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:radje -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:rqlgf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ryhcf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:shgro -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:soozz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ssdpa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:syazm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tcwzt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:tgtzp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:torxn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:tsqkl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uefyf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ukamg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:usbie -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:uudvo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uvkxg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:uxwum -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vavxc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vfxne -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:vsehm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:vupnkz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:whwjd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:wstjp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:wvjif -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:wwreh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:wycxq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xgbww -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xgnmma -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xjnvm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xwuvg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:xycbc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xyhfi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:xyikv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:xznut -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:yebas -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:yfjne -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ygcqg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ylqmt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:yrthm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:yueyv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:ywnpv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:zclnn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:ziwvy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:zrnpy -> TrojanDownloader.Agent.bq : Cleaned with backup


::Report End
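The report above has the uniform shape "path -> detection : action", and two things in it deserve a second look before trusting a "Cleaned" verdict: the entries whose file name carries a colon after the real name (those are NTFS alternate data streams hidden behind C:\WINDOWS\_default.pif, which Explorer will not show), and the dozens of droppers with names built from a familiar prefix (ie, ip, java, mfc, ms, net, nt, sdk, sys, win, ...) plus a few random letters. As an added triage aid, not part of the original post and not Ewido's own code, the Python below parses lines in that shape, separates stream entries from ordinary files, tallies detections by family and lists anything the scanner did not clean. The sample lines are copied from the report; the prefix list is a heuristic derived from the names in this report, not a vendor signature.

```python
"""Triage helper for an Ewido-style scan report (added example, not Ewido's own code)."""
import re
from collections import Counter

# Constructed sample in the same "path -> detection : action" shape as the report above;
# the lines are taken from the report itself so the parser can be exercised offline.
SAMPLE_REPORT = r"""
C:\WINDOWS\ipeg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netkb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\wppp.html -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\_default.pif:obqcy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:pdbgy -> TrojanDownloader.Agent.bc : Cleaned with backup
::Report End
"""

# One report line: path, detection family, action taken.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<family>\S+) : (?P<action>.+?)\s*$")

# Heuristic for the generated dropper names seen in this report (ipeg.exe, netkb32.dll,
# sdkfj.exe, ...): a familiar prefix, two to four random letters, optional "32".
# Derived from this report only; it is an assumption, not a vendor signature.
GENERATED_NAME_RE = re.compile(
    r"^(add|api|app|atl|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2,4}(32)?\.(exe|dll)$",
    re.IGNORECASE,
)


def parse_report(text):
    """Turn report lines into dicts; blank lines and the ::Report End marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        directory, _, basename = path.rpartition("\\")
        # A colon inside the basename (not the drive letter) marks an NTFS alternate
        # data stream: "_default.pif:obqcy" is stream "obqcy" attached to _default.pif.
        host, sep, stream = basename.partition(":")
        entries.append({
            "path": path,
            "directory": directory,
            "file": host,
            "stream": stream if sep else None,
            "family": m.group("family"),
            "action": m.group("action"),
            "generated_name": bool(GENERATED_NAME_RE.match(host)) and not sep,
        })
    return entries


def summarize(entries):
    """Counts and lists a responder would check before calling the machine clean."""
    return {
        "total": len(entries),
        "by_family": Counter(e["family"] for e in entries),
        "ads_streams": sum(1 for e in entries if e["stream"]),
        # Host files that carry streams: these are the files to re-check after cleaning.
        "ads_hosts": sorted({e["directory"] + "\\" + e["file"] for e in entries if e["stream"]}),
        "generated_names": sum(1 for e in entries if e["generated_name"]),
        "not_cleaned": [e["path"] for e in entries if not e["action"].startswith("Cleaned")],
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the full report instead of the sample and the "ads_hosts" list is the short set of files worth inspecting by hand; an empty "not_cleaned" list is the minimum before moving on to the registry and service fixes in the next post.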
Your HJT log appears to be taken from Safe Mode. I require your next log to be from Normal Mode

Something I overlooked from the previous log. You are using an outdated version of HiJackThis. Please click on the link below to download the latest version:
1. Delete your current HiJackThis.exe file
2. Double-click on the file you just downloaded.
3. Click on the "Unzip" button to install the newer version.
4. It will by default install to the directory - C:\PROGRAM FILES\HIJACKTHIS\

I require your next HJT log to be from this newer version


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in the same directory as the HiJackThis program.

HSFix.zip


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customised my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any opened browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, reboot your computer in SafeMode :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
  • AlertSpy

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Unzip HSfix.zip & double-click on HSfix.reg. Answer Yes when prompted to merge into the registry.

Double-click on ro.REG & answer YES when prompted to merge into the Registry


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Network Security Service (NSS)
  • Double-click on it to open the Properties dialog.
    • Stop the service by using the Stop button.
    • Change the Startup type to Disabled & then click on the OK button
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
  • In the popup box that appears, type in NSS & then click on the OK button

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {E13F3FF4-7686-8A2F-D80E-02A8DFA5DCF6} - C:\WINDOWS\addqy.dll
O4 - HKLM\..\Run: [mfcvs32.exe] C:\WINDOWS\mfcvs32.exe
O4 - HKLM\..\Run: [apivv32.exe] C:\WINDOWS\apivv32.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\syseg32.exe



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\AlertSpy
  • C:\DOCUMENTS AND SETTINGS\HAMISH CHARLES\FAVORITES\SITES ABOUT\
Locate and delete the following files:
  • C:\WINDOWS\sdkkg32.exe
  • C:\WINDOWS\addqy.dll
  • C:\WINDOWS\mfcvs32.exe
  • C:\WINDOWS\apivv32.exe
  • C:\WINDOWS\syseg32.exe
  • C:\DOCUMENTS AND SETTINGS\HAMISH CHARLES\FAVORITES\Only sex website.url

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run CWShredder & click on Fix.

Run About Buster and click - Begin Removal.
Locate 'Ab LogFile.txt' (... in the same folder as AboutBuster) and post it in your next reply.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** Ewido scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE


Perform an online scan with Internet Explorer with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        • Standard
      • Scan Options:
        • Scan Archives
        • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Kaspersky scan
  3. About Buster
  4. Ewido
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now