I Need some serious help. I have a popup that arrives on screen from allsexsms.com - it has no scroll bar or any way of closing it it. I appears when you open IE. I have trace part to my local folder in settings and documents where it installs a prog call mmmmm.exe, there is a temp folder there also called -zctemp which on contains a file -z0000 . If you try to delete these files they just keep coming back. Someone please help I am tearing my hair out.

TROGG

Email address removed by HKEd

Hi trogg...I removed your email address as there are spam bots that harvest addresses from open sites. We provide help on the forums here, not via email.

Your system has picked up some kind of spyware/adware infection. Click here and read the tutorial on posting a HijackThis log. It will show us exactly what the source of the problem is.

Thanks

Here is the contents from my scan.


thanks regards

Trogg

Logfile of HijackThis v1.97.7
Scan saved at 21:25:31, on 11/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WIZZ\dazzler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\spool\drivers\w32x86\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\VEXPLITE\MONLITE.EXE
C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
C:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\Program Files\Warez P2P Client\warez.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\rdspress.exe
C:\Program Files\Secretmaker\secretmaker.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\pdtsauc.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ZipCentral\ZCentral.exe
C:\DOCUME~1\Derek\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {31E316DA-D7AD-5C5B-1F67-B06C54DF6854} - C:\DOCUME~1\Derek\APPLIC~1\EXTRAI~1\SlowSurf.exe
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ashampoo\ASHAMP~2\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [mctask] C:\WINDOWS\system32\mctask.exe /allservice
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\system32\realmon.exe /start
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [zinreks] C:\WINDOWS\system32\pdtsauc.exe r
O4 - HKLM\..\Run: [Wipe cake long roam] C:\Documents and Settings\All Users\Application Data\bird online wipe cake\size move.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Zw5mRjf3T] rdspress.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [Tray draw] C:\DOCUME~1\Derek\APPLIC~1\DOESDA~1\WIN SPAM SIZE.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/minicl...pGameLoader.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Ugh!!! New.Net, LOP and Aurora and assorted worms and trojans. Nice combination. That's what you get for using Warez.

Aurora is the most serious infection, but New.Net has corrupted your internet connection. You need to uninstall it from Add/Remove Programs and reboot. If it's not listed in Add/Remove Programs, use this uninstaller:

http://www.new.net/support/uninstall6_76.exe

Then use this LOP uninstaller:

http://www.thespykiller.co.uk/files/lopremover.exe

Reboot afterwards.

Next, to deal with the Aurora infection, download the trial version of Ewido Security Suite. Check for updates after installation, but don't use it yet.

Boot to safe mode using either of the methods described here.

Run a full system scan with Ewido and have it clean or quarantine everything it finds. At the end of the scan, Ewido generates a log. Save it and post the contents in your reply along with a fresh HijackThis log.

BTW, despite Angoid's instructions, HijackThis.exe is in a temp location. You must create a new folder for it before using it.

Please follow the above instructions exactly and in the order posted. These are very serious infections.

Many Thanks - I could note beleive how many infections I had on machine. Is Ewido Security the best softwear to buy, I am running PC-cillin at the moment and trying out VIRIT-LT.

Here are the logs from the scans.







---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 08:59:15, 12/08/2005
+ Report-Checksum: 18E7FA67

+ Scan result:

