Another Sweepstakes.com Question [RESOLVED]



Hi,

I've never done this before so I hope I'm in the right place. I'm yet another person trying to remove sweepstakes.com with no luck so far. I have run HijackThis and the log file is below. Can anyone help??? I'm desperate!

Logfile of HijackThis v1.99.1

Scan saved at 12:39:56 PM, on 18/02/2006

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\NavNT\vptray.exe

C:\winnt\system32\xau.exe

C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE

C:\program files\common files\system\ms1src.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\winnt\system32\owsyphaq.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT

F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe

O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe

O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe

O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install

O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/

O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab

O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks....


Hi,

Please download the Blaster.C removal tool from here, and save it to your desktop.

Close all windows and run "FixBlast.exe".

Click the "Start" button and let the tool run.

Reboot, and run the tool again.

Download Brute Force Uninstaller.

Unzip it to its own folder (e.g. c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (e.g. c:\BFU)

Copy the text below into notepad and save it to the desktop as findEGDA.vbs

Make sure "Save as Type" says "All files (*.*)"

Dim Wshshell, fso, ts, R, ArrR, i, F
Const ForReading = 1

Set Wshshell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FilesystemObject")

' Export the HKLM Run key to runnow.txt; the third argument makes Run wait until
' regedit has finished writing the file before we try to read it
Wshshell.Run "regedit /a /e runnow.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", 0, True
Do Until fso.FileExists("runnow.txt")
    Wscript.Sleep 100
Loop

' Read the whole export into R (guard against an empty file)
R = ""
Set ts = fso.OpenTextFile("runnow.txt", ForReading)
If Not ts.AtEndOfStream Then R = ts.ReadAll
ts.Close

' Undo the .reg escaping so each value reads as a plain command line
R = Replace(R, "\\", "\")
R = Replace(R, Chr(34), "")
ArrR = Split(R, vbCrLf)

' Every Run value whose command ends in "-start" is rerun with "-uninstall";
' the command is shown in a message box first, then executed
For i = 0 To UBound(ArrR)
    F = LCase(Right(ArrR(i), 6))
    If F = "-start" Then
        ArrR(i) = Replace(ArrR(i), "-start", "-uninstall")
        ArrR(i) = Mid(ArrR(i), InStr(ArrR(i), "=") + 1)
        MsgBox ArrR(i)
        Wshshell.Run ArrR(i)
    End If
Next

Set ts = Nothing
Set fso = Nothing
Set Wshshell = Nothing

Go to the desktop and double-click the file to run it. If you have a resident script blocker it may warn you about or stop the vbs script. Please allow it, it is harmless.

You will get a prompt looking like this

c:\windows\system32\random.exe -uninstall

Click OK to execute that command.

You will be prompted if you are sure you want to uninstall. Confirm.

After a little while you will get a prompt the application was removed.

Start the Brute Force Uninstaller by double-clicking BFU.exe

In the scriptline to execute, copy and paste c:\bfu\EGDACCESS.bfu

Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.

Press exit to terminate the BFU program.

Reboot and post a new HijackThis log.

Danny

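As an added example (not code from the thread, and not the findEGDA.vbs above), this Python script applies the same selection rule as the VBScript to a constructed regedit export of the Run key: it finds values whose command ends in "-start" and derives the "-uninstall" command, but it only reports them rather than running them. It also handles the two encodings regedit can write (UTF-16 for the "Windows Registry Editor Version 5.00" format shown in the thread, ANSI for REGEDIT4) and keeps the quotes around paths with spaces, which the VBScript strips. The "EGDAccess" entry and random.exe path are hypothetical, following the sample prompt in Danny's post.

```python
import re

# Constructed sample: a Run-key export in the "Version 5.00" format shown in
# the thread's runnow.txt, plus one hypothetical entry ending in "-start" so
# there is something for the selection logic to find.
SAMPLE_LINES = [
    r'Windows Registry Editor Version 5.00',
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]',
    r'"Synchronization Manager"="mobsync.exe /logon"',
    r'"xau"="c:\\winnt\\system32\\xau.exe /nocomm"',
    r'"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"',
    r'"EGDAccess"="c:\\winnt\\system32\\random.exe -start"',  # hypothetical entry
    r'',
    r'[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]',
    r'"Installed"="1"',
    r'',
]


def sample_export_bytes(unicode_export: bool) -> bytes:
    """Bytes as regedit writes them: UTF-16LE with a BOM for the 'Version 5.00'
    format, or ANSI with a REGEDIT4 header (the 'regedit /a' format)."""
    text = '\r\n'.join(SAMPLE_LINES)
    if unicode_export:
        return b'\xff\xfe' + text.encode('utf-16-le')
    return text.replace('Windows Registry Editor Version 5.00', 'REGEDIT4').encode('cp1252')


def decode_reg_export(raw: bytes) -> str:
    """Sniff the BOM before decoding. If a UTF-16 export is read as ANSI, a NUL
    sits between every character, no line matches and nothing is found; that
    is a silent failure mode, which is why the encoding is checked here."""
    if raw.startswith(b'\xff\xfe'):
        return raw[2:].decode('utf-16-le')
    return raw.decode('cp1252', errors='replace')


# "name"="value" lines; backslash and double quote are escaped with a backslash
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """Undo .reg string escaping (\\ -> \ and \" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(text: str) -> dict:
    """Return {value name: command line} for the string values directly under
    the Run key, ignoring the OptionalComponents subkeys the export also has."""
    values, in_run_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            in_run_key = line[1:-1].lower().endswith('\\currentversion\\run')
            continue
        m = VALUE_RE.match(line)
        if in_run_key and m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values


def uninstall_commands(values: dict) -> list:
    """Same rule as findEGDA.vbs: a command ending in '-start' is rerun with
    '-uninstall'. Quotes around paths with spaces are kept intact."""
    found = []
    for name, cmd in values.items():
        if cmd.lower().endswith('-start'):
            found.append((name, cmd[:-len('-start')] + '-uninstall'))
    return found


if __name__ == '__main__':
    export = decode_reg_export(sample_export_bytes(unicode_export=True))
    for name, cmd in uninstall_commands(parse_run_values(export)):
        print(f'{name}: {cmd}')  # reported only, never executed here
```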

Hi Danny,

Thanks for your quick reply. I followed your instructions but when I ran the vbs script it didn't give me the prompts you talked about. All I could see it do was create a file on the desktop called runnow.txt which I have pasted below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Synchronization Manager"="mobsync.exe /logon"

"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

"nwiz"="nwiz.exe /install"

"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"

"vptray"="C:\\Program Files\\NavNT\\vptray.exe"

"xau"="c:\\winnt\\system32\\xau.exe /nocomm"

"DSLAGENTEXE"="C:\\Program Files\\AAPT\\Adsl\\dslagent.exe"

"Cddrv32"="c:\\winnt\\system32\\cddrv32.exe"

"BO1HelperStartUp"="C:\\PROGRA~1\\BUTTER~1\\BO1HEL~1.EXE /partner BO1"

"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"AQ3HelperStartUp"="C:\\PROGRA~1\\AQUATI~1\\AQ3HEL~1.EXE /partner AQ3"

"ms1src"="c:\\program files\\common files\\system\\ms1src.exe /install"

"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

"OWSYPHAQ"="c:\\winnt\\system32\\owsyphaq.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"

Anyhoo, I pressed on with your instructions and got the following HijackThis log.

Logfile of HijackThis v1.99.1

Scan saved at 06:58:43 PM, on 21/02/2006

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\NavNT\vptray.exe

C:\winnt\system32\xau.exe

C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\program files\common files\system\ms1src.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT

F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe

O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe

O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe

O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install

O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/

O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab

O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

What now? Thanks again for your help - I really appreciate it.


Hi,

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select "Delete on Reboot", then click on the "All Files" button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

    c:\winnt\system32\xau.exe
    c:\winnt\system32\cddrv32.exe
    c:\program files\common files\system\ms1src.exe
    c:\winnt\system32\owsyphaq.exe

  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.

If your computer does not restart automatically, please restart it manually.

Please run HijackThis and click "Scan." Place checks next to the following entries (If Present):

F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe

O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)

O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)

O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm

O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install

O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe

O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab

O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab

Close all windows and browsers except HijackThis, and click the "Fix Checked" button. Close HijackThis.

Please go HERE to run Panda's ActiveScan

  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Reboot and post a new HijackThis log as well as the ActiveScan Report.

Danny :thumbsup:


Hi Danny,

Here are the log files you requested. Thanks again for all your help.

Cheers,

Matt

Logfile of HijackThis v1.99.1

Scan saved at 07:40:46 PM, on 01/03/2006

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\program files\common files\system\ms1src.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe

O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Incident Status Location

Adware:Adware/Gator Not disinfected C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE

Adware:Adware/Gator Not disinfected C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE

Spyware:Spyware/Dluca Not disinfected C:\program files\common files\system\ms1src.exe

Adware:Adware/Gator Not disinfected C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE

Adware:Adware/Gator Not disinfected C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE

Adware:adware/navipromo Not disinfected C:\WINNT\SYSTEM32\Mservice.dll

Adware:adware/dluxde Not disinfected C:\PROGRAM FILES\linksw

Potentially unwanted tool:application/regclean32 Not disinfected C:\PROGRAM FILES\Registry Cleaner Trial

Adware:adware/gator Not disinfected C:\PROGRAM FILES\COMMON FILES\GMT

Spyware:spyware/dluca Not disinfected Windows Registry

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}

Dialer:dialer.b Not disinfected HKEY_CLASSES_ROOT\Interface\{F8ACA5A0-060A-478A-8368-1407780D2251}

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@apmebf[1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@atdmt[2].txt

Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@qksrv[2].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@statcounter[1].txt

Spyware:Spyware/Dluca Not disinfected C:\!KillBox\ms1src.exe

Possible Virus. Not disinfected C:\!KillBox\xau.exe

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@apmebf[1].txt

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@atdmt[2].txt

Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@qksrv[2].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\scottg@statcounter[1].txt

Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\scottg@belnk[2].txt

Dialer:Dialer.Gen Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\dia6.exe

Dialer:Dialer.CE Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\netslv32.inf

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_124.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_208.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_21C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_26C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_384.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_398.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3B0.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3C8.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3D4.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3EC.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3F0.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3F8.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_418.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_424.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_444.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_45C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_464.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_470.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_478.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_484.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_488.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_504.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_50C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_510.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_514.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_518.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_51C.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_528.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_52C.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_534.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_538.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_53C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_540.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_544.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_548.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_54C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_550.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_554.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_558.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_55C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_560.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_564.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_568.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_56C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_570.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_574.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_578.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_57C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_580.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_584.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_588.tmp

Adware:Adware/SafeSearch Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_58C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_590.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_594.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_598.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_59C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5A4.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5A8.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5AC.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B0.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B4.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B8.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5BC.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5C0.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5C8.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5CC.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5D4.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5D8.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5E8.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_608.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_60C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\lf_62C.tmp

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ss596.exe

Spyware:Spyware/Dluca Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\wnk8cf.exe

Possible Virus. Not disinfected C:\Documents and Settings\Administrator\My Documents\Merrijig\blondes_au.exe

Adware:Adware/SLAgent Not disinfected C:\HJT\backups\backup-20060301-182840-992.dll

Potentially unwanted tool:Application/FunWeb Not disinfected C:\HJT\backups\backup-20060301-182841-421.inf

Adware:Adware/Gator Not disinfected C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Butterfly Oasis Screensaver\BO1Helper.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\CMEIIAPI.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GAppMgr.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GController.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GDwldEng.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GIocl.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GIoclClient.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GMTProxy.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GObjs.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GStore.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GStoreServer.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\Gtools.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\dlaerhjl\drtanjneaj\tanpcalhl.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\dlaerhjl\fjlalbaa\lcnbcbed.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\EGGCEngine.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\egIEEngine.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\EGIEProcess.dll

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\GatorStubSetup.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\GMT.exe

Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\gtrawbm.fil

Spyware:Spyware/Dluca Not disinfected C:\Program Files\Common Files\System\ms1src.exe

Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll

Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\wclmaeyq.exe

Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\xkaruswm.exe

Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\xnsdbgke.exe

Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\ycjeqxlk.exe

Spyware:Spyware/Dluca Not disinfected C:\WINNT\system32\ydfyeoui.exe

Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\yrgwzhrl.exe

Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\zvfcerla.exe


Hi Ineedsanswers, I will be taking over for Danny as he will be out for a few days. Sorry for the delay.

Since it has been a while since your last post, let's run a few things.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-malware it is a free version of the program.

  1. Install ewido anti-malware.
  2. When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  3. Launch ewido; there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed (the status bar at the bottom will display "Update successful").

If you are having problems with the updater, you can use this link to manually update ewido.

ewido manual updates

Once the updates are installed do the following:

  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido anti-malware.

Now, please reply back with the Ewido Report, and a new HJT log.

Matt


Hi Matt,

Thanks for taking over from Danny, I really appreciate it. What you got me to do seemed to solve the problem - for now anyway, but I'll post the logs in case there is anything else you think I should do. Things like this sometimes seem to re-appear.

---------------------------------------------------------

ewido anti-malware - Scan report

---------------------------------------------------------

+ Created on: 06:59:16 PM, 16/03/2006

+ Report-Checksum: 4823F11

+ Scan result:

HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring -> Adware.NaviPromo : Cleaned with backup

HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring\CLSID -> Adware.NaviPromo : Cleaned with backup

HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring.1 -> Adware.NaviPromo : Cleaned with backup

HKU\S-1-5-21-484763869-299502267-839522115-500\Software\PrimeSoft -> Adware.SafeSearch : Cleaned with backup

HKU\S-1-5-21-484763869-299502267-839522115-500\Software\PrimeSoft\qsearch -> Adware.SafeSearch : Cleaned with backup

[1284] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE -> Adware.Gator : Cleaned with backup

[1360] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE -> Adware.Gator : Cleaned with backup

C:\!KillBox\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup

C:\HJT\backups\backup-20060301-182840-992.dll -> Downloader.Wintrim.ax : Cleaned with backup

C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Butterfly Oasis Screensaver\BO1Helper.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Butterfly Oasis Screensaver\ButterflyOasis.exe -> Adware.GAINNetwork : Cleaned with backup

C:\Program Files\Common Files\CMEII\CMEIIAPI.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\CMEII\GAppMgr.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\CMEII\GController.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\CMEII\GDwldEng.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\CMEII\GIoclClient.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\CMEII\GMTProxy.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\CMEII\GObjs.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\dlaerhjl\drtanjneaj\tanpcalhl.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\dlaerhjl\fjlalbaa\lcnbcbed.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\GMT\EGIEProcess.dll -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\GMT\GatorStubSetup.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\GMT\gtrawbm.fil -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\GMT\GUninstaller.exe -> Adware.Gator : Cleaned with backup

C:\Program Files\Common Files\System\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup

C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup

C:\WINNT\system32\ydfyeoui.exe -> Downloader.Dluca : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1

Scan saved at 07:06:33 PM, on 16/03/2006

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\MsgSys.EXE

C:\WINNT\Explorer.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe

O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


Welcome back! You're almost clean, just a few things left to do. :)

Scan with HJT and place a check next to the following items:

O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3

O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Boot into Safe Mode:

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in safe mode, find and delete the following folder:

C:\PROGRA~1\AQUATI~1\

Now, find and delete the following file:

c:\program files\common files\system\ms1src.exe

Reboot your computer normally, rescan with HJT, and post a new log. :thumbsup:

2 weeks later...
Reopened per User Request

Hi Matt,

Thanks for re-opening this topic. There has been no recurrence of the problem but I've followed your instructions (somewhat belatedly) as requested. However I was unable to remove the file c:\program files\common files\system\ms1src.exe as it didn't seem to exist. I did the rest of the stuff though, no probs. Here is the latest HJT log:

Logfile of HijackThis v1.99.1

Scan saved at 07:49:55 PM, on 04/04/2006

Platform: Windows 2000 SP3 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\NavNT\defwatch.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\MsgSys.EXE

C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

C:\Program Files\NavNT\vptray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe

O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/

O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll

O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe

O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

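What the helper did between the two HijackThis logs above was, in effect, a diff of the O4 autostart (Run key) entries: the two entries he asked to be fixed should be gone from the second log, and anything new should stand out. The following Python script is an added example and is not part of the thread, of HijackThis or of ewido. It parses the O4 lines from constructed excerpts of the two logs quoted above (O4 lines only, other sections omitted), reports which Run entries disappeared or appeared, and flags remaining entries that match two heuristics that are assumptions of this example rather than anything the helpers stated: an 8.3 short path (the `~1` form that hides the real folder name) and an executable parked under Common Files\System, which is where ms1src.exe lived in this thread.

```python
import re
from typing import Dict, List

# Constructed excerpts of the two HijackThis logs quoted in this thread.
# Only the O4 (Run key) lines are kept; everything else is omitted.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"""

HJT_AFTER = r"""
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
"""

# HijackThis v1.99 O4 Run-key line: "O4 - HKLM\..\Run: [value name] command line"
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_o4(log: str) -> Dict[str, str]:
    """Map each Run-key value name to its command line; non-O4 lines are ignored."""
    entries: Dict[str, str] = {}
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            entries[m["name"]] = m["cmd"]
    return entries


def suspicious_reasons(cmd: str) -> List[str]:
    """Heuristics assumed by this example (not stated in the thread) for
    autostart entries that deserve a second look."""
    reasons: List[str] = []
    if "~" in cmd:
        reasons.append("8.3 short path hides the real folder name")
    if re.search(r"\\common files\\system\\", cmd, re.IGNORECASE):
        reasons.append("executable parked under Common Files\\System")
    return reasons


def audit(before_log: str, after_log: str) -> Dict[str, object]:
    """Diff the Run entries of two logs and flag what is still present."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    removed = sorted(set(before) - set(after))
    added = sorted(set(after) - set(before))
    still_flagged = {
        name: suspicious_reasons(cmd)
        for name, cmd in after.items()
        if suspicious_reasons(cmd)
    }
    return {"removed": removed, "added": added, "still_flagged": still_flagged}


if __name__ == "__main__":
    result = audit(HJT_BEFORE, HJT_AFTER)
    print("Removed since last log:", result["removed"])
    print("New since last log:    ", result["added"])
    for name, reasons in result["still_flagged"].items():
        print(f"Still present, worth a look: [{name}] -> {'; '.join(reasons)}")
```

On these excerpts the script reports AQ3HelperStartUp and ms1src as removed, nothing as new, and bO1HelperStartUp as still present on the short-path heuristic; the Panda report earlier in the thread listed BO1Helper.exe as Adware/Gator and ewido cleaned the file, so a surviving Run entry for it is exactly the kind of leftover the diff is meant to surface.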

Congrats! Your log is clean! :thumbsup:

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Firefox - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera is good as well.
  2. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  3. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  4. SpywareBlaster - Great prevention tool to keep malware from installing on your system.
  5. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  6. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  7. ATF Cleaner - Cleans temporary files from web browsers, and much more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  8. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  9. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this guide on safer computing.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
