Recurring Pop-up on windows tray [RESOLVED]

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
===================================================
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
===================================================

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• NOTE: During some scans with ewido it is finding cases of false positives.
• You will need to step through the process of cleaning files one-by-one.
• If ewido detects a file you KNOW to be legitimate, select none as the action.
• DO NOT select "Perform action on all infections"
• If you are unsure of any entry found select none for now.
• When the scan is finished, click the Save report button at the bottom of the screen.
• Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Hello.

Sorry for the delay, but i havent been able to access my computer much due to the holidays and all that. I followed your instructions and it seems to have fixed it. those pop-ups are gone now. but my computer is performing quite slowly since then...i cant figure out why. also, i dont know if this is related in anyway, but my google seems to have gone down and this isnt happening to anyone else. all the google domains thast have tried have been unresponsive...gmail included, but the news.google is the only one working. strange. again, im quite a novice here and i dont know if this is related to the virus i had, but since i cleaned up the virus i havent been able to access google. i have tried changing inter explorers setting, and tried accessing google on firefox and netscape with no luck. anyways, here are the logs you requested. thanks again for your help and i hope you had a merry christmas and a happy new year to come.


+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00648569-1164-8F09-369E-5F1D4CF3EB7A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0E677C13-0072-F800-99BE-2283DB292E1F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1082088A-E784-5093-F9A0-07E5588FA67C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{145E6FB1-1256-44ed-A336-8BBA43373BE6} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1A15F225-55D1-2004-F817-B224A68490B9} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{25ABB624-07B4-7709-119D-4C9FB375AB79} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{292B04EC-6483-FC6A-77F9-29A441F0ED52} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2CEDF703-7B1D-11EA-9346-27AA2F77086D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2FDECE36-9908-3C07-94EF-739590374096} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{35E34195-6EC7-9FF7-74E1-8DBD6B07E389} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3757D8EC-FD1D-A2F5-366B-C8C2FEE89B04} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4AEDA6FC-6816-F03C-12F8-CDE056451F16} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{569A8D32-0108-F6A7-6EE3-9094FC97B318} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5E4566F7-825D-2817-0598-1949854654D5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6542A967-1F9A-0252-366F-EB61AF2E0E58} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6827E44A-FCD1-5704-0FF9-EE64FBCBD77F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{81A1550A-A544-72D8-F0E6-372BEE4FA644} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8327E127-2658-4B06-86B0-8D575DE1575B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{ABCE7D97-8F61-AE41-A751-767BDB1A0E6A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AF451484-05EA-655A-4EE7-4B4F9A677388} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B2561711-375A-C5C2-DBF9-4F87C6CDEC0E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B599C57E-113A-4488-A5E9-BC552C4F1152} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B75F75B8-93F3-429D-FF34-660B206D897A} -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B8255E59-0880-9B47-95C1-239AD27A1D62} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C8D54406-6EF3-7F0E-38BB-D6313B9FD92D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E004800A-73C6-4587-B855-98D0CE0C16B1} -> Spyware.BrowserAid : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E8D572F2-ADEF-B062-2E5A-573A092BD258} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F4BF9913-CC48-121B-F8DE-11BD3C45410F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501} -> Spyware.SimpleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77} -> Spyware.SimpleBar : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.activator.1 -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.ParamWr.1 -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CLSID -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar\CurVer -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Classes\ZToolbar.StockBar.1 -> Spyware.Azsearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\CLSID -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Best Search Engine!!! -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-1220945662-651377827-839522115-1003\Software\Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1220945662-651377827-839522115-1003_Classes\CLSID\{0656A137-B161-CADD-9777-E37A75727E78} -> Dialer.Generic : Cleaned with backup
[1588] C:\winstall.exe -> Trojan.Small : Cleaned with backup
:mozilla.50:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.51:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.52:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.53:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.54:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.55:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.56:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.57:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.58:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.59:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.60:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.62:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.63:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.66:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.67:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.75:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.77:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.83:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned with backup
:mozilla.91:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.92:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.95:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.109:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.110:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.111:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.112:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.122:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Estat : Cleaned with backup
:mozilla.123:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.124:C:\Documents and Settings\user1\Application Data\Netscape\NSB\Profiles\1yqad652.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Adition : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Counted : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Xhit : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Inet-cash : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@hotlog[2].txt -> Spyware.Cookie.Hotlog : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@overture[2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@paycounter[2].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@pro-market[1].txt -> Spyware.Cookie.Pro-market : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Onestat : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@trafic[1].txt -> Spyware.Cookie.Trafic : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@weborama[2].txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][1].txt -> Spyware.Cookie.Smartadserver : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\user1\Cookies\user1@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\user1\Cookies\[email protected][2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\713.tmp -> Trojan.Small : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\719.tmp -> Trojan.Small.ga : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@bluestreak[2].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@weborama[2].txt -> Spyware.Cookie.Weborama : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\user1@xxxcounter[1].txt -> Spyware.Cookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\user1\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Program Files\Internet Explorer\swjlnwlk.exe -> Downloader.Small.aar : Cleaned with backup
C:\WINDOWS\cdplayer.ini:xbeye -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cdplayer.ini:zyvhr -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hh.exe:ftkiu -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jautoexp.dat:afqhu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\kmiyn.txt:auljy -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_hylhmk.dat:dosaa -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\n_kycdaj.txt:cvohv -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_mnffbt.dat -> Downloader.Agent.jb : Cleaned with backup
C:\WINDOWS\n_rndeai.dat -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_xljydt.txt -> Downloader.Agent.jb : Cleaned with backup
C:\WINDOWS\regedit.exe:adfxh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Santa Fe Stucco.bmp:xcnfc -> Downloader.Agent.kd : Cleaned with backup
C:\WINDOWS\system32\dllcache\hh.exe:ftkiu -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\dllcache\regedit.exe:adfxh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\dllcache\twain_32.dll:lzeky -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\ztoolbar.bmp -> Spyware.TNS-Search : Cleaned with backup
C:\WINDOWS\TASKMAN.EXE:symev -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\twain_32.dll:lzeky -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\vmmreg32.dll:lntgz -> Downloader.Agent.kd : Cleaned with backup
C:\WINDOWS\vwyju.txt:fliqc -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\wdwof.txt:qnlby -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\win.ini:dnmmt -> Downloader.Agent.kd : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:lzofw -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\_default.pif:ajgdv -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:dtcra -> Trojan.Agent.bi : Cleaned with backup
C:\winstall.exe -> Trojan.Small : Cleaned with backup