HKLM\SOFTWARE\AKSoft -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\AKSoft\X-Tractor -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DD521A1D-1F98-11D4-9676-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A2AACF1-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A42C0EF4-1C76-43CC-989F-EADC7E4B755D} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{DD521A1C-1F98-11D4-9676-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\LocalNRDDll.LocalNRDDllObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res\WToolsB.ResProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Radio.RadioPlayer -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Radio.RadioPlayer\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{3FA866AC-40D7-4FE6-BABF-78EE854A4325} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{DD521A10-1F98-11D4-9676-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKLM\SOFTWARE\Igor V. Gunko -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Modules -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C} -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\Ctx -> Spyware.HyperBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\msbb -> Spyware.180Solutions : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Parameters -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Security -> Spyware.WebSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc\Enum -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Igor V. Gunko -> Spyware.HyperBar : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Igor V. Gunko\Hyperbar -> Spyware.HyperBar : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Igor V. Gunko\Hyperbar\Prod -> Spyware.HyperBar : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C} -> Spyware.HyperBar : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Igor V. Gunko\Hyperbar\Prod\{4B2F5308-2CB0-40E2-8030-59936ED5D22C}\Ctx -> Spyware.HyperBar : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-299502267-573735546-839522115-1004\Software\msbb -> Spyware.180Solutions : Cleaned with backup
[1660] VM_00B50000 -> Adware.BetterInternet : Error during cleaning
[1936] C:\WINDOWS\system32\wpvhuck.exe -> Trojan.Agent.cp : Cleaned with backup
C:\Documents and Settings\All Users\Documents\shedder hijack\hijakthis\backups\backup-20050120-105121-950.dll -> TrojanDownloader.OTXloader : Cleaned with backup
C:\Documents and Settings\All Users\Documents\shedder hijack\hijakthis\backups\backup-20050120-105122-650.dll -> Spyware.Retro64 : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Derek\ln_reco_before.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\8DQNODQB\thnall2r[1].exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\NRUHOTSF\uninstall6_76[1].exe -> Spyware.NewDotNet : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@ads.specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@c.porngraph[1].txt -> Spyware.Cookie.Porngraph : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter1.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter10.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter11.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter12.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter13.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter14.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter15.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter16.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter2.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter2.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter3.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter4.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter5.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter6.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter7.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter8.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@counter9.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@cz8.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@ehg-bskyb.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@ehg-info.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@ehg-reunion.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@hestia.sextrail.trakkerd[2].txt -> Spyware.Cookie.Trakkerd : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@offshoreclicks[1].txt -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@realmedia[1].txt -> Spyware.Cookie.Realmedia : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@tribalfusion[3].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@w101.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@w111.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@w118.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@w128.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@web4.realtracker[1].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@xxxtoolbar[2].txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\derek@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@a.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\trogg\Cookies\trogg@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Common Files\crnlreef\cfrpdcaqsn\msfstuutr.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\crnlreef\eedpfpsd\qmfutpoa.exe -> Adware.Gator : Cleaned with backup
C:\WINDOWS\avmjxyy.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\1025972.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\1036023.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gvx143u0s14m_wall.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gvx143uts7m_wall.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ukgolwla3x.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\localNRD.dll -> Spyware.BiSpy : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\ln_reco.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\rdspress.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
C:\WINDOWS\system32\stmtreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\derek@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\derek@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Videogames.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\windcpe.exe -> TrojanDownloader.Small.no : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@ads.specificpop[2].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@ads18.bpath[1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@as1.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@c.porngraph[1].txt -> Spyware.Cookie.Porngraph : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@commission-junction[1].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter1.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter10.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter11.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter12.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter13.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter14.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter15.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter16.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter2.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter2.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter3.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter4.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter5.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter6.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter7.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter8.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@counter9.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@cz8.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@ehg-bskyb.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@ehg-info.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@ehg-reunion.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@findwhat[1].txt -> Spyware.Cookie.Findwhat : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@hestia.sextrail.trakkerd[2].txt -> Spyware.Cookie.Trakkerd : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@hg1.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@offshoreclicks[1].txt -> Spyware.Cookie.Offshoreclicks : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@realmedia[1].txt -> Spyware.Cookie.Realmedia : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@spylog[1].txt -> Spyware.Cookie.Spylog : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@tribalfusion[3].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@w101.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@w111.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@w118.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@w128.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@web4.realtracker[1].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@xxxtoolbar[2].txt -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup
G:\Documents and Settings\Derek\Cookies\derek@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
G:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\9TXG7RFO\SkyLopez[1].exe -> Dialer.Generic : Cleaned with backup
G:\Documents and Settings\Derek\Local Settings\Temporary Internet Files\Content.IE5\I9SBIXU5\rotate[1].js -> Spyware.BookedSpace : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@7search[2].txt -> Spyware.Cookie.7search : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@ads.specificpop[1].txt -> Spyware.Cookie.Specificpop : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@as-us.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@bfast[1].txt -> Spyware.Cookie.Bfast : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@clickagents[1].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@free.wegcash[2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@mediatrack.revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@programs.wegcash[1].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
G:\Documents and Settings\Rowan\Cookies\rowan@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
G:\Documents and Settings\Rowan\Local Settings\Temp\dia1.exe -> Heuristic.Win32.Dialer : Cleaned with backup
G:\Documents and Settings\Rowan\Local Settings\Temp\dia5.exe -> Dialer.Generic : Cleaned with backup
G:\Documents and Settings\Rowan\Local Settings\Temp\dia6.exe -> Dialer.Generic : Cleaned with backup
G:\Documents and Settings\Rowan\Local Settings\Temporary Internet Files\Content.IE5\PKT5VYI4\rotate[1].js -> Spyware.BookedSpace : Cleaned with backup
G:\hijakthis\backup-20050120-100958-824.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
G:\hijakthis\backup-20050120-100958-962.dll -> TrojanDownloader.Agent.de : Cleaned with backup
G:\hijakthis\hijackthis.zip/backup-20050120-100958-702.dll -> Dialer.Generic : Cleaned with backup
G:\hijakthis\hijackthis.zip/backup-20050120-100958-824.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
G:\hijakthis\hijackthis.zip/backup-20050120-100958-962.dll -> TrojanDownloader.Agent.de : Cleaned with backup
G:\Program Files\Srng\SNHelper.dll -> Spyware.ShopNav : Cleaned with backup
G:\Program Files\Srng\SrngUtil.exe -> Spyware.ShopNav : Cleaned with backup
G:\Program Files\Zipclix\zipclix.dll -> Spyware.ZipClix : Cleaned with backup
G:\WINDOWS\2020search.dll -> Spyware.IeSearchBar : Cleaned with backup
G:\WINDOWS\Downloaded Program Files\2020Search.dll -> Spyware.IeSearchBar : Cleaned with backup
G:\WINDOWS\mssvr.exe -> Spyware.IeSearchBar : Cleaned with backup
G:\WINDOWS\svchost.exe -> Spyware.ShopNav : Cleaned with backup
G:\zip\uninstall6_76.exe -> Spyware.NewDotNet : Cleaned with backup


