
Status: Not open for further replies.
1 - 8 of 8 Posts

Registered · 4 Posts · Discussion Starter · #1
I've been dealing with Adware, Malware, Spyware, Viruses for the past week. I have gone step-by-step through the KRC Anti-Spyware Tutorial (very helpful by the way in getting rid of numerous issues) but I can't seem to kick this Hijacker.Generic bug which, according to Ewido, is in C:\windows\system32\repairs.dll. I have tried to delete it but it always says it's in use, and when I first boot up, I get 50+ hits with it trying to sign on--again according to Ewido. My system is extremely slow and I have to believe this is a contributing factor.

Here is my Hijackthis Analyzer log:
====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 8/4/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 2:37:18 PM, on 9/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\surfmonkey\smproxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - Startup: QuickShelf 1994.lnk = C:\BOOKS94\QSHELF.EXE
O4 - Global Startup: HP OfficeJet Series 500 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\Bin\HPOstr05.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - AppInit_DLLs: repairs.dll
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

Any assistance you can provide would be greatly appreciated.
 

TSF Security Team, Emeritus · 26,363 Posts
Go to Control Panel > Add/remove programs.
Tell me if you see an entry for Surf SideKick. Don't do anything about it yet. Just let me know.
 

Registered · 4 Posts · Discussion Starter · #3
No. I've been to add/remove programs and tried to get rid of SurfSideKick. It seems it all started with that, but I thought running the jobs in the KRC Anti-Spyware Tutorial had found and destroyed it.
 

TSF Security Team, Emeritus · 26,363 Posts
I cannot understand what you're saying. Is the entry there?
Do not try to uninstall it yet.

If it's not there, it will be recreated soon. Try browsing around a bit, this malware has regenerative characteristics. It will rebuild your previous failed attempt to uninstall it.
 

Registered · 4 Posts · Discussion Starter · #5
No. I see no entry for SurfSideKick that I can get rid of in Add/Remove programs. I was getting attacked by it about a week ago and went through various programs to get rid of it. I stopped getting the pop-up ads "Brought to you by SurfSideKick..." after running one of those spyware products (I think it was Spybot S&D), but I keep getting "hits" from this Spyware.Hijacker.Generic thing. I haven't seen a SurfSideKick msg in about 3 days, and I've done plenty of reboots and other browsing, which I would have thought would have allowed it to regenerate by now.
 

TSF Security Team, Emeritus · 26,363 Posts
If it hasn't turned up by now, it should be gone. Let's fix the rest of the entries present.

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

CleanUp.exe - Install.

I need you to update Ewido again. Please go to this website - http://www.ewido.net/en/download/updates/
Download the full updated database (Approximately 3600 KB) & install it onto your copy of Ewido.


'UNPLUG'/DISCONNECT YOUR COMPUTER FROM THE INTERNET WHEN YOU HAVE FINISHED DOWNLOADING


This webpage will not be available while you're carrying out the fix. Please save the following instructions in Notepad. I have customized my instructions on the assumption that you are using Notepad. It may lead to some confusion should you choose to do otherwise.

If there's anything that you don't understand, kindly ask your questions before proceeding with the fixes. There should not be any open browsers when you are carrying out the procedures below.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Next, please reboot your computer in SafeMode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • SurfMonkey
  • WeatherBug

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


CLOSE ALL OTHER PROGRAMS & ALL OPENED WINDOWS


Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

R3 - Default URLSearchHook is missing
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - AppInit_DLLs: repairs.dll



= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\WINDOWS\surfmonkey\
  • C:\Program Files\AWS\
Locate and delete the following files:
  • C:\WINDOWS\system32\stb.exe
  • C:\WINDOWS\system32\repairs.dll
  • C:\WINDOWS\system32\communicator.dll

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Scan local drives for temporary files
4. Click OK
5. Press the CleanUp! button to start the program. Reboot/logoff when prompted.
* CleanUp! will not create any backups!!


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


REBOOT TO NORMAL MODE

Perform an online scan with Internet Explorer at one of the following sites:
Take note the names and locations of any file it detects but fails to clean.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


Download Trend Micro™ Anti-Spyware (by clicking the "Scan and Clean your PC" button).
  • Double-click the tmas-web-scan.exe icon
  • It will say "Loading TrendMicro definitions".
  • Click "Start Scan"
After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. I then need you to repeat the same procedure above again... using the TrendMicro tool. I need the log from the second scan/clean...NOT the first...as this will contain what’s left in the system.

In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.


= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =


In your next post, please include fresh logs from:
  1. HiJackThis
  2. Online scan
  3. Antispyware.log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
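Added example (editor's code, not from either participant or from the HijackThis project): the fix above is, in effect, a set of triage rules applied to the log, and the "in use" error in the first post follows from the O20 entry, because user32.dll maps every DLL listed in AppInit_DLLs into each process that links it, so the file stays open until the registry value is cleared and the machine rebooted. The script below applies those rules to a constructed log made of the entry types seen in this thread: it flags AppInit_DLLs injections, orphaned entries marked "(file missing)" or "(no file)", the missing URLSearchHook, and autoruns that match indicators the analyst already attributes to the infection, and it cross-checks each hit against the "Running processes:" list. The indicator list and the assumption that a bare AppInit_DLLs name resolves to C:\WINDOWS\system32 are the editor's, not the thread's.

```python
"""Triage a HijackThis v1.99.1 log for the entry types the fix above targets (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: a subset of the entry types that appear in the thread's logs.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\surfmonkey\smproxy.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll (file missing)
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [stb] C:\WINDOWS\system32\stb.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: repairs.dll
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
QUOTED_OR_BARE_RE = re.compile(r'^"([^"]+)"|^(\S+)')
SYSTEM32 = r"C:\WINDOWS\system32"   # assumed: where a bare AppInit_DLLs name resolves
# Assumed indicators, taken from the files the fix above deletes (lower-case path fragments).
DEFAULT_INDICATORS = ("\\surfmonkey\\", "\\system32\\stb.exe")


@dataclass
class Finding:
    section: str
    reason: str
    path: Optional[str]
    entry: str
    running: bool = False  # True when the path also appears under "Running processes:"


def running_processes(log_text: str) -> List[str]:
    """Lower-cased paths listed under 'Running processes:' (the list ends at a blank line)."""
    procs, collecting = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break
            procs.append(line.strip().lower())
    return procs


def extract_path(sec: str, body: str) -> Optional[str]:
    """Pull the file path out of an entry body; the layout differs per section type."""
    if sec == "O4":                        # HKLM\..\Run: [name] "C:\x.exe" /arg
        parts = body.split("] ", 1)
        m = QUOTED_OR_BARE_RE.match(parts[1]) if len(parts) == 2 else None
        return (m.group(1) or m.group(2)) if m else None
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        name = body.split(":", 1)[1].strip()
        return name if "\\" in name else SYSTEM32 + "\\" + name
    if sec in ("O2", "O3", "O9", "O23"):   # ... - {CLSID} - C:\path\file.dll (file missing)
        tail = MISSING_RE.sub("", body.rsplit(" - ", 1)[-1]).strip()
        return tail or None
    return None


def triage(log_text: str, indicators=DEFAULT_INDICATORS) -> List[Finding]:
    """Return the entries an analyst would tick under 'Fix checked', each with its reason."""
    procs = running_processes(log_text)
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        path = extract_path(sec, body)
        reason = None
        if sec == "O20" and body.startswith("AppInit_DLLs:"):
            # user32.dll loads every DLL named here into each process that links it,
            # which is why the file reports "in use" and cannot be deleted normally.
            reason = "AppInit_DLLs injection: clear the value, reboot, then delete the file"
        elif MISSING_RE.search(body):
            reason = "orphaned entry: target file is gone, only the registry reference remains"
        elif sec == "R3" and "is missing" in body:
            reason = "default URLSearchHook removed; fixing restores the default"
        elif path and any(ind in path.lower() for ind in indicators):
            reason = "matches a known indicator of this infection"
        if reason:
            running = bool(path) and path.lower() in procs
            findings.append(Finding(sec, reason, path, line, running))
    return findings


def files_to_delete(findings: List[Finding]) -> List[str]:
    """Paths that still exist on disk and must go once their entries are fixed."""
    return sorted({f.path for f in findings if f.path and not f.reason.startswith("orphaned")})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        flag = " [RUNNING]" if f.running else ""
        print(f"{f.section:<4} {f.reason}{flag}\n     {f.entry}")
    print("\nDelete after fixing:", *files_to_delete(results), sep="\n  ")
```

Run against the sample, the script ticks the same six entries the expert listed (R3, the two orphaned O2/O3 entries, the two O4 autoruns, and the O20 line), reports that smproxy.exe is currently running, and produces the same three files to delete; the orphaned entries contribute no file because there is nothing left on disk to remove.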
 

Registered · 4 Posts · Discussion Starter · #7
I followed your directions as suggested. I was not presented with the opportunity to Uninstall the programs SurfMonkey or WeatherBug via Add/Remove Programs. By using HijackThis I was able to "fix" several items, but received the following message related to one fix -- "An unexpected error has occurred at procedure: ModBackup-MakeBackup (sItem = 020 - AppInit_Dlls:repairs.dll) Error #5 - Invalid call or argument" The message also suggested sending an email with a copy of the HijackThis scan log to an email address @ spywareinfo.com. Here is the most recent log:
Logfile of HijackThis v1.99.1
Scan saved at 7:27:21 PM, on 9/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: AutoTBar.exe
O4 - Startup: HP Organize.lnk = ?
O4 - Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP OfficeJet Series 500 Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37300.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I was able to delete the folders C:\WINDOWS\surfmonkey\ and C:\Program Files\AWS\ and the file C:\WINDOWS\system32\stb.exe. I was unable to find the file C:\WINDOWS\system32\communicator.dll and received the following error message when I tried to delete C:\WINDOWS\system32\repairs.dll -- "Cannot delete repairs: It is being used by another person or program. Close any programs that might be using the file and try again."

I ran Cleanup! and Panda ActiveScan which found nothing and Kaspersky Web Scanner found the following junk:

KASPERSKY ON-LINE SCANNER REPORT
Tuesday, September 13, 2005 22:02:13
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/09/2005
Kaspersky Anti-Virus database records: 140332
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 123977
Number of viruses found: 53
Number of infected objects: 111
Number of suspicious objects: 0
Duration of the scan process: 6093 sec

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\006C533D Infected: Trojan-Clicker.Win32.VB.ei
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\014B1611 Infected: Backdoor.Win32.Ruledor.e
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\031A539F Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\04E635BF Infected: Trojan.Win32.SecondThought.bg
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\05986E27 Infected: Trojan-Downloader.Win32.Dyfuca.dt
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09B7231F Infected: Trojan-Downloader.Win32.Agent.br
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09BB4D1B Infected: Trojan-Downloader.Win32.Small.ru
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09BE7717 Infected: Trojan.Win32.SecondThought.bf
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09C12114 Infected: Trojan.Win32.SecondThought.bg
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09C8750D Infected: Trojan-Downloader.Win32.Qoologic.d
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09CB1F09 Infected: Trojan.Win32.SecondThought.ao
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09CE4905 Infected: Trojan.Win32.SecondThought.ao
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\09D17302 Infected: Trojan-Clicker.Win32.VB.ei
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A6574FF Infected: Trojan-Dropper.Win32.SurfSide.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A7B7A47 Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A7F2443 Infected: Trojan-Downloader.Win32.Small.ya
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A882239 Infected: Trojan-Downloader.Win32.TSUpdate.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0A8C4C35 Infected: Trojan-Downloader.Win32.Agent.br
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0B5A0278 Infected: Trojan-Downloader.Win32.Adload.e
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0C375B84 Infected: Trojan-Downloader.Win32.Agent.br
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0E782398 Infected: Trojan-Downloader.Win32.Qoologic.f
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0F986C2D Infected: Trojan-Downloader.Win32.Small.aco
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\0FB11662 Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\107771BD Infected: Trojan-Downloader.Win32.Qoologic.f
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\11427E72.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\197F2956 Infected: Trojan-Downloader.Win32.Envolo.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1A085F96 Infected: Trojan-Dropper.Win32.SurfSide.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\1A8C109A Infected: Trojan.Win32.VB.qn
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\221B6073 Infected: Trojan-Downloader.Win32.Agent.bt
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\22D2305C Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\22D55A58 Infected: Trojan-Downloader.Win32.Lookme.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\22D80454 Infected: Trojan-Downloader.Win32.Lookme.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\25EE4994 Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27F83106/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.i
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27F83106/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27F83106/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27F83106/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27F83106/WISE0013.BIN Infected: Trojan-Downloader.Win32.TSUpdate.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\27F83106 Infected: Trojan-Downloader.Win32.TSUpdate.g
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2A030169 Infected: Trojan-Downloader.Win32.Agent.bt
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2D346327 Infected: Trojan-Downloader.Win32.Small.wj
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2E5014C2 Infected: Trojan-Downloader.Win32.Agent.bt
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2E8B3362 Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2EAA76AE Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\2FFD082E Infected: Trojan.Win32.StartPage.io
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\309737EB Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\30B10A73 Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\31B76ECA Infected: Trojan-Downloader.Win32.VB.ez
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\32B00456 Infected: Trojan-Downloader.Win32.TSUpdate.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\32CE6F7D Infected: Trojan-Clicker.Win32.VB.ei
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\338E1BC1 Infected: Trojan-Downloader.Win32.Agent.br
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\35034F79 Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\35243987.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3569496B Infected: Backdoor.Win32.Agent.co
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\3F1E57C0 Infected: Trojan.Win32.SecondThought.bf
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4101253B Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\41356C02 Infected: Trojan.Win32.SecondThought.ba
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4178163D.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\44BB1043 Infected: Trojan-Spy.Win32.Briss.e
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\44BE3A40 Infected: Trojan-Spy.Win32.Briss.j
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\44C1643C Infected: Backdoor.Win32.Ruledor.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\464B48E9 Infected: Trojan-Spy.Win32.Briss.i
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\48563DFE Infected: Trojan-Downloader.Win32.Agent.bt
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4AAE13BE Infected: Trojan-Downloader.Win32.Qoologic.d
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\4E7D5F1B Infected: Trojan-Dropper.Win32.Small.of
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\51450CD1 Infected: Trojan-Dropper.Win32.Small.mr
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\52FE00AE.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\53FC2D54 Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\56C313AC Infected: Trojan-Downloader.Win32.Dyfuca.dk
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\57843487 Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5B3879DE Infected: Trojan-Downloader.Win32.Small.wj
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\5B8A1384 Infected: Trojan-Dropper.Win32.Small.mr
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\61725ED3 Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\617608D0 Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\61852439 Infected: Trojan-Downloader.Win32.Agent.br
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\61C46AF4 Infected: Trojan.Win32.SecondThought.ai
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\62534FAB Infected: Trojan-Downloader.Win32.Dyfuca.dc
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\69807B59 Infected: Trojan.Win32.StartPage.nk
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6BB62793 Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\6C7F4CF6 Infected: Backdoor.Win32.Ruledor.c
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\72A65A81 Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\75484EA2.exe/staff.html Infected: Trojan-Clicker.JS.Linker.j
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\75484EA2.exe/trofkz.REG Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\75484EA2.exe Infected: Trojan.WinREG.LowZones.a
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\77D21923 Infected: Trojan-Downloader.Win32.QDown.h
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\78B765F6 Infected: Trojan.Win32.SecondThought.ag
C:\Program Files\Norton SystemWorks\Norton Antivirus\Quarantine\795679C0 Infected: Trojan-Dropper.Win32.Small.of
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037390.EXE/stream/data0002/stream/data0007 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037390.EXE/stream/data0002/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037390.EXE/stream/data0002 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037390.EXE/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037390.EXE Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037392.EXE/stream/data0002/stream/data0007 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037392.EXE/stream/data0002/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037392.EXE/stream/data0002 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037392.EXE/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037392.EXE Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037396.EXE/stream/data0002/stream/data0007 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037396.EXE/stream/data0002/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037396.EXE/stream/data0002 Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037396.EXE/stream Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037396.EXE Infected: Trojan-Clicker.Win32.VB.ex
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037463.exe/archive comment Infected: Trojan.Win32.Favadd.f
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037463.exe Infected: Trojan.Win32.Favadd.f
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037563.exe Infected: Worm.Win32.Lovesan.a
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037564.exe Infected: Backdoor.Win32.SdBot.gen
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037565.EXE/data0002 Infected: Trojan-PSW.Win32.Agent.h
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP211\A0037565.EXE Infected: Trojan-PSW.Win32.Agent.h
C:\WINDOWS\njqlbx.exe_ Infected: Backdoor.Win32.Agent.cg
C:\WINDOWS\system32\drivers\etc\1.hosts Infected: Trojan.Win32.Qhost
C:\WINDOWS\system32\drivers\etc\hosts.20050911-135249.backup Infected: Trojan.Win32.Qhost.ci

Scan process completed.

I did not see an option to let the Kaspersky program fix or remove any of these items.

Finally, here is the Antispyware.log from the 2nd run of Trend Micro Anti-Spyware:

Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Internet URL Shortcuts
Files and Directories
Found 'delfinAF.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinBD.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinCO.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinDL.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinED.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinID.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinKY.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinLD.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinLO.ebd' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinSI.edx' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinST.ebd' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found 'delfinTG.ebd' in 'C:\Documents and Settings\All Users\Application Data\wsxs'
Found '' in 'C:\Program Files\Funcade'
Found '' in 'C:\Program Files\joystick networks'
Found '' in 'C:\Program Files\Lycos'
Found 'LSP.DLL' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinAF.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinAF.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinAF.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinBD.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinBD.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinBD.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinCO.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinCO.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinCO.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinDL.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinDL.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinDL.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinED.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinED.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinED.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinID.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinID.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinID.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinKY.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinKY.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinKY.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinLD.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinLD.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinLD.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinLO.ebd' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinLO.ebd' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinLO.ebd'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinSI.edx' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinSI.edx' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinSI.edx'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinST.ebd' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinST.ebd' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinST.ebd'
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinTG.ebd' in shortcut areas.
Checking for 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinTG.ebd' in startup areas.
Cleaning 'C:\Documents and Settings\All Users\Application Data\wsxs\delfinTG.ebd'
Checking for 'C:\Program Files\Funcade' in shortcut areas.
Checking for 'C:\Program Files\Funcade' in startup areas.
Cleaning 'C:\Program Files\Funcade'
Checking for 'C:\Program Files\Funcade\uninstall.exe' in shortcut areas.
Checking for 'C:\Program Files\Funcade\uninstall.exe' in startup areas.
Cleaning 'C:\Program Files\Funcade\uninstall.exe'
Checking for 'C:\Program Files\joystick networks' in shortcut areas.
Checking for 'C:\Program Files\joystick networks' in startup areas.
Cleaning 'C:\Program Files\joystick networks'
Checking for 'C:\Program Files\Lycos' in shortcut areas.
Checking for 'C:\Program Files\Lycos' in startup areas.
Cleaning 'C:\Program Files\Lycos'
Checking for 'C:\WINDOWS\system32\LSP.DLL' in shortcut areas.
Checking for 'C:\WINDOWS\system32\LSP.DLL' in startup areas.
[SCANMODS] WARNING: Deletion of the file 'C:\WINDOWS\system32\LSP.DLL' requires a reboot.
Cleaning 'C:\WINDOWS\system32\LSP.DLL'
[SCANMODS] WARNING: Deletion of the file 'C:\WINDOWS\system32\LSP.DLL' requires a reboot.
Finished Cleaning
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Internet URL Shortcuts
Files and Directories
Found 'LSP.DLL' in 'C:\WINDOWS\system32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\WINDOWS\system32\LSP.DLL' in shortcut areas.
Checking for 'C:\WINDOWS\system32\LSP.DLL' in startup areas.
Finished Cleaning

In terms of how my computer is behaving...When I boot up I'm getting the following "Runner Error" message -- "Invalid BackWeb application id "137903"" When I click "Ok" the message goes away until the next time I reboot.

Each time I reboot, I am still getting approx. 50 hits, according to Ewido, from Spyware.Hijacker.Generic, i.e. C:\WINDOWS\system32\repairs.dll. It also seems to try a hit whenever I open a new file and often when I'm browsing and bring up a new site.
 

TSF Security Team, Emeritus
I notice that you have two anti-virus programs on your machine. That's not a good idea!!
Like firewalls, anti-virus programs conflict when co-existing with each other & may produce undesirable results. Please uninstall one of them.

Have Hijackthis fix these:

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe


Locate & delete these files:

C:\WINDOWS\njqlbx.exe_
C:\WINDOWS\system32\drivers\etc\1.hosts
C:\WINDOWS\system32\drivers\etc\hosts.20050911-135249.backup


Please use Symantec's guide to remove the Quarantine files.


CLEAR & RESET SYSTEM RESTORE'S CACHE
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


repairs.dll is the precise reason why I had you look at the add/remove entry for Surf SideKick. This is the file associated with regenerating Surf SideKick.

There are alternate methods of fixing that repairs.dll entry but they bear some risk. As such, I would prefer to do it using the safer method, which is from add/remove programs. From your last description, it would appear that Ewido is preventing repairs.dll from regenerating.

Please disable Ewido's real-time scanner for the moment. You can re-enable it after you're clean.
To disable Ewido's real-time scanner:
  • Double click on the Ewido icon in the system tray
  • Click on the status button
  • Select Remove Guard

Reboot & repeat the surfing bit. Let's give it another chance to regenerate.
Post a new HJT log when it does.
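On the two hosts-file variants Kaspersky flagged as Trojan.Win32.Qhost (1.hosts and hosts.20050911-135249.backup, which the reply above says to delete): the Qhost family works by planting hosts entries so that anti-virus vendor and update domains resolve to loopback or to an attacker's address, which is why the live hosts file is worth reading before the stray copies go. The script below is an added example written for this page, not a tool from the thread or from any vendor named in it. It is Python rather than the XP-era GUI tools used here; the watch-list of vendor/update domains is an assumption, and the hosts text and directory listing it runs on are constructed.

```python
"""Audit a Windows hosts file for Qhost-style hijack entries and list stray
hosts-file variants.  Added example for this thread, not code from it.
The sample hosts text and the directory listing are constructed; the
watch-list of vendor/update domains is an assumption."""
import ipaddress
from typing import List, NamedTuple, Sequence, Tuple

# Domains a Qhost-style hijack typically pins so the victim cannot reach
# AV updates or vendor support pages.  Assumed list, not from the thread.
WATCHED_SUFFIXES = (
    "symantec.com", "symantecliveupdate.com", "norton.com",
    "grisoft.com", "avg.com", "kaspersky.com", "trendmicro.com",
    "ewido.net", "windowsupdate.com", "microsoft.com",
)

# Files that legitimately live in %SystemRoot%\system32\drivers\etc.
EXPECTED_ETC_FILES = {"hosts", "lmhosts.sam", "networks", "protocol", "services"}


class HostsEntry(NamedTuple):
    lineno: int
    address: str
    names: Tuple[str, ...]


class Finding(NamedTuple):
    lineno: int
    address: str
    name: str
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts syntax: '<address> <name> [alias ...]', '#' starts a comment.
    Lines whose first token is not an IP address are ignored, as Windows does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        entries.append(HostsEntry(lineno, tokens[0], tuple(t.lower() for t in tokens[1:])))
    return entries


def _is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def _is_blackhole(addr) -> bool:
    # 127.x / ::1 and 0.0.0.0 both make a name unreachable.
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text: str) -> List[Finding]:
    """Return one Finding per suspicious name->address mapping."""
    findings = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry.address)
        for name in entry.names:
            if name == "localhost" and addr.is_loopback:
                continue  # the only mapping a stock XP hosts file carries
            if _is_watched(name):
                how = "blocked" if _is_blackhole(addr) else "redirected to " + entry.address
                findings.append(Finding(entry.lineno, entry.address, name,
                                        "security/update domain " + how))
            elif not _is_blackhole(addr):
                # Not on the watch-list, but resolving a name to a remote
                # address from the hosts file is still worth a look.
                findings.append(Finding(entry.lineno, entry.address, name,
                                        "non-loopback mapping, review"))
    return findings


def stray_hosts_files(listing: Sequence[str]) -> List[str]:
    """Given the file names in drivers\\etc, return hosts-file look-alikes
    (e.g. '1.hosts', 'hosts.<date>.backup') that are not the canonical set."""
    return sorted(n for n in listing
                  if "hosts" in n.lower() and n.lower() not in EXPECTED_ETC_FILES)


# Constructed sample: a stock header plus the kind of lines a Qhost
# infection writes.  203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.grisoft.com free.grisoft.com
0.0.0.0         update.microsoft.com
203.0.113.7     www.symantec.com
192.168.1.10    fileserver.lan
this line is not a hosts entry
"""

SAMPLE_ETC_LISTING = ["hosts", "lmhosts.sam", "networks", "protocol",
                      "services", "1.hosts", "hosts.20050911-135249.backup"]

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.lineno}: {f.address:<15} {f.name:<40} {f.reason}")
    print("stray hosts files:", stray_hosts_files(SAMPLE_ETC_LISTING))
```

To run it against a real machine, feed `audit_hosts` the contents of C:\WINDOWS\system32\drivers\etc\hosts and `stray_hosts_files` the directory listing of that folder. On a home XP box anything beyond the localhost line deserves an explanation, and a watch-list hit is usually the reason LiveUpdate or AV signature downloads stop working mid-infection; the stray copies are what the reply above tells the poster to delete.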
 