help please...thanks
-
Hey y'all, I'm trying to help fix my friend's PC; it's been acting up on the internet and I was trying to clean it up for him. It's currently not hooked up to the internet, but I've run Ad-Aware and Spybot S&D. Here's the HijackThis log, thanks:
Logfile of HijackThis v1.99.1
Scan saved at 12:47:38 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Messenger\msmsgs.exe
E:\WINDOWS\DvzCommon\DvzMsgr.exe
E:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Palm\HOTSYNC.EXE
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abstract-entertainment.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 3510794929 auto.search.msn.com
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://E:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me.../bridge-c5.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr/...rr-toolbar.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.aim.com/ygp/aol/pl...IM.9.5.1.8.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://tb.searchitquick.com/v30/siq.cab
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - E:\WINDOWS\atlwc32.exe (file missing)
-
Hi,
Download and install both programs and run both of them in safe mode, as explained below. Thanks.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.
Please download, install, and update the NEW free version of Ewido trojan scanner:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Post the log Ewido makes back here please and a new hijackthis log. Thanks.
Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply along with a fresh HJT log.
-
OK, I have downloaded both programs and installed them, but I am not able to update the Ewido trojan scanner; it just says "connecting to update" and stays at 0%.
As for the Webroot SpySweeper, it will not let me open the application; it keeps saying an error occurred in the application.
thanks
-
Hi,
Go to start >run and type: services.msc and click OK
Scroll down in that list and look if the following services are present:
Network Security Service (NSS)
Remote Procedure Call (RPC) Helper
Workstation NetLogon Service---this one is there for sure
Please make sure it is written exactly the same as above, because there are also legit services that look very much the same as the ones above, so please choose the right one!! For example, there's also a legit service called Remote Procedure Call (RPC), without the word Helper in it. That is a good one, so please don't select that one.
Double-click on the service(s). In the window that will appear, click on "Stop" (if not greyed out) and change the Startup Type to Disabled.
Click Apply and OK and close all open windows.
Do that for each one of them if present.
Then..
Run HijackThis -> config -> misc tools -> delete an NT service
In the box, type or copy/paste : Workstation NetLogon Service
then ok.
Do the same for the others if there.
Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.
Run HijackThis, click on the Scan button and put checks next to these:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 3510794929 auto.search.msn.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...e/bridge-c5.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://reciperewards.aavalue.com/rr.../rr-toolbar.cab
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://tb.searchitquick.com/v30/siq.cab
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - E:\WINDOWS\atlwc32.exe (file missing)
Make sure nothing is open but hijackthis and click on fix checked.
Still in safe mode.
Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):
DELETE FILES:
E:\WINDOWS\atlwc32.exe
Reboot into normal mode and try the scans again; run Ewido without updating if needed.
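The entries the helper singles out above (the about:blank search bar, the obfuscated start page, the decimal-address hosts entry, the unnamed O16 downloads, and the service with a garbled name and missing binary) are the ones a log triage script can pick out mechanically. The following Python script is an added example, not code from this thread, from HijackThis, or from any product named here; the sample lines are constructed from the shape of the first log in the thread, and the regular expressions are an assumption about the v1.99 line formats shown here rather than an official grammar. One thing it shows that the thread does not is the decoding of the hosts entry's bare decimal address (a form the C inet_addr() parser accepts) back into dotted-quad notation so the reader can see where the name was actually pointed.

```python
"""Triage helper for HijackThis v1.99 log lines (added example; not code
from the thread, from HijackThis or from any product named in it).

Parses the R0/R1, O1, O16 and O23 line shapes seen in the logs and flags
the patterns the helper in the thread acted on by hand."""
import re
import string

# Constructed sample built from the shape of the thread's first log, plus
# one clean O16 and one clean O23 entry so the benign path is exercised.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 3510794929 auto.search.msn.com
O16 - DPF: {DAB941D8-BC94-4819-AB4D-5598C65FA3FE} - http://tb.searchitquick.com/v30/siq.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Workstation NetLogon Service (%AF夶À¨) - Unknown owner - E:\WINDOWS\atlwc32.exe (file missing)
"""

# Line shapes as they appear in the v1.99 logs above (assumed, not official).
R_RE = re.compile(r"^R[01] - (?P<key>[^=]+?) = (?P<value>.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$")


def decode_decimal_ip(token):
    """Return the dotted-quad form of a bare decimal IPv4 address, else None.

    inet_addr() accepts a single 32-bit integer as an address, which is why a
    hosts-file hijack can hide its target as 3510794929 instead of a.b.c.d."""
    if not token.isdigit() or int(token) > 0xFFFFFFFF:
        return None
    value = int(token)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def triage(log_text):
    """Return a list of (section, reason) findings for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # e.g. "R0", "O1", "O23"

        m = R_RE.match(line)
        if m:
            value = m.group("value")
            # about:blank search bars and "(obfuscated)" start pages were the
            # classic browser-hijack symptoms HijackThis marks in R0/R1 lines.
            if value == "about:blank" or value.endswith("(obfuscated)"):
                findings.append((section, f"browser setting {m.group('key')!r} hijacked: {value}"))
            continue

        m = O1_RE.match(line)
        if m:
            dotted = decode_decimal_ip(m.group("addr"))
            if dotted:
                findings.append((section, f"hosts file maps {m.group('host')} to {dotted} (written as {m.group('addr')})"))
            continue

        m = O16_RE.match(line)
        if m:
            # A DPF (ActiveX download) with no friendly name registered is
            # worth a look; the named uploaders in the log were left alone.
            if not m.group("name"):
                findings.append((section, f"unnamed ActiveX download {m.group('clsid')} from {m.group('url')}"))
            continue

        m = O23_RE.match(line)
        if m:
            reasons = []
            short = m.group("short") or ""
            if short and not all(c in string.printable for c in short):
                reasons.append("service short name contains non-printable bytes")
            if m.group("path").endswith("(file missing)"):
                reasons.append("service binary is missing on disk")
            if reasons:
                findings.append((section, f"{m.group('display')}: " + "; ".join(reasons)))
            continue
    return findings


if __name__ == "__main__":
    for section, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}")
```

Run against the constructed sample it reports five findings, one per suspicious line, and stays silent on the named MSN upload control and the Symantec service. The checks are deliberately narrow (literal about:blank, the "(obfuscated)" marker, a bare decimal host address, a missing name or binary): they reproduce the helper's reading of this log, and a real triage would still compare the remaining entries against a known-good list rather than treat silence as clean.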
-
OK, I did run service.msc and only found the Workstation NetLogon Service; it is now stopped and disabled, but when I run HijackThis and delete the NT service for Workstation NetLogon Service it says it's not found in the registry. Do you want me to continue on with the following steps with HijackThis?
Thanks,
Earl
-
Yes please continue. Thanks.
-
OK, Ewido scan completed and new HijackThis log; unable to update Ewido, and Spy Sweeper still will not run the application:
Logfile of HijackThis v1.99.1
Scan saved at 5:59:58 AM, on 6/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\DvzCommon\DvzMsgr.exe
E:\Program Files\Palm\HOTSYNC.EXE
E:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fluidgroove.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 3510794929 auto.search.msn.com
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://E:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.aim.com/ygp/aol/pl...IM.9.5.1.8.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O19 - User stylesheet: E:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:43:03 AM, 6/10/2006
+ Report-Checksum: 609B993B
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{00000001-C003-4A2F-9142-7CB1D78DE6C1} -> Adware.InternetOptimizer : Ignored
HKLM\SOFTWARE\Classes\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Ignored
HKLM\SOFTWARE\Classes\CLSID\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} -> Adware.Generic : Ignored
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@2o7[1].txt -> TrackingCookie.2o7 : Ignored
HKLM\SOFTWARE\Classes\CLSID\{0DD6DF67-E153-DF83-F668-96227EBA767C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3D782BB3-F2A5-11D3-BF4C-000000000000} -> Adware.ActivShopper : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7B30E423-F515-4FA4-3E7D-E7674D2337E3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C3D1ED9E-9B11-B261-24E2-872B4D9DCD06} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1993962763-73586283-839522115-1003\Software\_siq -> Adware.Begin2Search : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@webstat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@www.web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\ed.exe -> Dropper.Agent.mm : Cleaned with backup
C:\Program Files\Cxtpls\Cxtpls.dll -> Adware.Apropos : Cleaned with backup
C:\Program Files\Cxtpls\uninstaller.exe -> Adware.Apropos : Cleaned with backup
C:\Program Files\Cxtpls\WinGenerics.dll -> Adware.Apropos : Cleaned with backup
C:\q.exe -> Downloader.Apher : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\mp3.ocx -> Downloader.Agent.ex : Cleaned with backup
C:\WINDOWS\SSK_B5.EXE -> Dropper.SurfSide.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\akcore.dll -> Adware.Coreak : Cleaned with backup
C:\WINDOWS\SYSTEM32\aklsp.dll -> Downloader.Agent.br : Cleaned with backup
C:\WINDOWS\SYSTEM32\akrules.dll -> Downloader.Agent.bt : Cleaned with backup
C:\WINDOWS\SYSTEM32\akupd.dll -> Downloader.Agent.br : Cleaned with backup
C:\WINDOWS\SYSTEM32\BO2801040128.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BO2809040510.exe -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\calsp.dll -> Downloader.Agent.br : Cleaned with backup
C:\WINDOWS\SYSTEM32\casync.dll -> Adware.Couponage : Cleaned with backup
C:\WINDOWS\SYSTEM32\Msbb321.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\siae3123.exe -> Dropper.Small.sc : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\Temp\auf0.exe -> Downloader.Apropo.al : Cleaned with backup
E:\Documents and Settings\E-Venus\Cookies\e-venus@abetterinternet[1].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
E:\Documents and Settings\E-Venus\Cookies\e-venus@cliks[1].txt -> TrackingCookie.Cliks : Cleaned with backup
E:\Documents and Settings\Eupie\Cookies\eupie@abetterinternet[2].txt -> TrackingCookie.Abetterinternet : Cleaned with backup
E:\Documents and Settings\Eupie\Cookies\eupie@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
E:\Documents and Settings\Eupie\Cookies\eupie@bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned with backup
E:\Documents and Settings\Eupie\Cookies\eupie@cliks[2].txt -> TrackingCookie.Cliks : Cleaned with backup
E:\Documents and Settings\Eupie\Cookies\eupie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
E:\Documents and Settings\Eupie\Local Settings\Temp\4.tmp -> Adware.WinShow : Cleaned with backup
E:\Documents and Settings\Eupie\Local Settings\Temp\4.tmp.exe -> Adware.WinShow : Cleaned with backup
E:\Documents and Settings\Owner\Cookies\owner@com[1].txt -> TrackingCookie.Com : Cleaned with backup
E:\Documents and Settings\Owner\Local Settings\Temp\582.tmp\thnall1z.exe -> Adware.BetterInternet : Cleaned with backup
E:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
E:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@marthastewart.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
E:\Documents and Settings\Owner\Local Settings\Temp\Cookies\owner@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
E:\Documents and Settings\Owner\Local Settings\Temp\pmt.exe -> Downloader.Small.bke : Cleaned with backup
E:\Program Files\TBONAS\TBONcomp.dll -> Adware.ActivShopper : Cleaned with backup
E:\Program Files\TBONAS\TBONlchr.dll -> Adware.ActivShopper : Cleaned with backup
E:\System Volume Information\_restore{44CBE810-B63E-4057-8931-E31E6CD4E890}\RP485\A0170108.EXE -> Adware.Bestofer : Cleaned with backup
E:\System Volume Information\_restore{44CBE810-B63E-4057-8931-E31E6CD4E890}\RP573\A0174918.dll -> Downloader.Agent.jb : Cleaned with backup
E:\System Volume Information\_restore{44CBE810-B63E-4057-8931-E31E6CD4E890}\RP573\A0174919.dll -> Downloader.Agent.jb : Cleaned with backup
E:\System Volume Information\_restore{44CBE810-B63E-4057-8931-E31E6CD4E890}\RP573\A0174920.exe:gmfvc -> Downloader.Agent.bq : Cleaned with backup
E:\System Volume Information\_restore{44CBE810-B63E-4057-8931-E31E6CD4E890}\RP573\A0174921.exe -> Downloader.Agent.bq : Cleaned with backup
E:\WINDOWS\dinst.exe -> Adware.BetterInternet : Cleaned with backup
E:\WINDOWS\Downloaded Program Files\mp3.ocx -> Downloader.Agent.ex : Cleaned with backup
E:\WINDOWS\svcproc.exe -> Adware.BetterInternet : Cleaned with backup
E:\WINDOWS\system32\siq.dll -> Adware.HotSearchBar : Cleaned with backup
E:\WINDOWS\tct101.dll -> Downloader.Dyfuca.eg : Cleaned with backup
E:\WINDOWS\thin-114-1-x-x.exe -> Adware.BetterInternet : Cleaned with backup
::Report End
-
Hi,
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
Also re-run Ewido after the above and post the log.
Then...
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
-
Logfile of HijackThis v1.99.1
Scan saved at 10:07:46 AM, on 6/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\Program Files\ewido anti-malware\ewidoctrl.exe
E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\DvzCommon\DvzMsgr.exe
E:\Program Files\Palm\HOTSYNC.EXE
E:\Documents and Settings\Owner\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fluidgroove.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm (obfuscated)
O1 - Hosts: 3510794929 auto.search.msn.com
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: DataViz Messenger.lnk = E:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://E:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://E:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by23fd.bay23.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/download...1/axofupld.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} - http://pictures04.aim.com/ygp/aol/pl...IM.9.5.1.8.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
O19 - User stylesheet: E:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: igfxcui - E:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - E:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
here's the other log.txt file:
Log of AproposFix v1.1
************
Running from directory:
E:\Documents and Settings\Owner\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
I'm running Ewido now; I'll post the log after it's completed. I will also paste the contents of the save list when completed. Thanks.
-

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 3:31:10 PM, 6/12/2006
+ Report-Checksum: 9FDE7E2B
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{00000001-C003-4A2F-9142-7CB1D78DE6C1} -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} -> Adware.Generic : Cleaned with backup
C:\Documents and Settings\Eupie Namocatcat\Cookies\eupie namocatcat@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{44CBE810-B63E-4057-8931-E31E6CD4E890}\RP574\A0174944.exe -> Downloader.Apropo.al : Cleaned with backup
::Report End
Save List:
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
AOL Instant Messenger
BroadJump Client Foundation
Canon S300
Conexant SmartHSFi V92 56K DF PCI Modem
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Documents To Go
Easy CD Creator 5 Basic
ewido anti-malware
Handmark® Magic Dogs(TM) for Palm OS
Handmark® PDA Money for Palm OS
HijackThis 1.99.1
Intel A/V Codecs V2.0
Intel(R) Extreme Graphics Driver
iPod Updater 2004-11-15
iTunes
J2SE Runtime Environment 5.0 Update 1
Kinoma Producer for Palm, Inc.
KODAK EASYSHARE Gallery Upload ActiveX Control
Learn2 Player (Uninstall Only)
LimeWire 4.9.30
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
MAGIX Pictures to CD & DVD
MAGIX playR jukebox
Microsoft Office XP Professional with FrontPage
Norton SystemWorks 2003
Norton WMI Update
Paint Shop Pro 7
Palm Desktop
Personal Money Tree
powerOne Personal v2.1.1 for Handhelds
QuickTime
RealOne Player
Recipe Rewards Toolbar
Remove about:blank Buddy 4.71
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SoundMAX
Spy Sweeper
Spybot - Search & Destroy 1.4
SureThing CD Labeler - First Edition
TContext
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Viewpoint Manager (Remove Only)
Viewpoint Media Player