::Report End




Logfile of HijackThis v1.97.7
Scan saved at 09:02:26, on 12/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\mxpljy.exe
C:\Program Files\ZipCentral\ZCentral.exe
C:\DOCUME~1\Derek\LOCALS~1\Temp\_ZCTmp.Dir\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {31E316DA-D7AD-5C5B-1F67-B06C54DF6854} - C:\DOCUME~1\Derek\APPLIC~1\EXTRAI~1\SlowSurf.exe (file missing)
O2 - BHO: (no name) - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ashampoo\ASHAMP~2\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [mctask] C:\WINDOWS\system32\mctask.exe /allservice
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\system32\realmon.exe /start
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKLM\..\Run: [rasmhuz] C:\WINDOWS\system32\mxpljy.exe r
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\Secretmaker\secretmaker.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra 'Tools' menuitem: Launch Copernic Agent (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/minicl...pGameLoader.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Hi trogg...I just noticed you are running a very old version of HijackThis - version 1.97.7. It's up to version 1.99.1 now, and we need to see what that log shows.

Once again, please read Angoid's tutorial that I linked to, get the newest version of HJT from the link in that article, save it to the correct location, then post back with a fresh log so we can finish the cleanup.

Ewido has been very effective with the type of infection you have on that system. However, it's a relatively new product, so I can't comment as to its overall effectiveness. It is not a replacement for an antivirus scanner like Pc-cillin. AV programs do not pick up much of this kind of malicious adware as the signatures (code strings) are quite different from those of viruses. You need both an antivirus scanner and an adware/spyware scanner used in tandem.

Moving this to the Malicious Code forum.

HI

Here is here is another run with the lastest HJT.

Thanks once again


Trogg

Logfile of HijackThis v1.99.1
Scan saved at 08:05:58, on 14/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon06.exe
C:\VEXPLITE\MONLITE.EXE
C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
C:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\VEXPLITE\VIRITEXP.EXE
C:\Documents and Settings\Derek\Desktop\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {31E316DA-D7AD-5C5B-1F67-B06C54DF6854} - C:\DOCUME~1\Derek\APPLIC~1\EXTRAI~1\SlowSurf.exe (file missing)
O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ashampoo\ASHAMP~2\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [mctask] C:\WINDOWS\system32\mctask.exe /allservice
O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\system32\realmon.exe /start
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe
O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/minicl...pGameLoader.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Hi trogg...still some cleaning up to do.