::Report End


Incident Status Location

Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\Sign Ball Way Site\GramMapi.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\StylePartPhoneGrey\open data.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\All Users\Application Data\StylePartPhoneGrey\that stupid.exe
Adware:adware/azesearch Not desinfected C:\Documents and Settings\All Users\Start Menu\PopUp Blocker.lnk
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user1\Application Data\Compsignrule\bonepollscrchin.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user1\Application Data\Compsignrule\gcvclkvl.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user1\Application Data\Compsignrule\iqhhokfo.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user1\Application Data\Compsignrule\npwfsseq.exe
Adware:Adware/Lop Not desinfected C:\Documents and Settings\user1\Application Data\Compsignrule\nrnktzzd.exe
Adware:adware/cws.searchmeup Not desinfected C:\Documents and Settings\user1\Favorites\Today's Specials.url
Adware:Adware/RazeSpyware Not desinfected C:\WINDOWS\efefdfddfsdh.tmp
Adware:adware/dyfuca Not desinfected C:\WINDOWS\nem220.dll
Adware:adware/powersearch Not desinfected C:\WINDOWS\system32\stlb2.xml
Logfile of HijackThis v1.99.1
Scan saved at 9:35:23 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\user1\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [717.tmp] C:\DOCUME~1\user1\LOCALS~1\Temp\717.tmp.exe
O4 - HKLM\..\Run: [717.tmp.exe] C:\DOCUME~1\user1\LOCALS~1\Temp\717.tmp.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.google.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/26/2005
The current time is: 21:37:10.68

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN!

Download CWShredder here to its own folder.
Download about:buster by RubbeRDuckY Here.

Update CWShredder

* Open CWShredder and click I AGREE
* Click Check For Update
* Close CWShredder

Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Please run about:buster by RubbeRDuckY:

• Click Begin Removal.
• Click Yes to allow it to shutdown explorer.exe.
• It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
• When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
• Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Download http://osc.geekstogo...rviceremove.reg run it it will ask to merge into the registery say yes.

Post the about:buster log, CWShredder results and a New Hijackthis log here in a reply.

Hi

i downloaded the programs as you asked. cwsshredder didnt find anything. about:buster would return an error message whenever i tried to run it. the message is "run time error "6" overflow". i tried running it several times(always safe mode" and restarted thee cpu several time in safe mode with the same error message popping up everytime. dont know how to proceed from here. regards

I will post back tommorow im off for the night.

ok.

thanks again for your help

good night

Post a new Hijackthis log here in a reply.

good morning,

just wanted to let you know that google is working again and system performance has improved considerably this morning..and i havent done anything since i last contacted you. heres the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 8:26:14 AM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Documents and Settings\user1\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [717.tmp] C:\DOCUME~1\user1\LOCALS~1\Temp\717.tmp.exe
O4 - HKLM\..\Run: [717.tmp.exe] C:\DOCUME~1\user1\LOCALS~1\Temp\717.tmp.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.google.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://pchowtos.co.u...tion=view&id=34

2. Open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [717.tmp] C:\DOCUME~1\user1\LOCALS~1\Temp\717.tmp.exe
O4 - HKLM\..\Run: [717.tmp.exe] C:\DOCUME~1\user1\LOCALS~1\Temp\717.tmp.exe

3. Reboot and Delete the files. (if present)

C:\Documents and Settings\user1\Local Settings\Temp\717.tmp.exe

4. Then post a new Hijackthis log here in a reply.

I did what u asked, the files you asked me to delete in the temp folder were not present. heres the updated hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:16:40 AM, on 12/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user1\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Anti-Blaxx Manager] C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - Global Startup: Image Transfer.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.google.ca
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100557798970
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Your log is clean

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

• Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
• Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
• How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
• How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

• IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free google toolbar to help stop pop up windows.

I also suggest that you delete any files from "temp", "tmp" folders. In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files" and select the box that says "Delete All Offline Content" and click on "OK" twice. Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin". These steps should be done on a regular basis.

thats good news. i cant tell you how much i appreacite your help. happy holidays

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.