Thread: Owned by Spyware!! Please Help?

  1. #1
    Join Date
    Sep 2006
    Posts
    19

    Owned by Spyware!! Please Help?

    Ok, I've been away on holiday and returned to find my brother has trashed my pc!

    Internet explorer keeps getting errors and closing.
    I can't run ad aware as it crashes! I've run spybot and got rid of a few items but know for definite that this log looks unbelievably wrong!

    Can anyone tell me which entries to fix? Thanks guys!

    Logfile of HijackThis v1.99.1
    Scan saved at 13:17:21, on 09/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\WINNT\system32\internat.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINNT\system32\msiexec.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\Documents and Settings\Toni\Local Settings\Temp\wzbfd6\HijackThis.exe
    C:\Program Files\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.phenology.org.uk/download/CfxIEAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153904857656
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37350.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

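Added example (not part of the thread, and not a HijackThis feature): the checks a helper applies by eye to a log like the one above, written out as rules so they can be run over the whole log at once. It flags a process launched from a temp directory, an O3 toolbar with "(no file)", an O23 service whose binary is missing or has no owner, an O16 ActiveX download from a host outside a trusted list, and an O17 NameServer that is not one the owner configured. The sample log is a constructed subset of the lines in this post; the trusted-host list and the `expected_resolvers` argument are assumptions to replace with your own values.

```python
"""Mechanical first pass over a HijackThis 1.99.1 log: the checks a helper
applies by eye, encoded as rules.  Added example, not part of the thread."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\csrss.exe
C:\Documents and Settings\Toni\Local Settings\Temp\wzbfd6\HijackThis.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Assumed allow-list of hosts that legitimately serve ActiveX .cab files
# (the vendors seen in this log); anything else is worth a second look.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "akamai.net", "zonelabs.com",
                        "msn.com", "pandasoftware.com", "yimg.com")

ENTRY_RE = re.compile(r"^([ROF]\d{1,2}) - (.*)$")
TEMP_DIR_RE = re.compile(r"\\(Local Settings\\)?Temp\\", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"(https?://\S+)$")


def _trusted_host(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def triage(log_text, expected_resolvers=()):
    """Return (rule, line) pairs for entries a helper would want explained.

    expected_resolvers: the DNS servers the owner actually configured (or
    got from the ISP); any O17 NameServer outside that set is flagged.
    """
    expected = {ip_address(ip) for ip in expected_resolvers}
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            # Executables launched from a temp directory are either a tool
            # run from inside an archive (as here) or a dropper.
            if TEMP_DIR_RE.search(line):
                findings.append(("process-from-temp", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O3" and body.endswith("(no file)"):
            findings.append(("toolbar-no-file", line))      # orphaned CLSID
        elif section == "O23":
            if "(file missing)" in body:
                findings.append(("service-binary-missing", line))
            elif "Unknown owner" in body:
                findings.append(("service-unknown-owner", line))
        elif section == "O17":
            # Changed resolver settings redirect every lookup the box makes.
            unexpected = [ip for ip in IPV4_RE.findall(body)
                          if ip_address(ip) not in expected]
            if unexpected:
                findings.append(("dns-resolver-unexpected", line))
        elif section == "O16":
            url = URL_RE.search(body)
            host = urlsplit(url.group(1)).hostname if url else None
            if host and not _trusted_host(host):
                findings.append(("dpf-untrusted-host", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG, expected_resolvers=["192.168.1.1"]):
        print(f"{rule:24s} {line}")
```

The rules are deliberately narrow: they surface the same entries the helper later asks to be fixed (the orphaned O3 toolbar, the spyspotter O16 download and the O17 NameServer) plus the missing Slave.exe service, and stay quiet on the vendor-signed services and Microsoft/Akamai downloads. An entry that is flagged still needs a human decision; an entry that is not flagged is not thereby clean.
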
  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    77
    Posts
    4,079
    Quote: "know for definite that this log looks unbelievably wrong!"
    Can you tell me WHERE this log looks unbelievably wrong?
    I see several items which should be cleaned but the log doesn't look unbelievably wrong...

    To begin with;
    Update your anti-virus program.

    Now, go to this link READ ME Before Posting A Request For Assistance!

    Follow ALL the instructions there...be sure to Enable Hidden Files and Folders and read how to boot to SAFE MODE because you will be required to do many of these steps in SAFE MODE.

    Download, install and update ALL of the programs that PP advises you to download, including Ewido and CCleaner. Update your AdAwareSE and Spybot. Make absolutely certain that you are running the latest versions of both of those programs. Do Not run any of those programs until you are in SAFE MODE.

    Also, read AND FOLLOW his instructions for the proper location of HiJackThis. You are running it from a temp folder. It MUST be located in, and run from, its own folder, not a temp folder.

    Follow all of PP's instructions in the link...including the running of the online scans, and THEN running the remaining programs in SAFE MODE.

    Once you have completed ALL of his steps given please reboot to NORMAL MODE and run your newly located HiJackThis and save the log. Post that new log here along with the log from the Ewido Scan.
    We will see where things stand after you have completed all of those steps.
    Judy

  3. #3
    Join Date
    Sep 2006
    Posts
    19
    Thanks for replying so promptly.

    OK, I've tried numerous times to reboot into safe mode but when windows starts up in safe mode the screen freezes and doesn't allow me to open anything. I had to restart with alt and f4 and try again with no luck.

    I followed your instructions and downloaded ewido which deleted everything found apart from downloader agent uj - Googling tells me ewido won't be able to remove this?

    Adaware still freezes and spybot found nothing.

    Re: my prediction about the log - I was referring to the slave.exe entry; I understand this is a remote access programme that shouldn't be there.

    Here is my ewido log:


    HKLM\SOFTWARE\Classes\Media-Codec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Classes\Media-Codec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{f7d40011-29bb-43eb-9c97-875ce89e9e36} -> Adware.Generic : Cleaned with backup (quarantined).
    [1004] VM_00D60000 -> Downloader.Agent.uj : Error during cleaning.
    [1040] VM_006B0000 -> Downloader.Agent.uj : Error during cleaning.
    [1052] VM_007D0000 -> Downloader.Agent.uj : Error during cleaning.
    [1068] VM_007D0000 -> Downloader.Agent.uj : Error during cleaning.
    [188] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning.
    [208] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning.
    [748] VM_00840000 -> Downloader.Agent.uj : Error during cleaning.
    [908] VM_00840000 -> Downloader.Agent.uj : Error during cleaning.
    [984] VM_00850000 -> Downloader.Agent.uj : Error during cleaning.
    [988] VM_00890000 -> Downloader.Agent.uj : Error during cleaning.
    C:\Program Files\eMedia Codec -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld12AC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld12E9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld13F3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld148A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld1733.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld17DF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld1B1F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld1B25.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2037.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld21CA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld226B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld239.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2480.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld24B1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld25CB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2620.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2785.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld27A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld27BA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld289D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld29CD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2B40.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2BCD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2C79.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld2E15.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3155.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld31DC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3465.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3485.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3540.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld360B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld396A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3A16.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3CF8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3D46.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3DC6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld3F1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld429C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4474.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld44FB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld46E8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4715.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4794.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4828.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld495C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4AC4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4BF4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4D7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4D96.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4DFB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4E14.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4EB0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld4FEE.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5144.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld532E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld565E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5786.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5813.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5842.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5A43.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5B91.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld5F6D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld608A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld62A0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld63A9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld64E3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld664D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld675.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld67CF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld690F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld695E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld698A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld6A40.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld6BA3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld6C01.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld6CEB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld6E0C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld6FCD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld70F6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld71C7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld723F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld74A9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld7507.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld7847.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld79CD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld7A79.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld7B5.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld7DA9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld7F2C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld81A4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld82F0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld84F1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld84F6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld850C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8739.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8816.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld889B.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8961.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8B37.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8B46.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8C67.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8DF9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8E2F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8E67.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8F13.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld8F9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld9020.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld9233.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld931E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld93B0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld96E0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld980E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld9837.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld9AAA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld9C04.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ld9FD0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA3DB.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA536.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA61.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA6CF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA775.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA812.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA9E0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldA9ED.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldAAA3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldABF6.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldAD10.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldAD5E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldAE6F.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB040.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB159.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB215.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB489.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB545.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB589.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldB8C9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldBD6E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldBE1C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldBE56.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldC207.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldC3C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldC612.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldC77D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldC8A8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldCBB9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldCCBA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldCCE9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldCE3D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldCEEA.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldCF85.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD296.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD381.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD4F8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD6D0.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD763.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD77C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD85C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldD98.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldDA1.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldDB0D.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldDFE3.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE043.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE167.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE1E9.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE43E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE5AD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldE82A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldEA41.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldEA62.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldEB5A.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldED93.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldEEE2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF093.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF0D2.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF1BC.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF4DD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF5A8.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF6C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF8F7.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF93C.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldF9A4.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldFD23.tmp -> Trojan.Small : Cleaned with backup (quarantined).
    C:\WINNT\system32\1024\ldFDC1.tmp -> Trojan.Small : Cleaned with backup (quarantined).


    ::Report end

    Here is my HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 17:39:17, on 09/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.phenology.org.uk/download/CfxIEAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153904857656
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37350.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  4. #4
    Join Date
    Sep 2006
    Posts
    19
    Ok, I've read this http://www.5starsupport.com/ipboard/...php?t2144.html and ran FixWareout, which tells me this

    Check for missing files
    .....
    C:\WINNT\system32\AUTOEXEC.NT not there
    .....
    End check for missing files
    .....
    please post this at the forum


    Which looks ominous?

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    77
    Posts
    4,079
    The location of the files that were removed by Ewido tells me you have NOT followed the instructions given in PP's thread because these files were tmp files. If you had run CCleaner before you began your other steps some of these at least should have been removed.

    First click start, search, for files or folders then type autoexec.nt. Then click on the search now key. If you pull up an autoexec.nt file, check to see where that file is located. If the file is located at C:\winnt\repair all you have to do is copy that autoexec.nt file into the C:\WINNT\SYSTEM32 files.

    Can I ask you to do something? If you want help from here, can you just stick with here? By jumping all over to other forums and trying various fixes, you can make things more complicated.
    The FixWareOut is fine but by running various items before checking in here, it just makes the clean up that much harder.

    You need to run HJT again and place checkmarks next to the following;
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

    O4 - HKCU\..\Run: [internat.exe] internat.exe

    O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20

    O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
    Once you have placed the checkmarks then click the FIX button.
    Exit HJT.

    Now please try again to boot to safe mode.
    Run Ewido again, have it fix what it finds and save the log.
    Reboot to Normal.
    TURN OFF Ewido.
    Run HJT again and save the log.
    Post back here with the new HJT log and the new Ewido log.
    Even if Ewido says it cannot fix something please just post that information back here. Don't take any other steps.
    There WILL be other steps to take but let's take them in order as needed, not randomly.
    Last edited by jholland1964; 09-07-2006 at 02:11 PM.
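An added example (not from the thread or any of its posters), in Python: a small triage pass over HijackThis lines of the kind quoted above, flagging the same kinds of entries jholland1964 picked out: an O17 NameServer pointing at resolvers the ISP never issued, an O23 service with an unknown owner or missing binary, an O3 toolbar with no backing file, a per-user O4 Run entry with no path, and an O16 ActiveX download from an unlisted host. The allow-lists TRUSTED_DNS and TRUSTED_DPF_HOSTS are hypothetical placeholders, and SAMPLE_LOG is constructed from the entry shapes in this thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99 line format: the entries jholland1964
# told the poster to fix, plus three benign lines for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spysp...CabInstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153904857656
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# Hypothetical allow-lists (assumptions, not from the thread): the resolvers the
# ISP actually hands out, and ActiveX download hosts the machine's owner trusts.
TRUSTED_DNS = {"192.168.1.1"}
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "messenger.msn.com", "download.zonelabs.com"}

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def triage_line(line, trusted_dns=TRUSTED_DNS, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return (section, reason) when a line deserves review, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O17" and "NameServer" in body:
        # A resolver nobody configured redirects every name lookup on the box.
        rogue = [ip for ip in IP_RE.findall(body) if ip not in trusted_dns]
        if rogue:
            return section, "NameServer not issued by ISP: " + " ".join(rogue)
    if section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
        # A service with no vendor, or whose binary is gone, is a leftover loader.
        return section, "service with unknown owner or missing binary"
    if section == "O3" and "(no file)" in body:
        return section, "toolbar registration with no backing file"
    if section == "O4" and body.startswith("HKCU"):
        cmd = body.split("] ", 1)[-1].strip().strip('"')
        if "\\" not in cmd:
            # Per-user autorun of a bare filename is resolved via PATH at logon.
            return section, "per-user Run entry without a full path: " + cmd
    if section == "O16":
        host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
        if host not in trusted_hosts:
            return section, "ActiveX download from unlisted host: " + host
    return None


def triage(log_text, **kw):
    """Walk a whole HijackThis log and collect (section, reason, line) to review."""
    findings = []
    for line in log_text.strip().splitlines():
        hit = triage_line(line, **kw)
        if hit:
            findings.append((hit[0], hit[1], line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```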

  6. #6
    Join Date
    Sep 2006
    Posts
    19
    Sure thing, I appreciate that.

    I still can't do anything whilst in safe mode - I have to ctrl alt & del and even then I get an error message saying internet explorer isn't responding. I don't understand this as I hadn't even opened internet explorer?

    So Ewido hasn't been run in safe mode.

    I rebooted and ran this HJT

    Logfile of HijackThis v1.99.1
    Scan saved at 20:50:01, on 09/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.phenology.org.uk/download/CfxIEAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153904857656
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37350.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

  7. #7
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    77
    Posts
    4,079
    Are you saying you cannot get to Safe Mode? How are you trying to do it?
    Please turn off Ewido in the background. Also check your TaskManager to see if you do see iexplore.exe running when you have not enabled it.
    Did you try any of the fixes with HJT?

  8. #8
    Join Date
    Sep 2006
    Posts
    19
    I can get it in safe mode by pressing f8 at menu, but when I log in after it starts up, the desktop freezes not allowing me to click anything.

    I fixed the entries you told me to yes.

    Any ideas why it's freezing in safe mode?

  9. #9
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    77
    Posts
    4,079
    You could try booting with "step by step confirmation" or whatever it translates to, (a form of safe mode), this way you can see on which exact thing it hangs, and not load that the next time.
    Also, when you say it will not shut down because "internet explorer isn't responding" are you certain it isn't saying explore.exe is not responding?

    Hey, just realized you did not post the FixWareOut log. Can we see that please? Also, when you ran FixWareOut is this what was done?
    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    Last edited by jholland1964; 09-07-2006 at 04:10 PM.

  10. #10
    Join Date
    Sep 2006
    Posts
    19
    Apologies, it was explorer.exe

    For some reason it allowed me to run ewido in safe mode (after about 6 attempts). I rebooted and followed your last instructions.

    Logs as follows


    Fixwareout ver 1.003
    Last edited 8/11/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1trap
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\2trap
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmtqi.exe"=-
    ...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...
    * csr.exe C:\WINNT\System32\CSEIX.EXE

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal
    C:\WINNT\SYSTEM32\CSEIX.EXE 51,221 2006-08-08

    Other suspects.
    Directory of C:\WINNT\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.



    -----------


    Logfile of HijackThis v1.99.1
    Scan saved at 22:56:52, on 09/07/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX Internet Control) - http://www.phenology.org.uk/download/CfxIEAx.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1153904857656
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37350.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6F117C-E815-4580-BA7D-846BC2968AE9}: NameServer = 85.255.115.6 85.255.112.20
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RA Server (Slave) - Unknown owner - C:\WINNT\Slave.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