Close all open windows, then run a HJT scan and put checks in the boxes next to these lines:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {31E316DA-D7AD-5C5B-1F67-B06C54DF6854} - C:\DOCUME~1\Derek\APPLIC~1\EXTRAI~1\SlowSurf.exe (file missing)

O4 - HKLM\..\Run: [mctask] C:\WINDOWS\system32\mctask.exe /allservice

O4 - HKLM\..\Run: [eTrust Realtime Monitor] C:\WINDOWS\system32\realmon.exe /start

O4 - HKLM\..\Run: [SHA256] C:\Program Files\SHA256\secure.exe

O4 - HKLM\..\Run: [WIZZ] C:\Program Files\WIZZ\dazzler.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Click on 'Fix checked'.

BTW, I included the 04 in red because it's a leftover of a previous eTrust installation.

Boot to safe mode as before and make all files/folders visible:

QUOTE

* Click Start.     * Open My Computer.     * Select the Tools menu and click Folder Options.     * Select the View Tab.     * Under the Hidden files and folders heading select Show hidden files and folders.     * Uncheck the Hide protected operating system files (recommended) option.     * Click Yes to confirm.     * Click OK.

Run another full Ewido scan and save the log. We need to get this bugger:

C:\WINDOWS\svcproc.exe

See if you can locate it and delete it manually. Also locate and delete these:

C:\DOCUME~1\Derek\APPLICATION DATA\EXTRAI~1 << Folder

C:\WINDOWS\system32\mctask.exe

C:\Program Files\SHA256 << Folder

C:\Program Files\WIZZ

Post the new Ewido log you saved as well as another HJT log from normal mode (after the above steps).

Hi
Thanks once again what a great service you guy's run. The really bad popup seems (fingers crossed) to have gone.

I have followed your instructions and here is the last logs I hope!!

Kind regards


Trogg

Logfile of HijackThis v1.99.1
Scan saved at 20:39:25, on 16/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijack 120805\HijackThis.exe

O2 - BHO: IE PopUp-Killer ; Neikeisoft - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\ashampoo\ASHAMP~2\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\msgr.en-us.en-gb\msntb.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar.dll (file missing)
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AdsBlocker] C:\Program Files\AdsBlocker\stopAds.exe
O4 - HKLM\..\Run: [REAL] C:\Program Files\REAL\realjbox.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [VIRIT LITE MONITOR] C:\VEXPLITE\MONLITE.EXE
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\PROGRA~1\ashampoo\ASHAMP~2\PopUpKiller.exe
O4 - HKCU\..\Run: [UIWatcher] C:\Program Files\ashampoo\Ashampoo UnInstaller Suite\UIWatcher.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/minicl...pGameLoader.dll
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:30:57, 16/08/2005
+ Report-Checksum: 97B935C8

+ Scan result:

C:\Documents and Settings\Derek\Cookies\derek@1xxx.cqcounter[1].txt -> Spyware.Cookie.Cqcounter : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@adviva[1].txt -> Spyware.Cookie.Adviva : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@counter16.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@counter6.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@counter7.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@sexlist[1].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@vip.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Derek\Cookies\derek@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\WINDOWS\system32\achzcgy.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\adcftcs.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\aetndil.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\azsqaac.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\bavzdme.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\bfpnhs.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\bsbosoo.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\cvhdgz.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\gfnfvm.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\hweccqq.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\icyiyst.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\idxiraj.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\ijuldq.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\iniahaq.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\izhjoy.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\jtdwbi.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\kbjxrnw.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\klmpgbp.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\ldwcok.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\lkwdqa.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\llijlcm.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\mjrwsf.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\nilsnr.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\nldlmh.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\ofvfjwx.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\oghtusd.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\onezby.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\orjxzk.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\oszcbpr.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\pxvufor.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\qcsmqy.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\rbhscfz.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\tccmjug.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\tvajoe.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\tzowngk.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\ujtenp.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\vjvjec.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\vrzowpv.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\vsvbjq.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\wjdbks.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\xanxbq.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\yefwji.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\yieicr.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\zneqbib.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\__delete_on_reboot__iqkelr.exe -> Trojan.Agent.gp : Cleaned with backup


::Report End

Hi Trogg...that looks clean, but I see it was run from safe mode.

Please generate another log in normal mode and post it. Nothing loads except the very basics in safe mode, so we're not getting any details on running processes.