Need help removing spyware
-
I ran all the programs mentioned in the instruction thread; however, I still get pop-ups. I think it has to do with some DLL file in my system32 folder that Ad-Aware can't seem to delete and that seems to change its name every time I reboot my computer. Anyhow, here is the HijackThis log from my computer. Any help is much appreciated, since these pop-ups are really annoying.
Logfile of HijackThis v1.99.1
Scan saved at 15:44:35, on 4-4-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\windows\mousepad7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Gebruiker\Bureaublad\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l42slef71h2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
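As an added example (not part of this thread or of HijackThis itself), here is a small Python triage script that applies the checks a helper applies by eye to the log above: search/start-page entries in R0/R1 that point at an unfamiliar host, O4 autoruns launched straight from the Windows directory, an O20 Winlogon Notify DLL with a random-looking name (the pattern behind the "changes its name every reboot" symptom), and an O23 service whose file is missing. The sample input is a subset of the log posted above; the heuristics and the "three alternating letter/digit runs" threshold are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample input: a subset of the HijackThis v1.99.1 log posted
# above, copied verbatim so the checks can be tried against real entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\l42slef71h2.dll
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O20"
    reason: str   # why the entry deserves a second look
    line: str     # the log line exactly as posted


# "R1 - ...", "O23 - ..." etc.; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# An .exe sitting directly in the Windows directory rather than a subfolder.
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def alnum_runs(stem: str) -> int:
    """Count alternating letter/digit runs in a file-name stem.
    'nvsvc32' -> 2 (nvsvc, 32); 'l42slef71h2' -> 6 (l, 42, slef, 71, h, 2)."""
    return len(re.findall(r"[A-Za-z]+|\d+", stem))


def looks_random(path: str) -> bool:
    """Heuristic (assumption): generated names interleave letters and digits
    several times, while vendor DLLs rarely exceed two runs."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return alnum_runs(stem) >= 3


def analyze(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host:
                findings.append(Finding(section, f"search/start page points at {host}", line))
        elif section == "O4" and "] " in body:
            cmd = body.split("] ", 1)[1]
            # First token of the command line; honour a quoted path.
            exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            if WINROOT_EXE_RE.match(exe):
                findings.append(Finding(section, "autorun executable lives directly in the Windows directory", line))
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            dll = body.rsplit(" - ", 1)[-1]
            if looks_random(dll):
                findings.append(Finding(section, f"Winlogon Notify DLL with random-looking name: {dll}", line))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service points at a file that no longer exists", line))
    return findings


def report(log_text: str) -> str:
    """One finding per line, with the offending log entry indented beneath it."""
    return "\n".join(f"[{f.section}] {f.reason}\n    {f.line}" for f in analyze(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Entries that are not flagged (the NVIDIA autorun and service, the quoted Adobe path) show the checks stay quiet on ordinary vendor software; a flagged entry is a prompt to verify the file, not proof of infection.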
-
Welcome to DAL,
Let's get started by doing this:
Please download Look2Me-Remover.exe by Atribune to your desktop.
- Close all windows before continuing.
- Double-click Look2Me-Remover.exe to run it.
- Put a check next to Run this program as a task.
- You will receive a message saying Look2Me-Remover will close and re-open in approximately 10 seconds. Click OK
- When Look2Me-Remover re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
- Once it's done scanning, click the Remove L2M button.
- You will receive a Done Scanning message, click OK.
- When completed, you will receive this message: Done removing infected files! Look2Me-Remover will now shutdown your computer, click OK.
- Your computer will then shutdown.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Remover.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new...b/MSWINSCK.OCX
-
It seems the pop-ups stopped. My virus scanner prompted me a while after I ran L2M, though, about some .dll trojan/virus trying to (re-)enter my computer or something.
The L2M log:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 5-4-2006 8:34:11
Infected! C:\WINDOWS\system32\ktr2l79o1.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001278.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001291.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001300.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001301.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001318.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001324.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001349.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001362.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP17\A0002386.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002396.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002490.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002493.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002495.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002500.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002504.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002508.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002514.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002516.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002526.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002530.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002536.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002542.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002544.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002550.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002552.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002608.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002610.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002616.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002630.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002631.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002643.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002655.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002661.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002667.dll
Infected! C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002673.dll
Infected! C:\WINDOWS\system32\lvl0093me.dll
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\ktr2l79o1.dll
C:\WINDOWS\system32\ktr2l79o1.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001278.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001278.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001291.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001291.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001300.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001300.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001301.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001301.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001318.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001318.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001324.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001324.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001349.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001349.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001362.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP16\A0001362.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP17\A0002386.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP17\A0002386.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002396.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002396.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002490.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002490.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002493.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002493.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002495.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002495.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002500.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002500.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002504.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002504.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002508.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002508.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002514.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002514.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002516.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002516.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002526.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002526.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002530.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002530.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002536.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002536.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002542.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002542.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002544.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002544.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002550.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP18\A0002550.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002552.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002552.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002608.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002608.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002610.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002610.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002616.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002616.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002630.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002630.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002631.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002631.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002643.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP19\A0002643.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002655.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002655.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002661.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002661.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002667.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002667.dll could not be deleted!
Attempting to delete: C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002673.dll
C:\System Volume Information\_restore{E95DB39A-3CDD-425B-8069-F192BE8B90C2}\RP20\A0002673.dll could not be deleted!
Attempting to delete: C:\WINDOWS\system32\lvl0093me.dll
C:\WINDOWS\system32\lvl0093me.dll could not be deleted!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\OptimalLayout
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B80F1A5B-39C9-4F06-B70C-95620138BF61}"
HKCR\Clsid\{B80F1A5B-39C9-4F06-B70C-95620138BF61}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0F157676-7929-42AE-BCB4-16409DA6C2D2}"
HKCR\Clsid\{0F157676-7929-42AE-BCB4-16409DA6C2D2}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B9E1D6A9-21F6-46EC-AAA8-22E1E31BF1B7}"
HKCR\Clsid\{B9E1D6A9-21F6-46EC-AAA8-22E1E31BF1B7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8A905A2F-81B7-47BB-BB66-501FBC0B2BA7}"
HKCR\Clsid\{8A905A2F-81B7-47BB-BB66-501FBC0B2BA7}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DB3CE57E-F555-4C30-AAC5-A6020299372F}"
HKCR\Clsid\{DB3CE57E-F555-4C30-AAC5-A6020299372F}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1BEF49DB-71D3-4859-8DB5-B87118153E6E}"
HKCR\Clsid\{1BEF49DB-71D3-4859-8DB5-B87118153E6E}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CC865683-E505-4847-BE58-08DE97D085FC}"
HKCR\Clsid\{CC865683-E505-4847-BE58-08DE97D085FC}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
The HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:38:32, on 5-4-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\windows\mousepad7.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Gebruiker\Bureaublad\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
Last edited by Grav; 05-04-2006 at 09:08 AM.
-
Hi,
Create a folder such as C:\HJT or C:\Program Files\HJT and move HJT.exe into the newly created folder so we can have available backups in case you fix the wrong thing or I make a mistake. Very important.
A lot of those files that were not deleted are under system restore and we will get rid of those as a last step only.
Please download, install, and update the NEW free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main ewido screen, click on update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful")
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Post the log Ewido makes back here please.
Last edited by Neal; 05-04-2006 at 09:26 PM.
-
I got this message after the scan. I don't know if that's correct, but just to be sure I didn't remove it.

---------------------------------------------------------
ewido anti-malware - Scan rapport
---------------------------------------------------------
+ Gemaakt op: 19:12:23, 6-4-2006
+ Rapport samenvatting: 776BA7BD
+ Scan resultaten:
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@2o7[2].txt -> TrackingCookie.2o7 : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@fastclick[2].txt -> TrackingCookie.Fastclick : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@media.top-banners[1].txt -> TrackingCookie.Top-banners : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@paypopup[1].txt -> TrackingCookie.Paypopup : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Cookies\gebruiker@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@2o7[1].txt -> TrackingCookie.2o7 : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@banners.searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@com[1].txt -> TrackingCookie.Com : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@doubleclick[1].txt -> TrackingCookie.Doubleclick : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@media.top-banners[1].txt -> TrackingCookie.Top-banners : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@overture[1].txt -> TrackingCookie.Overture : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@www.epilot[1].txt -> TrackingCookie.Epilot : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Cookies\gebruiker@zedo[2].txt -> TrackingCookie.Zedo : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\temp.fr16D9 -> Adware.Look2Me : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\temp.fr7C16 -> Adware.Look2Me : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\temp.fr9C92 -> Adware.Look2Me : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\temp.frBAAD -> Adware.Look2Me : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temp\Temporary Internet Files\Content.IE5\23MHIV8F\ErrorSafeScannerInstallNL[1].cab/UERSM_0001_N68M1602NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.d : Fout gedurende het schoonmake
C:\Documents and Settings\Gebruiker\Local Settings\Temporary Internet Files\Content.IE5\GX6T416L\adv470[1].htm -> Not-A-Virus.Exploit.HTML.Mht : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temporary Internet Files\Content.IE5\GX6T416L\install[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temporary Internet Files\Content.IE5\MZMJMDQ5\xpl[1].wmf -> Exploit.MS05-053-WMF : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temporary Internet Files\Content.IE5\STS3U1KH\AppWrap[1].exe -> Adware.AdURL : Schoongemaakt met een backup
C:\Documents and Settings\Gebruiker\Local Settings\Temporary Internet Files\Content.IE5\STS3U1KH\AppWrap[2].exe -> Adware.AdURL : Schoongemaakt met een backup
C:\WINDOWS\system32\ktr2l79o1.dll -> Adware.Look2Me : Schoongemaakt met een backup
C:\WINDOWS\system32\m2820cloefqc0.dll -> Adware.Look2Me : Schoongemaakt met een backup
C:\WINDOWS\system32\mwxml.dll -> Adware.Look2Me : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@advertising[1].txt -> TrackingCookie.Advertising : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@doubleclick[1].txt -> TrackingCookie.Doubleclick : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@paypopup[2].txt -> TrackingCookie.Paypopup : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@serving-sys[2].txt -> TrackingCookie.Serving-sys : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@statcounter[1].txt -> TrackingCookie.Statcounter : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Schoongemaakt met een backup
C:\WINDOWS\Temp\Cookies\gebruiker@zedo[1].txt -> TrackingCookie.Zedo : Schoongemaakt met een backup
::Einde rapport
I've got Dutch settings, but given the nature of the report that shouldn't be much of a problem. If for some reason it is, I'm happy to translate the few Dutch words that are in it though.
Schoongemaakt met een backup = cleaned with a backup
-
Thank you for the translation, I kind of figured that is what that meant. Everything Ewido found can be removed.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All except cookies
Click the Empty Selected button.
=============================================
If you use Firefox Browser
Click Firefox at the top and choose: Select All except cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
=============================================
If you use Opera browser
Click Opera at the top and choose: Select All except cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
=============================================
Reboot and give me a new hijackthis log please, more to do. Thanks
-
Logfile of HijackThis v1.99.1
Scan saved at 20:31:38, on 6-4-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-
OK here we go,
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Run HijackThis, click on the Scan button and put checks next to these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard7.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad7.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname7.exe
Make sure nothing is open but hijackthis and click on fix checked.
Now reboot into Safe Mode by tapping your F8 key upon restart; when the Safe Mode screen appears, select Safe Mode and press Enter.
Hunt for and delete if present:
C:\windows\keyboard7.exe < file
C:\windows\mousepad7.exe < file
C:\windows\newname7.exe < file
Empty recycle bin and reboot normal mode and tell me how your computer is running now and post a new hijackthis log please. Thanks.
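As an added illustration that is not part of this thread, here is a small Python parser (written for this page, not a HijackThis feature) that applies the same triage the helper did by hand to constructed log lines in the HijackThis 1.99.1 format: R0/R1 entries whose search page points at an unexpected host, O4 Run entries that launch an executable sitting directly in the Windows directory, and O23 services whose binary is missing. The allowlist of default search hosts is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.99.1 format (entries modelled on the ones in this thread).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar,LinksFolderName =
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\Run: [keyboard] C:\\windows\\keyboard7.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe (file missing)
"""

# Assumed allowlist: hosts a stock IE 6 search/start page may legitimately point at.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "go.microsoft.com"}

R_RE = re.compile(r"^(R[01]) - (.+?) =\s*(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
# An .exe placed directly in C:\windows\ (no subdirectory), like keyboard7.exe in this thread.
WINDIR_EXE_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def triage(log_text):
    """Return (section, name, reason) for each HijackThis line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = R_RE.match(line)
        if m:
            section, key, value = m.groups()
            host = urlparse(value.strip()).hostname  # None for an empty value
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append((section, key, f"search/start page redirected to {host}"))
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            tokens = command.split()
            exe = tokens[0].strip('"') if tokens else ""  # first token is the launched binary
            if WINDIR_EXE_RE.match(exe):
                findings.append(("O4", name, f"{hive} Run entry launches {exe} from the Windows root"))
            continue
        if line.startswith("O23 - ") and line.endswith("(file missing)"):
            name = line.split(" - ")[1].replace("Service: ", "", 1)
            findings.append(("O23", name, "service binary missing; orphaned service entry"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:<5}{name:<40}{reason}")
```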
-
Well, my computer seems to be running fine, no abnormalities so far. CPU usage is down to a steady 0%. The bar in file exchange (in the Ctrl-Alt-Del menu thingy), however, is at a constant around 300 MB. I don't know if that's normal.
Here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 21:58:11, on 6-4-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\HijackThis.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Norton] C:\Program Files\ASUS\WLAN Card Utilities\NorExec.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\Program Files\MATLAB704\webserver\bin\win32\matlabserver.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-
Let's do this just in case we did not get all of the Alcan worm.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "BFU"
Please download Brute Force Uninstaller.
Unzip it to its own folder (c:\BFU)
Next, RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).
Do not run the Uninstaller and the Remover yet.
Please reboot into Safemode:
Turn on the computer.
Immediately begin tapping the F8 key (or F5 on some computers)
Use the arrow keys to highlight Safe Mode and press the Enter key.
*Click on Ewido>Scanner
Then select "Settings"
Under the bottom section "What to Scan?" make sure "Scan every file" is checked.
Select "OK" and you will return to scanning options.
*Click on Complete System Scan and the scan will begin.
When the scan finishes, click on "Save Report". This will create a text file.
** Make sure you know where to find this file again. The best place to save it would probably be your Desktop.
Now close Ewido Anti Malware.
Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe.
In the "Scriptline to execute" field, copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.
Also, I notice you probably have something in msconfig turned off; was it something not malware related?
How is she behaving now?